Mimikatz Dump Password: Extracting Credentials in Post-Exploitation
Mimikatz is an open-source post-exploitation tool primarily used by pentesters, red teamers, and security researchers to extract sensitive information, particularly cleartext passwords, NTLM hashes, and Kerberos tickets from Windows memory, specifically the Local Security Authority Subsystem Service (LSASS) process. When you need to dump passwords from a compromised Windows machine, Mimikatz is often your first and most effective go-to, providing critical credentials for lateral movement, privilege escalation, and domain compromise.
From my years in the field, Mimikatz isn't just a tool; it's a statement about the inherent vulnerabilities in Windows authentication mechanisms. Understanding how to use Mimikatz effectively and, more importantly, how to defend against it, is crucial for anyone serious about penetration testing or enterprise security.
Understanding Mimikatz and Its Core Capabilities
Developed by Benjamin Delpy (gentilkiwi) in 2011, Mimikatz started as a proof-of-concept to show how easy it was to extract authentication information from memory. It quickly evolved into an indispensable utility for ethical hackers and malicious actors alike. Its power stems from its ability to interact directly with the LSASS process, which manages local security policy, user authentication, and stores credentials in various forms.
LSASS holds active logon sessions, meaning it often contains unencrypted passwords, NTLM password hashes, and Kerberos tickets in memory. Mimikatz exploits this by injecting into the LSASS process, reading its memory, and parsing out these valuable credentials. This isn't a vulnerability in Mimikatz itself; it's a demonstration of how Windows manages authentication and how those mechanisms can be abused.
Key Modules for Mimikatz Dump Password Operations
Mimikatz is modular, with several commands designed for specific tasks. For dumping credentials, you'll primarily use these modules:
- `privilege`: Essential for granting Mimikatz the necessary permissions to interact with sensitive processes like LSASS.
- `sekurlsa`: The main module for interacting with the LSASS process to extract credentials. This is where the magic happens for password dumping.
- `lsadump`: Used for extracting LSA secrets, which can contain service account passwords or other sensitive configuration data.
- `kerberos`: For manipulating and extracting Kerberos tickets, which are vital for authenticated access within an Active Directory environment.
Key Takeaway: Mimikatz doesn't "hack" Windows in the traditional sense; it reads information Windows *intentionally* stores in memory for legitimate authentication purposes. Your job as a pentester is to find a way to make Windows reveal these secrets.
Setting Up and Deploying Mimikatz on a Compromised System
Before you can begin to dump passwords with Mimikatz, you first need to get it onto your target system and execute it with sufficient privileges. This step often presents the biggest challenge due to endpoint detection and response (EDR) solutions and antivirus (AV) software.
Obtaining and Bypassing Security Controls
You can get Mimikatz in a few ways:
- Pre-compiled Binaries: The easiest way is to download a pre-compiled version from the official GitHub releases page. However, these are almost universally detected by AV/EDR.
- Compile from Source: Compiling Mimikatz yourself from the source code can sometimes bypass basic AV signatures, especially if you modify the code slightly (e.g., change variable names). You'll need Visual Studio for this.
- In-Memory Execution: This is often the preferred method for red teamers. Tools like Metasploit's `load mimikatz` or Cobalt Strike's `execute-assembly` can inject Mimikatz directly into memory without dropping a file to disk, significantly reducing the chances of AV detection. This is where Metasploit Post Exploitation skills become invaluable.
- Obfuscation and Custom Loaders: For advanced engagements, you might use packers, crypters, or custom C/C++ loaders to obfuscate the Mimikatz binary, or reflective DLL injection to load it into an existing process.
Remember, Mimikatz needs to run with SYSTEM privileges to access LSASS memory. Achieving this usually means you've already exploited a vulnerability to gain administrative access or performed a local privilege escalation.
Methods of Mimikatz Execution
Once you have a method to bypass security controls, you'll need to execute Mimikatz. Common methods include:
- Direct Upload and Execution: If AV/EDR isn't an issue, simply upload `mimikatz.exe` and run it from a command prompt with admin privileges.
- Using Metasploit's `kiwi` Module: In a Meterpreter session, you can load the `kiwi` module (Metasploit's built-in Mimikatz integration) using `load kiwi`. This provides many Mimikatz functionalities directly from Meterpreter.
- PowerShell Empire/Sliver/Cobalt Strike: These C2 frameworks offer modules to execute Mimikatz in-memory, providing a stealthier approach.
- PsExec: You can use PsExec to execute Mimikatz remotely on a target system with SYSTEM privileges, assuming you have administrative credentials for that system.
Mastering the Mimikatz Dump Password Process
Let's walk through the practical steps to dump passwords using Mimikatz. For this example, we'll assume you've already obtained administrative access on a Windows machine and managed to execute Mimikatz.
Step-by-Step: Extracting Credentials with sekurlsa::logonpasswords
The primary command you'll use to dump passwords is sekurlsa::logonpasswords. Here's how it generally goes:
- Start Mimikatz: run `mimikatz.exe`. This opens the Mimikatz prompt, `mimikatz #`.
- Gain Debug Privileges: Mimikatz needs SeDebugPrivilege to access the LSASS process. Run `mimikatz # privilege::debug`; you should see `Privilege '20' OK` or similar output indicating success.
- Dump Passwords and Hashes: This is the command to get the goods. Run `mimikatz # sekurlsa::logonpasswords`; Mimikatz will then enumerate all active logon sessions and display any cleartext passwords, NTLM hashes, and Kerberos tickets it finds in memory. The output can be extensive.
The output will list various logon sessions, including interactive users, service accounts, and network logons. For each session, you'll look for:
- `msv`: This section often contains the NTLM hash (`NTLM:`) and sometimes the cleartext password (`Password:`) if it's cached or was recently used.
- `kerberos`: This section will show Kerberos tickets and, sometimes, cleartext passwords or NTLM hashes if available.
Understanding Mimikatz Output for Dumped Credentials
The output from sekurlsa::logonpasswords is rich. You'll see several sections per logon session:
| Output Field | Description | Significance |
|---|---|---|
| Username | The user account associated with the logon session. | Identifies who the credentials belong to. |
| Domain | The domain of the user account. | Crucial for understanding trust relationships and targeting. |
| Password | The cleartext password. | The holy grail! Direct access to the account. |
| NTLM | The NTLM hash of the password. | Useful for Pass-the-Hash attacks and offline cracking. |
| SHA1 | The SHA1 hash of the password. | Less common for direct attacks, but good for cracking. |
| Ticket (Kerberos) | Kerberos Ticket Granting Tickets (TGTs) or Service Tickets (STs). | Enables Pass-the-Ticket attacks for lateral movement. |
From my experience, finding cleartext passwords is less common on modern, well-configured systems, especially those with Credential Guard enabled. However, NTLM hashes and Kerberos tickets are almost always present and are just as valuable for further exploitation.
Extracting LSA Secrets with lsadump::secrets
The LSA secrets are encrypted system data that can contain sensitive information like cached domain account credentials, service account passwords, and other system-related secrets. Dumping these can occasionally reveal cleartext passwords for services or scheduled tasks.
```
mimikatz # lsadump::secrets
```
This command can sometimes reveal fascinating plaintext data, especially on older systems or those configured with legacy applications.
Working with Kerberos Tickets
Kerberos is the default authentication protocol for Active Directory. Mimikatz can extract Kerberos tickets from memory, which allows for Pass-the-Ticket (PtT) attacks. These tickets grant access to resources without needing the actual password.
- List Kerberos Tickets: `mimikatz # kerberos::list` shows all Kerberos tickets stored in the current user's session.
- Export Kerberos Tickets: `mimikatz # kerberos::tgt` specifically targets Ticket Granting Tickets (TGTs), which are crucial for requesting service tickets for other resources in the domain. You can also use `kerberos::ptt` for Pass-the-Ticket with a specific ticket.
Key Takeaway: Don't just look for cleartext passwords. NTLM hashes and Kerberos tickets are powerful primitives for lateral movement and privilege escalation, especially in Active Directory environments. Learn to use tools like `hashcat` to crack NTLM hashes offline if they are weak.
Advanced Mimikatz Techniques and Post-Exploitation Scenarios
Mimikatz's capabilities extend far beyond simply dumping credentials. It's a versatile tool for advanced post-exploitation, enabling complex attacks that can lead to domain dominance.
Pass-the-Hash (PtH) and Pass-the-Ticket (PtT)
These techniques allow you to authenticate as a user without knowing their cleartext password, using only their NTLM hash or Kerberos ticket, respectively. This is incredibly useful for lateral movement:
- Pass-the-Hash: `mimikatz # sekurlsa::pth /user:Administrator /domain:TARGETDOMAIN /ntlm:AAD3B435B51404EEAAD3B435B51404EE`. This command spawns a new process (e.g., cmd.exe) as the specified user, authenticated with the provided NTLM hash. You can then interact with network resources as that user.
- Pass-the-Ticket: `mimikatz # kerberos::ptt C:\path\to\ticket.kirbi`. If you've previously exported a Kerberos ticket, you can inject it into your current session, allowing you to access resources as the ticket's owner.
Golden Ticket and Silver Ticket Attacks
These are advanced Kerberos attacks that Mimikatz facilitates, leading to complete domain compromise:
- Golden Ticket: Forge a Kerberos Ticket Granting Ticket (TGT) for any user in the domain, allowing you to impersonate anyone, including domain administrators, for up to 10 years (or the ticket's expiration). This requires the NTLM hash of the KRBTGT account, the special account used by the KDC to encrypt all TGTs: `mimikatz # kerberos::golden /user:Administrator /domain:target.local /sid:S-1-5-21-XXX /krbtgt:hash_of_krbtgt /ptt`. This is the ultimate prize in many red team engagements, as it grants persistent, stealthy access to the entire Active Directory.
- Silver Ticket: Forge a Kerberos Service Ticket (ST) for a specific service on a specific server (e.g., CIFS, HTTP). This requires the NTLM hash of the service account or the computer account for the target server: `mimikatz # kerberos::golden /user:Administrator /domain:target.local /sid:S-1-5-21-XXX /target:fileserver.target.local /rc4:hash_of_server_account /service:cifs /ptt`. Silver tickets provide access to specific services on specific machines, useful for targeted attacks or when you don't have the KRBTGT hash.
Dumping Domain Controller Credentials
If you compromise a Domain Controller, Mimikatz becomes incredibly powerful. You can dump all domain hashes directly:
```
mimikatz # lsadump::dcsync /domain:target.local /user:krbtgt
```
The dcsync command simulates a Domain Controller replication request, forcing the DC to send password hashes for specified users (or all users) to your compromised machine. This is typically done with domain administrator privileges and is often a red team's final objective.
Defending Against Mimikatz Dump Password Attacks
Understanding how Mimikatz works is the first step to defending against it. While it's incredibly effective, there are robust countermeasures you can put in place to significantly reduce its impact.
Implement LSA Protection (RunAsPPL)
The most direct defense against Mimikatz is enabling Local Security Authority (LSA) Protection, also known as RunAsPPL (Protected Process Light). This feature, introduced in Windows 8.1 and Windows Server 2012 R2, protects the LSASS process from being injected into by unprivileged processes, including Mimikatz.
When LSA Protection is enabled, Mimikatz cannot directly read LSASS memory, effectively crippling its primary function. You can enable it via Group Policy or by setting a registry key:
- Registry Key: `reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 1 /f`. A reboot is required for this setting to take effect.
While not foolproof (advanced techniques can sometimes bypass it), LSA Protection is a critical first line of defense that every organization should enable.
Deploy Credential Guard
Introduced with Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate and protect NTLM password hashes and Kerberos Ticket Granting Tickets (TGTs) from the rest of the operating system. This makes it significantly harder, if not impossible, for Mimikatz to extract these credentials, even with SYSTEM privileges.
Credential Guard works by running the LSASS process within a virtualized, isolated environment that is separate from the main operating system. This prevents Mimikatz from directly accessing the memory space where credentials are stored. It requires specific hardware and software configurations (UEFI, Secure Boot, virtualization features).
For more detailed information on configuring these features, you can refer to Microsoft's official documentation.
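As an added example (not code from this article), the following Python script audits the two controls from the LSA Protection and Credential Guard sections above by parsing captured `reg query` output for the `RunAsPPL` and `LsaCfgFlags` values under the Lsa key. The sample output is constructed; the value meanings (1 = enabled with UEFI lock, 2 = enabled without it) follow Microsoft's documentation of those two values.

```python
r"""Audit LSA Protection and Credential Guard from `reg query` output.

Added example, not code from the original article. Feed it the text of
`reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa` captured on a host;
the sample at the bottom is constructed so the logic runs anywhere.
"""
import re

# One REG_DWORD line as `reg query` prints it: name, type, hex value.
DWORD_RE = re.compile(r"^\s*(\w+)\s+REG_DWORD\s+0x([0-9A-Fa-f]+)\s*$", re.M)

# Documented meanings shared by RunAsPPL and LsaCfgFlags: 1 = enabled and
# locked by a UEFI variable, 2 = enabled without the lock (RunAsPPL=2 needs
# Windows 11 22H2 or later). Anything else, or a missing value, is off.
STATE = {1: "enabled, UEFI locked", 2: "enabled, no UEFI lock"}

def parse_reg_query(text: str) -> dict:
    """Map REG_DWORD value names to ints; absent values stay absent."""
    return {name: int(hexval, 16) for name, hexval in DWORD_RE.findall(text)}

def assess_lsa_hardening(values: dict) -> dict:
    """Turn RunAsPPL / LsaCfgFlags into findings plus a remediation list."""
    ppl = values.get("RunAsPPL", 0)
    cg = values.get("LsaCfgFlags", 0)
    findings = {
        "lsa_protection": STATE.get(ppl, "disabled"),
        "credential_guard": STATE.get(cg, "disabled"),
        # Without PPL, any process holding SeDebugPrivilege can read LSASS.
        "lsass_readable_with_debug_priv": ppl not in STATE,
        # With Credential Guard, NTLM hashes and TGTs sit in the isolated LSA
        # process, so even a PPL bypass does not recover them.
        "secrets_isolated_by_vbs": cg in STATE,
        "remediation": [],
    }
    if ppl not in STATE:
        findings["remediation"].append(
            r"reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL "
            "/t REG_DWORD /d 1 /f (then reboot)")
    if cg not in STATE:
        findings["remediation"].append(
            "enable Credential Guard (LsaCfgFlags=1 via policy; needs UEFI, "
            "Secure Boot and virtualization support)")
    # The registry records intent only; confirm the running state on the host
    # with Get-CimInstance Win32_DeviceGuard (root\Microsoft\Windows\DeviceGuard).
    return findings

# Constructed sample: PPL on without UEFI lock, Credential Guard not set.
SAMPLE_REG_QUERY = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa
    RunAsPPL    REG_DWORD    0x2
    LmCompatibilityLevel    REG_DWORD    0x5
    Security Packages    REG_MULTI_SZ    \\0
"""
```

Call `assess_lsa_hardening(parse_reg_query(text))` on real captured output; a missing key (the `ERROR: The system was unable to find...` message) parses to an empty dict and is reported as both controls disabled.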
Restrict Local Administrator Access
Mimikatz requires administrative privileges (specifically SYSTEM or SeDebugPrivilege) to function. Limiting local administrator accounts and implementing a robust privilege management solution dramatically reduces the attack surface. If an attacker can't get admin rights, they can't run Mimikatz effectively.
Implement Strong Password Policies and Multi-Factor Authentication (MFA)
While Mimikatz can extract cleartext passwords, strong, unique passwords across systems make it harder for attackers to reuse them if they do get dumped. MFA, especially for administrative accounts, provides an additional layer of security that Mimikatz cannot bypass directly. Even if a password or hash is compromised, the attacker still needs the second factor.
Endpoint Detection and Response (EDR) and Antivirus (AV)
Modern EDR solutions are designed to detect suspicious behavior, including attempts to access LSASS memory. While Mimikatz is often weaponized to bypass AV, a well-configured EDR can detect the behavioral patterns of Mimikatz execution, such as process injection, unusual privilege requests, or suspicious memory access. Signature-based AV will usually catch standard Mimikatz binaries, but advanced attackers use obfuscation.
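The LSASS memory-access behaviour described above, as an added example rather than code from the article: a Python rule over Sysmon Event ID 10 (ProcessAccess) records that flags any process outside an allow-list opening lsass.exe with the PROCESS_VM_READ right. The log lines and the allow-list of benign source images are constructed for the demo.

```python
"""Flag suspicious handle opens on lsass.exe in Sysmon Event ID 10 records.

Added example, not code from the original article; log lines and the
allow-list of benign source images below are constructed for the demo.
"""
import re

# Right needed to read another process's memory. Credential dumpers typically
# request 0x1010 or 0x1410 (VM_READ plus query rights); most legitimate
# callers that touch LSASS do not ask for VM_READ at all.
PROCESS_VM_READ = 0x0010

# Assumed benign readers of LSASS; tune per environment (constructed list).
ALLOWED_SOURCES = {
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

FIELD_RE = re.compile(r"(\w+)=([^;]+)")

def parse_event(line: str) -> dict:
    """Parse a flattened 'Key=value; Key=value' Sysmon record into a dict."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}

def is_suspicious_lsass_access(event: dict) -> bool:
    """True when a non-allow-listed process opens lsass.exe with VM_READ."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    if not int(event.get("GrantedAccess", "0x0"), 16) & PROCESS_VM_READ:
        return False
    return event.get("SourceImage", "").lower() not in ALLOWED_SOURCES

def triage(lines):
    """Return (SourceImage, GrantedAccess) for each record worth investigating."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious_lsass_access(event):
            hits.append((event["SourceImage"], event["GrantedAccess"]))
    return hits

# Constructed sample records, flattened from Sysmon's XML (not real telemetry).
SAMPLE_LOG = [
    "EventID=10; SourceImage=C:\\Windows\\System32\\svchost.exe; "
    "TargetImage=C:\\Windows\\System32\\lsass.exe; GrantedAccess=0x1000",
    "EventID=10; SourceImage=C:\\Users\\bob\\Downloads\\tool.exe; "
    "TargetImage=C:\\Windows\\System32\\lsass.exe; GrantedAccess=0x1010",
    "EventID=10; SourceImage=C:\\Windows\\System32\\wininit.exe; "
    "TargetImage=C:\\Windows\\System32\\lsass.exe; GrantedAccess=0x1410",
    "EventID=1; Image=C:\\Windows\\System32\\cmd.exe",
]

if __name__ == "__main__":
    for source, access in triage(SAMPLE_LOG):
        print(f"ALERT: {source} opened lsass.exe with GrantedAccess={access}")
```

An image-path allow-list is easy to defeat by injecting into an allowed process, so a production rule should also key on Sysmon's CallTrace field and the caller's code signature; the block keeps the path check only to show the shape of the logic.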
Regular Patching and Security Updates
Keep your Windows systems fully patched. While Mimikatz itself isn't an exploit, the initial access vector often is. Addressing vulnerabilities promptly reduces the chances of an attacker gaining the initial foothold needed to run Mimikatz.
Key Takeaway: Layered security is your best bet. LSA Protection and Credential Guard are the most impactful technical controls. Combine these with strong administrative practices and an effective EDR solution to significantly raise the bar for attackers trying to dump credentials.
Conclusion
Mimikatz remains an indispensable tool in a pentester's arsenal for post-exploitation. Its ability to dump passwords, NTLM hashes, and Kerberos tickets directly from memory provides critical insights and opportunities for lateral movement and privilege escalation within a Windows environment. From basic credential extraction to advanced Golden Ticket attacks, understanding Mimikatz is fundamental for anyone looking to truly master Active Directory exploitation or to prepare for certifications like the OSCP, where such techniques are frequently tested. For anyone working through OSCP exam preparation, Mimikatz is a must-know.
However, with great power comes the need for strong defense. Organizations must implement LSA Protection, Credential Guard, strict access controls, and robust EDR solutions to minimize the risk of a successful Mimikatz attack. As pentesters, our role isn't just to exploit but also to educate and help organizations build a more resilient security posture.
Frequently Asked Questions
What is Mimikatz used for in pentesting?
Mimikatz is used in pentesting primarily for post-exploitation to extract authentication credentials like cleartext passwords, NTLM hashes, and Kerberos tickets from the memory of compromised Windows systems. This information is then used for lateral movement, privilege escalation, and domain compromise.
Can Mimikatz dump passwords on Windows 10?
Yes, Mimikatz can dump passwords and hashes on Windows 10, but its effectiveness depends heavily on the security features enabled. If LSA Protection or Credential Guard are active, Mimikatz's ability to extract certain types of credentials (like cleartext passwords or NTLM hashes) will be significantly limited or blocked entirely.
Does antivirus detect Mimikatz?
Most standard antivirus solutions will detect well-known, pre-compiled Mimikatz binaries due to signature-based detection. However, advanced attackers often bypass AV by compiling Mimikatz from source with modifications, using obfuscation techniques, or executing it in-memory via tools like Metasploit or Cobalt Strike.
What are Golden Ticket and Silver Ticket attacks?
Golden Ticket and Silver Ticket attacks are advanced Kerberos attacks facilitated by Mimikatz. A Golden Ticket allows an attacker to forge a Ticket Granting Ticket (TGT) for any user, granting arbitrary access to the entire Active Directory domain. A Silver Ticket allows forging a Service Ticket (ST) for a specific service on a specific server, providing targeted access without full domain compromise.