Skills · May 15, 2026 · 1 min read

Mimikatz — Windows Credential Security Research Tool

A security research tool for testing Windows credential protection mechanisms, widely used by penetration testers and red teams to audit authentication security.

Agent ready

This asset can be read and installed directly by an Agent.

TokRepo also provides a generic CLI command, an install contract, metadata JSON, per-adapter install plans and a link to the raw content, so an Agent can judge fit, risk and the next action.

  • Native · 98/100 · Policy: allowed
  • Agent entry point: any MCP/CLI Agent
  • Type: Skill
  • Installation: Single
  • Trust level: Established
  • Entry: Mimikatz Overview

Generic CLI install command:

npx tokrepo install 7b2a0fd7-509b-11f1-9bc6-00163e2b0d79

Introduction

Mimikatz is a security research tool created by Benjamin Delpy that demonstrates weaknesses in Windows credential storage and authentication protocols. It is an essential tool in authorized penetration testing engagements for validating whether credential protection controls are properly configured.

What Mimikatz Does

  • Extracts plaintext passwords, hashes, and Kerberos tickets from Windows memory
  • Demonstrates pass-the-hash and pass-the-ticket attack techniques for security assessments
  • Tests Windows Credential Guard and LSA protection effectiveness
  • Interacts with Active Directory certificate services for golden ticket research
  • Validates whether security hardening measures like RunAsPPL are correctly deployed

Architecture Overview

Mimikatz is written in C and directly interfaces with Windows LSASS process memory and Security Support Provider Interface (SSPI). It uses undocumented Windows internals to read credential material from the Local Security Authority Subsystem. The modular design separates functionality into modules such as sekurlsa, kerberos, lsadump, and crypto.

Self-Hosting & Configuration

  • Runs as a standalone portable executable on Windows systems
  • Requires administrator privileges and SeDebugPrivilege for most operations
  • No installation or configuration files needed
  • Can be compiled from source using Visual Studio with the Windows SDK
  • Often deployed within authorized pentest environments or isolated labs

Key Features

  • Kerberos ticket extraction, forging, and pass-the-ticket capabilities
  • DCSync attack simulation for testing domain controller replication security
  • Smart card and certificate manipulation for PKI security assessments
  • Built-in RPC and network-based remote execution for distributed testing
  • Skeleton key module for testing domain-wide authentication bypass defenses

Comparison with Similar Tools

  • Rubeus — .NET Kerberos toolset; more focused on Kerberos abuse but less comprehensive overall
  • Impacket — Python library for network protocol interaction; complements Mimikatz for remote attacks
  • SharpHound/BloodHound — maps AD attack paths but does not extract credentials directly
  • LaZagne — cross-platform credential recovery; less depth on Windows-specific mechanisms
  • Hashcat — focuses on offline hash cracking rather than live credential extraction

FAQ

Q: Is Mimikatz legal to use? A: It is a legitimate security research tool. Use it only in authorized penetration testing engagements, CTF competitions, or controlled lab environments.

Q: How do defenders detect Mimikatz? A: Enable Credential Guard, configure LSA protection (RunAsPPL), monitor LSASS access with Sysmon, and deploy endpoint detection rules for known Mimikatz signatures.
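The following PowerShell script is an added example (not part of the listing or of the Mimikatz project) that audits the three controls named in the answer above on the local host: the RunAsPPL registry value, Credential Guard status via the Win32_DeviceGuard CIM class, and recent Sysmon Event ID 10 (ProcessAccess) records whose target is lsass.exe. It assumes an elevated shell and, for the last check, that Sysmon is installed with a ProcessAccess rule.

```powershell
# Added defensive audit script; function names are this example's own, not a Microsoft or Mimikatz API.

function Get-LsaProtectionStatus {
    # RunAsPPL: 1 = LSASS runs as Protected Process Light, 2 = PPL with UEFI lock, absent/0 = disabled
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $value = if ($null -ne $lsa -and $null -ne $lsa.RunAsPPL) { [int]$lsa.RunAsPPL } else { 0 }
    [pscustomobject]@{ Control = 'LSA protection (RunAsPPL)'; Value = $value; Enabled = ($value -ge 1) }
}

function Get-CredentialGuardStatus {
    # Win32_DeviceGuard lists running VBS services; a value of 1 in SecurityServicesRunning is Credential Guard
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $running = if ($dg) { @($dg.SecurityServicesRunning) -contains 1 } else { $false }
    $raw = if ($dg) { @($dg.SecurityServicesRunning) -join ',' } else { 'n/a' }
    [pscustomobject]@{ Control = 'Credential Guard'; Value = $raw; Enabled = $running }
}

function Get-LsassAccessEvents {
    param([int]$Hours = 24)
    # Sysmon Event ID 10 = ProcessAccess. Fields are read by name from the event XML rather than by
    # positional index, so the script does not break if Sysmon adds fields in a newer schema.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TargetImage'] -like '*\lsass.exe') {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                SourceImage   = $d['SourceImage']
                GrantedAccess = $d['GrantedAccess']   # access mask requested on the LSASS handle
                CallTrace     = $d['CallTrace']
            }
        }
    }
}

# Summary of the two preventive controls, then the last 24 hours of LSASS handle opens.
@(Get-LsaProtectionStatus; Get-CredentialGuardStatus) | Format-Table -AutoSize
Get-LsassAccessEvents -Hours 24 | Sort-Object Time -Descending | Format-Table -AutoSize
```

Expect legitimate sources such as the Windows Defender or EDR binaries in the LSASS access list; the useful signal is an unexpected SourceImage or a GrantedAccess mask that includes memory-read rights, which is what a Sysmon ProcessAccess rule should be tuned to surface.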

Q: Does Mimikatz work on modern Windows? A: Recent Windows versions with Credential Guard and virtualization-based security significantly limit its effectiveness, which is precisely what pentesters validate.

Q: Can it run on Linux? A: Mimikatz is Windows-only. However, Impacket provides similar network-based credential testing from Linux systems.
