Static | ZeroBOX

PE Compile Time

2021-08-10 09:01:11

PE Imphash

eaa79f1d9e8a00542b09cb462d0658ef

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x00004b58 0x00004c00 6.09167139288
.rdata 0x00006000 0x00002dd5 0x00002e00 5.01632093879
.data 0x00009000 0x00000d50 0x00000800 4.19698236902
.pdata 0x0000a000 0x00000390 0x00000400 3.87021407094
.rsrc 0x0000b000 0x00000430 0x00000600 2.51960820356
.reloc 0x0000c000 0x00000128 0x00000200 2.09351560302

Resources

Name Offset Size Language Sub-language File type
RT_VERSION 0x0000b060 0x000003cc LANG_ENGLISH SUBLANG_ENGLISH_US data

Imports

Library ADVAPI32.dll:
0x180006000 CreateRestrictedToken
0x180006008 CreateProcessAsUserW
0x180006010 ConvertSidToStringSidA
0x180006018 IsTextUnicode
0x180006020 OpenProcessToken
Library ntdll.dll:
0x1800061b0 _stricmp
0x1800061b8 memcmp
0x1800061c0 RtlEqualString
0x1800061c8 RtlFreeUnicodeString
0x1800061d0 RtlStringFromGUID
Library RPCRT4.dll:
0x180006118 NdrMesTypeFree2
0x180006120 NdrMesTypeDecode2
0x180006130 MesHandleFree
Library ole32.dll:
0x1800061e0 CoCreateInstance
Library KERNEL32.dll:
0x180006030 GetSystemTimeAsFileTime
0x180006038 GetCurrentProcessId
0x180006040 GetCurrentThreadId
0x180006048 GetTickCount
0x180006050 RtlVirtualUnwind
0x180006058 RtlLookupFunctionEntry
0x180006060 RtlCaptureContext
0x180006068 TerminateProcess
0x180006070 QueryPerformanceCounter
0x180006080 VirtualProtect
0x180006088 Sleep
0x180006090 GetCurrentProcess
0x180006098 CloseHandle
0x1800060a0 FreeLibrary
0x1800060a8 LoadLibraryW
0x1800060b0 lstrlenW
0x1800060b8 GetProcAddress
0x1800060c0 GetLastError
0x1800060c8 LocalAlloc
0x1800060d0 LocalFree
0x1800060d8 GetTimeFormatA
0x1800060e0 GetDateFormatA
0x1800060e8 FileTimeToSystemTime
0x1800060f0 FileTimeToLocalFileTime
0x1800060f8 RaiseException
0x180006100 LoadLibraryA
0x180006108 UnhandledExceptionFilter
Library msvcrt.dll:
0x180006148 _wfopen
0x180006150 fclose
0x180006158 free
0x180006160 vfwprintf
0x180006168 fflush
0x180006170 memcpy
0x180006178 memset
0x180006180 __C_specific_handler
0x180006188 _XcptFilter
0x180006190 _initterm
0x180006198 _amsg_exit
0x1800061a0 malloc

Exports

Ordinal Address Name
1 0x1800011ec DhcpNewPktHook
2 0x18000113c DhcpServerCalloutEntry
3 0x180001c04 DllCanUnloadNow
4 0x180001b98 DllGetClassObject
5 0x180001474 DnsPluginCleanup
6 0x180001474 DnsPluginInitialize
7 0x1800012b0 DnsPluginQuery
8 0x180003150 ExtensionApiVersion
9 0x180001314 InitializeChangeNotify
10 0x180001570 Msv1_0SubAuthenticationFilter
11 0x180001570 Msv1_0SubAuthenticationRoutine
12 0x180001450 NPGetCaps
13 0x1800013a0 NPLogonNotify
14 0x180001318 PasswordChangeNotify
15 0x180001554 SpLsaModeInitialize
16 0x180003158 WinDbgExtensionDllInit
17 0x180003194 coffee
18 0x1800031a4 mimikatz
19 0x180001000 startW

Strings

DhcpServerCalloutEntry
CredUnPackAuthenticationBufferW
CredIsProtectedW
CredUnprotectW
CredentialKeys
Primary
[%08x] %Z
n.e. (Lecture KIWI_MSV1_0_PRIMARY_CREDENTIALS KO)
n.e. (Lecture KIWI_MSV1_0_CREDENTIALS KO)
* Key List
[%08x]
[%08x]
* GUID :
* Time :
* MasterKey :
\x%02x
0x%02x,
null
des_plain
des_cbc_crc
des_cbc_md4
des_cbc_md5
des_cbc_md5_nt
rc4_plain
rc4_plain2
rc4_plain_exp
rc4_lm
rc4_md4
rc4_sha
rc4_hmac_nt
rc4_hmac_nt_exp
rc4_plain_old
rc4_plain_old_exp
rc4_hmac_old
rc4_hmac_old_exp
aes128_hmac_plain
aes256_hmac_plain
aes128_hmac
aes256_hmac
unknow
[ERROR] [RPC Decode] Exception 0x%08x: (%u)
[ERROR] [RPC Decode] MesIncrementalHandleReset: %08x
[ERROR] [RPC Decode] MesDecodeIncrementalHandleCreate: %08x
[ERROR] [RPC Free] Exception 0x%08x: (%u)
[ERROR] [RPC Free] MesDecodeIncrementalHandleCreate: %08x
credman
dpapisrv!g_MasterKeyCacheList
lsasrv!g_MasterKeyCacheList
masterkey
msv1_0!SspCredentialList
kerberos!KerbGlobalLogonSessionTable
kerberos
livessp!LiveGlobalLogonSessionList
livessp
wdigest!l_LogSessList
wdigest
tspkg!TSGlobalCredTable
CachedUnlock
CachedRemoteInteractive
CachedInteractive
RemoteInteractive
NewCredentials
NetworkCleartext
Unlock
Service
Network
Interactive
Unknown !
UndefinedLogonType
.#####. mimikatz 2.2.0 (x64) built on Aug 10 2021 02:01:09
.## ^ ##. "A La Vie, A L'Amour" - Windows build %hu
## / \ ## /* * *
## \ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
'## v ##' https://blog.gentilkiwi.com/mimikatz (oe.eo)
'#####' WinDBG extension ! * * */
===================================
# * Kernel mode * #
===================================
# Search for LSASS process
0: kd> !process 0 0 lsass.exe
# Then switch to its context
0: kd> .process /r /p <EPROCESS address>
# And finally :
0: kd> !mimikatz
===================================
# * User mode * #
===================================
0:000> !mimikatz
===================================
( (
) )
.______.
| |]
\ /
`----'
lsasrv!LogonSessionLeakList
lsasrv!InitializationVector
lsasrv!hAesKey
lsasrv!h3DesKey
lsasrv!LogonSessionList
lsasrv!LogonSessionListCount
kdcsvc!SecData
krbtgt keys
===========
Current
Previous
kdcsvc!KdcDomainList
Domain List
===========
SekurLSA
========
Authentication Id : %u ; %u (%08x:%08x)
Session : %s from %u
User Name : %wZ
Domain : %wZ
Logon Server : %wZ
Logon Time :
SID :
[ERROR] [LSA] Symbols
%p - lsasrv!LogonSessionListCount
%p - lsasrv!LogonSessionList
[ERROR] [CRYPTO] Acquire keys
[ERROR] [CRYPTO] Symbols
%p - lsasrv!InitializationVector
%p - lsasrv!hAesKey
%p - lsasrv!h3DesKey
[ERROR] [CRYPTO] Init
* Username : %wZ
* Domain : %wZ
* LM :
* NTLM :
* SHA1 :
* DPAPI :
* Raw data :
* Smartcard
PIN code : %wZ
Model : %S
Reader : %S
Key name : %S
Provider : %S
%s
<no size, buffer is incorrect>
Unknown version in Kerberos credentials structure
* Username : %wZ
* Domain : %wZ
* Password :
LUID KO
* RootKey :
* %08x :
* LSA Isolated Data: %.*s
Unk-Key :
Encrypted:
SS:%u, TS:%u, DS:%u
0:0x%x, 1:0x%x, 2:0x%x, 3:0x%x, 4:0x%x, E:
, 5:0x%x
* unkData1 :
unkData2 :
%s krbtgt:
%u credentials
* %s :
[%s]
-> %wZ
%wZ ->
from:
* %s :
Domain: %wZ (%wZ
* RSA key
PVK (private key)
DER (public key and certificate)
* Legacy key
* Unknown key (seen as %08x)
lsasrv!g_guidPreferredKey
lsasrv!g_pbPreferredKey
lsasrv!g_cbPreferredKey
lsasrv!g_guidW2KPreferredKey
lsasrv!g_pbW2KPreferredKey
lsasrv!g_cbW2KPreferredKey
lsasrv!g_fSystemCredsInitialized
lsasrv!g_rgbSystemCredMachine
lsasrv!g_rgbSystemCredUser
dpapisrv!g_guidPreferredKey
dpapisrv!g_pbPreferredKey
dpapisrv!g_cbPreferredKey
dpapisrv!g_guidW2KPreferredKey
dpapisrv!g_pbW2KPreferredKey
dpapisrv!g_cbW2KPreferredKey
dpapisrv!g_fSystemCredsInitialized
dpapisrv!g_rgbSystemCredMachine
dpapisrv!g_rgbSystemCredUser
DPAPI Backup keys
=================
Current prefered key:
Compatibility prefered key:
DPAPI System
============
full:
m/u :
bcrypt.dll
BCryptOpenAlgorithmProvider
BCryptGenerateSymmetricKey
BCryptCloseAlgorithmProvider
BCryptDecrypt
BCryptSetProperty
BCryptDestroyKey
BCryptGetProperty
kiwidns.log
%S (%hu)
kiwifilter.log
[%08x] %wZ
kiwinp.log
[%08x:%08x] %s %wZ\%wZ
KiwiSSP
Kiwi Security Support Provider
kiwissp.log
[%08x:%08x] [%08x] %wZ\%wZ (%wZ)
kiwisub.log
%u (%u) - %wZ\%wZ (%wZ) (%hu)
kcredentialprovider.log
Credui.dll
advapi32.dll
ChainingModeCBC
ChainingMode
ObjectLength
ChainingModeCFB
(null)
%02x%s
VS_VERSION_INFO
StringFileInfo
040904b0
ProductName
mimilib (mimikatz)
ProductVersion
2.2.0.0
CompanyName
gentilkiwi (Benjamin DELPY)
FileDescription
mimilib for Windows (mimikatz)
FileVersion
2.2.0.0
InternalName
mimilib
LegalCopyright
Copyright (c) 2007 - 2021 gentilkiwi (Benjamin DELPY)
OriginalFilename
mimilib.dll
PrivateBuild
Build with love for POC only
SpecialBuild
VarFileInfo
Translation
Antivirus Signature
Bkav Clean
Lionic Clean
Elastic malicious (high confidence)
ClamAV Win.Tool.Mimikatz-10030748-0
CMC Clean
CAT-QuickHeal HackTool.Mimikatz.S33893077
Skyhigh HTool-Mimikatz
ALYac Gen:Variant.Mimikatz.10
Cylance Clean
Zillya Tool.Mimikatz.Win64.2153
Sangfor HackTool.Win64.Mimikatz.uwccg
CrowdStrike Clean
Alibaba Clean
K7GW Hacktool ( 0043c1591 )
K7AntiVirus Hacktool ( 0043c1591 )
huorong HackTool/Mimikatz.j
Baidu Clean
VirIT Trojan.Win64.MimiK.BBD
Paloalto Clean
Symantec Hacktool.Mimikatz
tehtris Clean
ESET-NOD32 a variant of Win64/Riskware.Mimikatz.U
APEX Malicious
Avast Win64:MalwareX-gen [Misc]
Cynet Malicious (score: 99)
Kaspersky HEUR:Trojan.Win32.Mimikatz.gen
BitDefender Gen:Variant.Mimikatz.10
NANO-Antivirus Clean
ViRobot Clean
MicroWorld-eScan Gen:Variant.Mimikatz.10
Tencent Trojan.Win64.Mimikatz.a
Sophos ATK/Apteryx-Gen
F-Secure Trojan.TR/AD.Mimikatz.zbqnj
DrWeb Tool.Mimikatz.1198
VIPRE Gen:Variant.Mimikatz.10
TrendMicro HKTL_MIMIKATZ64
McAfeeD ti!3B984765A976
Trapmine Clean
CTX dll.unknown.mimikatz
Emsisoft Gen:Variant.Mimikatz.10 (B)
Ikarus HackTool.Mimikatz
GData Win32.Riskware.Mimikatz.C
Jiangmin Trojan.PSW.Mimikatz.cqg
Webroot W32.Hacktool.Gen
Varist W64/Mimikatz.N
Avira TR/AD.Mimikatz.zbqnj
Antiy-AVL Trojan[PSW]/Win64.Mimikatz
Kingsoft Clean
Gridinsoft Virtool.Win64.Mimikatz.dd!n
Xcitium Clean
Arcabit Trojan.Mimikatz.10
SUPERAntiSpyware Clean
ZoneAlarm ATK/Apteryx-Gen
Microsoft HackTool:Win64/Mikatz!dha
Google Detected
AhnLab-V3 Trojan/Win.Mimikatz.R451356
Acronis Clean
McAfee HTool-Mimikatz
TACHYON Clean
VBA32 Clean
Malwarebytes Mimikatz.Spyware.Stealer.DDS
Panda Trj/GdSda.A
Zoner Clean
TrendMicro-HouseCall HKTL_MIMIKATZ64
Rising HackTool.Mimikatz!1.B3A7 (CLASSIC)
Yandex Riskware.Mimikatz!5N98LJ61WxY
SentinelOne Static AI - Malicious PE
MaxSecure Clean
Fortinet Riskware/Mimikatz
AVG Win64:MalwareX-gen [Misc]
DeepInstinct MALICIOUS
alibabacloud HackTool:Win/mimikatz
No IRMA results available.