Mimikatz: Powerful Credentials Stealing Tool

Introduction: What is Mimikatz?

Mimikatz is a powerful and well-known post-exploitation tool written in C. It can extract plaintext passwords, password hashes, PIN codes and Kerberos tickets from memory, and it can also perform pass-the-hash and pass-the-ticket attacks or build Golden Tickets (each technique is explained below).


Benjamin Delpy (@gentilkiwi) began work on it in 2007 under different names. He originally created Mimikatz as a proof of concept to show Microsoft that the way its authentication protocols kept credentials in memory left them highly exposed to attack.

Today, Mimikatz's primary use is stealing the credentials of users who are logged on to a targeted Windows machine. Although it was never built as a hacking tool, it is almost always used for malicious purposes: in the last couple of years it was embedded in ransomware worms (NotPetya and BadRabbit, both in 2017) that spread all around the globe.

Mimikatz 2.2.0 [Released]!

Mimikatz: “A Small Tool To Play With Windows Security”

Mimikatz is an open-source post-exploitation (credential-stealing) tool that recovers logon data either as hashes or in clear text. Used against a targeted Windows machine, it extracts cleartext passwords and password hashes from memory, as well as PINs and Kerberos tickets, and it implements several attacks that reuse that material without cracking anything: pass-the-hash, pass-the-ticket, pass-the-cache and forging Golden Kerberos tickets. It ships in two flavors, 32-bit (x86) and 64-bit (x64) Windows builds, and the build you run must match the bitness of the target system.

This very effective offensive security tool is organized into modules (listed below). Mimikatz v1 also comes bundled with the Metasploit Framework as a Meterpreter extension.


  • standard: basic console commands (version, cls, log, exit, ...)
  • privilege: enable or manipulate token privileges (privilege::debug)
  • crypto: CryptoAPI/CNG certificates and keys, including export of keys marked non-exportable
  • sekurlsa: extract credentials (passwords, hashes, keys, tickets) from LSASS memory
  • kerberos: list, export, inject and forge Kerberos tickets
  • lsadump: dump the SAM, LSA secrets and cached credentials, or replicate them from a domain controller (dcsync)
  • vault: read the Windows Vault / Credential Manager
  • token: list and impersonate access tokens
  • event: event-log manipulation
  • ts: terminal services sessions
  • process: list and manipulate processes
  • service: control Windows services
  • net: network-related queries
  • misc: miscellaneous commands (skeleton key, memssp, ...)

Two further components are not console modules: mimilib (the helper DLL, used for example as an SSP or a WinDbg extension) and mimidrv (the kernel driver behind the "!" commands).



Pass-the-Hash

Windows stores a user's password as an NTLM hash, and NTLM authentication only ever proves knowledge of that hash. An attacker who has obtained the hash therefore does not need to crack the password: Mimikatz (sekurlsa::pth) starts a process whose network logons use the stolen hash, and the target machine accepts it as that user.

Over-Pass the Hash (Pass the Key)

A variant of pass-the-hash for Kerberos: instead of authenticating with NTLM, the attacker uses the user's NTLM hash or AES key (the same material Mimikatz pulls from LSASS, or that a domain controller's database holds) to request a Kerberos TGT for that user, so the session then carries a legitimate ticket.


Pass-the-Ticket

Kerberos keeps the logon data in a ticket construct. Mimikatz can export the tickets held in memory (sekurlsa::tickets /export) and inject one of them into a session on another machine (kerberos::ptt), after which that session acts as the ticket's owner without ever knowing the password.


Pass-the-Cache

Same as the pass-the-ticket technique, except that the tickets come from a Kerberos credential cache (ccache) saved on an OS X, Linux or UNIX system; Mimikatz reads the cache file and injects its tickets into a Windows session (kerberos::ptc).

Kerberos Silver Ticket

Another pass-the-ticket variant: a Silver Ticket is a forged TGS (service ticket) built from the password hash of the account (often a computer account) that runs a particular service. Because the ticket is encrypted with that account's key, the target service accepts it without ever contacting the domain controller, but it only grants access to services running under that account, not to every service on the network.

Kerberos Golden Ticket

A pass-the-ticket variant built around the KRBTGT account, the built-in account whose key encrypts every TGT in the domain. With the KRBTGT password hash (obtainable, for example, with lsadump::dcsync once the attacker already has domain-admin-level access), Mimikatz can forge a TGT for any user with any group membership. A Golden Ticket claiming domain admin membership is accepted by every machine in the domain and stays valid until the KRBTGT password has been changed twice.

Mimikatz Install


Build requirements (when compiling from source):

  • mimikatz and mimilib: Visual Studio 2010+
  • mimikatz driver, mimilove and the ddk2003 platform: Windows Driver Kit 7.1 (WinDDK)

Install Steps:

  1. Download Mimikatz from GitHub (options: git clone, trunk checkout or zip download).
  2. Once built, run the executable as Administrator (make sure you use the x86 or x64 build that matches the targeted machine).
  3. Start extracting passwords from memory.

Important: Mimikatz must be run with "Run as Administrator"; otherwise privilege::debug cannot acquire SeDebugPrivilege and the sekurlsa commands cannot open LSASS, so the tool will not work properly and completely.

Basic Usage

Starting the executable drops you at the Mimikatz console; the banner shows the version, build number and architecture (check that the architecture matches the target):

  .#####.   mimikatz 2.2.0 alpha (x64) #17763 Apr  10 2019 00:55
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY gentilkiwi ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz #

First, enable the debug privilege (SeDebugPrivilege), which Mimikatz needs in order to read LSASS memory. The reply "Privilege '20' OK" means the privilege was acquired (20 is the LUID of SeDebugPrivilege); anything else means the process is not elevated:

mimikatz # privilege::debug 
privilege '20' OK

Then, optionally, start writing everything the console prints to a log file with the log command:

mimikatz # log logfilename.log

If that succeeds without errors, you can dump the credentials of every logon session on the machine (cleartext passwords where available, NTLM hashes and Kerberos keys):

mimikatz # sekurlsa::logonpasswords
