Mimikatz is a widely used, open-source application for Windows systems that allows users to view and save authentication credentials, including plaintext passwords, NTLM hashes, and Kerberos tickets, from memory. Developed by Benjamin Delpy as a proof-of-concept to demonstrate weaknesses in Microsoft authentication protocols, it has evolved into a critical post-exploitation tool used by both penetration testers (to find vulnerabilities) and threat actors (to steal credentials and escalate privileges).
Key Features and Capabilities
- Credential Dumping: Extracts passwords and hashes directly from the memory of the Local Security Authority Subsystem Service (LSASS) process.
- Pass-the-Hash (PtH): Uses captured New Technology LAN Manager (NTLM) hashes to authenticate to other systems without needing the original plaintext password.
- Pass-the-Ticket (PtT): Steals Kerberos tickets to impersonate users and move laterally within a network.
- Golden/Silver Tickets: Creates forged tickets to gain unrestricted, persistent access to Active Directory environments.
- Data Extraction: Retrieves certificates and private keys.
How It Works
Mimikatz is typically used in the post-exploitation phase, meaning an attacker already has a foothold on a system. It requires elevated privileges (Administrator or SYSTEM) to read the memory of the LSASS process. It is often executed without writing to disk (fileless) to avoid detection by antivirus software.
#activedirectory postexploitation tools credentials
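The two facts above, that the tool must open LSASS with memory-read access and that it usually runs fileless, are exactly what defenders key on. The following is an added detection example, not code from the original post or from the Mimikatz project: it scans Sysmon Event ID 10 (ProcessAccess) records for processes that open lsass.exe with a memory-read access mask. The event lines, the allow-list of legitimate readers, and the severity heuristic are all constructed or assumed for illustration and would need tuning per environment.

```python
"""Flag Sysmon Event ID 10 (ProcessAccess) records that look like LSASS memory
reading. Added detection example; the records, allow-list and severity rules
below are constructed/assumed, not an authoritative signature."""
from dataclasses import dataclass
from typing import List, Optional
import ntpath
import re

# Win32 process access rights (Windows SDK values) relevant to this check.
PROCESS_VM_READ = 0x0010            # required to read another process's memory
PROCESS_ALL_ACCESS_MASK = 0x1FFFFF  # full access, as Sysmon reports it

# Assumed allow-list of images that normally open lsass.exe with VM_READ.
# Tune per environment; an EDR agent or AV engine usually belongs here.
ALLOWED_SOURCES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}
LSASS_NAME = "lsass.exe"


@dataclass
class ProcessAccess:
    source_image: str
    target_image: str
    granted_access: int
    call_trace: str


@dataclass
class Finding:
    source_image: str
    granted_access: int
    severity: str
    reason: str


def parse_event(line: str) -> ProcessAccess:
    """Parse one flattened EID 10 record. The ';'-separated key=value layout is
    a constructed export format, not Sysmon's native XML."""
    fields = dict(re.findall(r"(\w+)=([^;]*)", line))
    return ProcessAccess(
        source_image=fields["SourceImage"].strip(),
        target_image=fields["TargetImage"].strip(),
        granted_access=int(fields["GrantedAccess"].strip(), 16),
        call_trace=fields.get("CallTrace", "").strip(),
    )


def assess(event: ProcessAccess) -> Optional[Finding]:
    """Return a Finding when the record looks like LSASS memory reading."""
    if ntpath.basename(event.target_image).lower() != LSASS_NAME:
        return None
    if not (event.granted_access & PROCESS_VM_READ):
        return None  # query-only handles cannot read credential material
    if event.source_image.lower() in ALLOWED_SOURCES:
        return None
    # Frames Sysmon cannot attribute to a module ("UNKNOWN") indicate code
    # running from unbacked memory, which is how fileless loaders operate.
    if "UNKNOWN" in event.call_trace:
        return Finding(event.source_image, event.granted_access, "high",
                       "VM_READ on lsass from unbacked memory")
    if event.granted_access == PROCESS_ALL_ACCESS_MASK:
        return Finding(event.source_image, event.granted_access, "high",
                       "full access to lsass from unlisted process")
    return Finding(event.source_image, event.granted_access, "medium",
                   "VM_READ on lsass from unlisted process")


def scan(lines: List[str]) -> List[Finding]:
    """Run assess() over every record, skipping lines that are not EID 10."""
    findings = []
    for line in lines:
        if "TargetImage=" not in line:
            continue
        finding = assess(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    r"SourceImage=C:\Windows\System32\svchost.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1010;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4a4",
    r"SourceImage=C:\Users\bob\AppData\Local\Temp\update.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1010;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4a4|UNKNOWN(00000000023B1A2F)",
    r"SourceImage=C:\Windows\System32\Taskmgr.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1400;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4a4",
    r"SourceImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1FFFFF;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4a4",
    r"SourceImage=C:\Windows\System32\notepad.exe;TargetImage=C:\Windows\explorer.exe;GrantedAccess=0x1010;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4a4",
    r"SourceImage=C:\Tools\procexp64.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1410;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4a4",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.source_image} access=0x{f.granted_access:x}: {f.reason}")
```

The check deliberately ignores query-only handles (no PROCESS_VM_READ bit), since those cannot read credential material, and it raises severity when the call trace contains unattributed frames, which is the telemetry footprint of a fileless loader. Expect tuning work on the allow-list: legitimate crash handlers and security agents also open LSASS for reading.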