!This program cannot be run in DOS mode.
Richy':
`.rdata
@.data
.pdata
@.rsrc
@.reloc
t$ WATAUH
|$DRUUU
KSSMukHc
x ATAUAVH
$JcD7(
D70fB+D7,f
JcL7,D
9\$$vOHk
A^A]A\
WATAUH
WATAUH
A]A\_
WATAUAVAWH
A_A^A]A\_
UVWATAUAVAWH
0tDHcG,
HcO E3
HcO$E3
Lc_(E3
@A_A^A]A\_^]
UVWATAUAVAWH
PA_A^A]A\_^]
\$8f; s,H
VWATAUAVH
A^A]A\_^
LcA<E3
EP=csm
Ep=csm
E`=csm
E(=csm
E@=csm
EX=csm
Ex=csm
```hhh
xppwpp
DhcpServerCalloutEntry
BCryptOpenAlgorithmProvider
BCryptSetProperty
BCryptGetProperty
BCryptGenerateSymmetricKey
BCryptEncrypt
BCryptDecrypt
BCryptDestroyKey
BCryptCloseAlgorithmProvider
CredentialKeys
Primary
[%08x] %Z
n.e. (Lecture KIWI_MSV1_0_PRIMARY_CREDENTIALS KO)
n.e. (Lecture KIWI_MSV1_0_CREDENTIALS KO)
* Key List
[%08x]
[%08x]
* GUID :
* Time :
* MasterKey :
\x%02x
0x%02x,
null
des_plain
des_cbc_crc
des_cbc_md4
des_cbc_md5
des_cbc_md5_nt
rc4_plain
rc4_plain2
rc4_plain_exp
rc4_lm
rc4_md4
rc4_sha
rc4_hmac_nt
rc4_hmac_nt_exp
rc4_plain_old
rc4_plain_old_exp
rc4_hmac_old
rc4_hmac_old_exp
aes128_hmac_plain
aes256_hmac_plain
aes128_hmac
aes256_hmac
unknow
[ERROR] [RPC Decode] Exception 0x%08x: (%u)
[ERROR] [RPC Decode] MesIncrementalHandleReset: %08x
[ERROR] [RPC Decode] MesDecodeIncrementalHandleCreate: %08x
[ERROR] [RPC Free] Exception 0x%08x: (%u)
[ERROR] [RPC Free] MesDecodeIncrementalHandleCreate: %08x
credman
dpapisrv!g_MasterKeyCacheList
lsasrv!g_MasterKeyCacheList
masterkey
msv1_0!SspCredentialList
kerberos!KerbGlobalLogonSessionTable
kerberos
livessp!LiveGlobalLogonSessionList
livessp
wdigest!l_LogSessList
wdigest
tspkg!TSGlobalCredTable
CachedUnlock
CachedRemoteInteractive
CachedInteractive
RemoteInteractive
NewCredentials
NetworkCleartext
Unlock
Service
Network
Interactive
Unknown !
UndefinedLogonType
.#####. mimikatz 2.1 alpha (x64) built on May 8 2017 22:05:24
.## ^ ##. "A La Vie, A L'Amour" - Windows build %hu
## / \ ## /* * *
## \ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
'## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)
'#####' WinDBG extension ! * * */
===================================
# * Kernel mode * #
===================================
# Search for LSASS process
0: kd> !process 0 0 lsass.exe
# Then switch to its context
0: kd> .process /r /p <EPROCESS address>
# And finally :
0: kd> !mimikatz
===================================
# * User mode * #
===================================
0:000> !mimikatz
===================================
( (
) )
.______.
| |]
\ /
`----'
lsasrv!LogonSessionLeakList
lsasrv!InitializationVector
lsasrv!hAesKey
lsasrv!h3DesKey
lsasrv!LogonSessionList
lsasrv!LogonSessionListCount
kdcsvc!SecData
krbtgt keys
===========
Current
Previous
kdcsvc!KdcDomainList
Domain List
===========
SekurLSA
========
Authentication Id : %u ; %u (%08x:%08x)
Session : %s from %u
User Name : %wZ
Domain : %wZ
Logon Server : %wZ
Logon Time :
SID :
[ERROR] [LSA] Symbols
%p - lsasrv!LogonSessionListCount
%p - lsasrv!LogonSessionList
[ERROR] [CRYPTO] Acquire keys
[ERROR] [CRYPTO] Symbols
%p - lsasrv!InitializationVector
%p - lsasrv!hAesKey
%p - lsasrv!h3DesKey
[ERROR] [CRYPTO] Init
* Username : %wZ
* Domain : %wZ
* LM :
* NTLM :
* SHA1 :
* DPAPI :
* Raw data :
* Smartcard
PIN code : %wZ
Model : %S
Reader : %S
Key name : %S
Provider : %S
%s
<no size, buffer is incorrect>
Unknown version in Kerberos credentials structure
* Username : %wZ
* Domain : %wZ
* Password :
LUID KO
* RootKey :
* %08x :
* LSA Isolated Data: %.*s
Unk-Key :
Encrypted:
SS:%u, TS:%u, DS:%u
0:0x%x, 1:0x%x, 2:0x%x, 3:0x%x, 4:0x%x, E:
, 5:0x%x
* unkData1 :
unkData2 :
%s krbtgt:
%u credentials
* %s :
[%s]
-> %wZ
%wZ ->
from:
* %s :
Domain: %wZ (%wZ
* RSA key
PVK (private key)
DER (public key and certificate)
* Legacy key
* Unknown key (seen as %08x)
lsasrv!g_guidPreferredKey
lsasrv!g_pbPreferredKey
lsasrv!g_cbPreferredKey
lsasrv!g_guidW2KPreferredKey
lsasrv!g_pbW2KPreferredKey
lsasrv!g_cbW2KPreferredKey
lsasrv!g_fSystemCredsInitialized
lsasrv!g_rgbSystemCredMachine
lsasrv!g_rgbSystemCredUser
dpapisrv!g_guidPreferredKey
dpapisrv!g_pbPreferredKey
dpapisrv!g_cbPreferredKey
dpapisrv!g_guidW2KPreferredKey
dpapisrv!g_pbW2KPreferredKey
dpapisrv!g_cbW2KPreferredKey
dpapisrv!g_fSystemCredsInitialized
dpapisrv!g_rgbSystemCredMachine
dpapisrv!g_rgbSystemCredUser
DPAPI Backup keys
=================
Current prefered key:
Compatibility prefered key:
DPAPI System
============
full:
m/u :
OpenProcessToken
CreateRestrictedToken
CreateProcessAsUserW
ConvertSidToStringSidA
IsTextUnicode
ADVAPI32.dll
RtlEqualString
RtlStringFromGUID
RtlFreeUnicodeString
ntdll.dll
MesDecodeIncrementalHandleCreate
MesHandleFree
MesIncrementalHandleReset
NdrMesTypeDecode2
NdrMesTypeFree2
RPCRT4.dll
GetCurrentProcess
CloseHandle
FreeLibrary
LoadLibraryW
lstrlenW
GetProcAddress
LocalAlloc
LocalFree
GetTimeFormatA
GetDateFormatA
FileTimeToSystemTime
FileTimeToLocalFileTime
KERNEL32.dll
_wfopen
fclose
vfwprintf
fflush
msvcrt.dll
memcpy
memset
__C_specific_handler
_XcptFilter
malloc
_initterm
_amsg_exit
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
mimilib.dll
DhcpNewPktHook
DhcpServerCalloutEntry
DnsPluginCleanup
DnsPluginInitialize
DnsPluginQuery
ExtensionApiVersion
InitializeChangeNotify
PasswordChangeNotify
SpLsaModeInitialize
WinDbgExtensionDllInit
coffee
mimikatz
startW
kiwidns.log
%S (%hu)
kiwifilter.log
[%08x] %wZ
KiwiSSP
Kiwi Security Support Provider
kiwissp.log
[%08x:%08x] [%08x] %wZ\%wZ (%wZ)
bcrypt
ChainingModeCBC
ChainingMode
ObjectLength
ChainingModeCFB
(null)
VS_VERSION_INFO
StringFileInfo
040904b0
ProductName
mimilib (mimikatz)
ProductVersion
2.1.0.0
CompanyName
gentilkiwi (Benjamin DELPY)
FileDescription
mimilib for Windows (mimikatz)
FileVersion
2.1.0.0
InternalName
mimilib
LegalCopyright
Copyright (c) 2007 - 2017 gentilkiwi (Benjamin DELPY)
OriginalFilename
mimilib.dll
PrivateBuild
Build with love for POC only
SpecialBuild
kiwi flavor !
VarFileInfo
Translation