Skip to content

Home

Jump to bottom
Benjamin DELPY edited this page May 2, 2014 · 37 revisions

mimikatz is a tool I've made to learn C and make somes experiments with Windows security.

It's now well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory.
mimikatz can also perform pass-the-hash, pass-the-ticket, build Golden tickets, play with certificates or private keys, vault, ...
maybe make coffee?

Its symbol/icon is a kiwi, sometimes the animal, but mostly the fruit!

  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Apr 26 2014 00:25:11)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( [email protected] )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                    with  14 modules * * */

How can you get it?

How can you check it?

Despite some antivirus results, mimikatz is not dangerous (not a virus, malware, or other things). You can inspect the code 😉
I sign mimikatz binaries with my personnal code-signing certificate, its sha1 digest is AB9E92B943ED47D915BC26939E24A58303ACAA7E:

C:\Users\gentilkiwi>powershell -command get-authenticodesignature c:\security\mimikatz\Win32\mimikatz.exe
[...]
SignerCertificate                         Status                                                Path
-----------------                         ------                                                ----
AB9E92B943ED47D915BC26939E24A58303ACAA7E  Valid                                                 mimikatz.exe

Basics

mimikatz comes in two flavors: x64 or Win32, depending on your windows version (32 or 64 bits).
Win32 flavor cannot access 64 bits process memory (like lsass), but can open 32 bits minidump under Windows 64 bits.
Some operations need administrator privileges, or SYSTEM token, so be aware of UAC from Vista version.

After launching mimikatz:

  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Apr 26 2014 00:25:11)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( [email protected] )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                    with  14 modules * * */


mimikatz #

... you have the command prompt mimikatz #, you can type instructions like exit, cls, crypto::certificates

Instructions can be in the form: modulename::commandname arguments..., eg:

  • kerberos::tgt
  • crypto::certificates /systemstore:local_machine /store:my /export
  • cls

see Module section below for others.
commands from standard module can be typed without modulename; cls is the same as standard::cls (see module ~ standard)

You can quit mimikatz with exit command.
For remote execution, see howto ~ remote execution

Command line

You can pass instructions on mimikatz command line, those with arguments/spaces must be quoted.

C:\security\mimikatz\x64>mimikatz log version "crypto::certificates /systemstore:local_machine" exit

  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Apr 26 2014 00:25:11)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( [email protected] )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                    with  14 modules * * */


mimikatz(commandline) # log
Using 'mimikatz.log' for logfile : OK

mimikatz(commandline) # version

mimikatz 2.0 alpha (arch x64)
NT     -  Windows NT 6.1 build 7601 (arch x64)

mimikatz(commandline) # crypto::certificates /systemstore:local_machine
 * System Store  : 'local_machine' (0x00020000)
 * Store         : 'My'

 0. example.nirvana.local
        Key Container  : example.nirvana.local
        Provider       : Microsoft Software Key Storage Provider
        Type           : CNG Key (0xffffffff)
        Exportable key : NO
        Key size       : 2048

mimikatz(commandline) # exit
Bye!

Instructions from command line are marked with (commandline) on the prompt.

Modules

About me

I'm a kiwi.

History

mimikatz is now 2.0, but is born in 2007, it was known by other names:

  • kdll ; a simple DLL injector
  • kdllpipe ; first version to accomplish Pass-The-Hash, with interaction on a named pipe
  • katz ;
  • mimikatz !

I started to code it for some reasons:

  • improve my knowledge, especially in C/C++ for Windows ;
  • explain security concepts ;
  • prove to Microsoft that sometimes they must change old habits.

External resources

Some amazing alternative versions of mimikatz, w00tw00t! 😊

Some ressources inspired by my work

Clone this wiki locally