Home

mimikatz is a tool I've made to learn C and make somes experiments with Windows security.

It's now well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory.
mimikatz can also perform pass-the-hash, pass-the-ticket, build Golden tickets, play with certificates or private keys, vault, ...
maybe make coffee?

Its symbol is a kiwi:

  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Apr 26 2014 00:25:11)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                    with  14 modules * * */

sometimes the animal, but mostly the fruit!

How you can get it?

• sources (Visual Studion solution) on GitHub - see howto ~ build-mimikatz
• binaries are availables on http://blog.gentilkiwi.com/mimikatz (zip or 7z)

Basics

Modules

• standard
• privilege
• crypto
• sekurlsa
• kerberos
• lsadump
• vault
• token
• event
• ts
• process
• service
• net
• misc
• library mimilib
• driver mimidrv

About me

History

I started to code mimikatz for some reasons:

• improve my knowledge, especially in C/C++ for Windows ;
• explain security concepts ;
• prove to Microsoft that sometimes they must change old habits.

mimikatz is now 2.0, but is born in 2007, it was known by other names:

• kdll ; a simple DLL injector
• kdllpipe ; first version to accomplish Pass-The-Hash, with interaction on a named pipe
• katz ;
• mimikatz !

External resources

Some amazing alternative versions of mimikatz, w00tw00t! 😊

• Meterpreter extension for mimikatz 1.0 by Ben Campbell (https://twitter.com/Meatballs__ / https://github.com/Meatballs1)

  • https://github.com/rapid7/meterpreter/tree/master/source/extensions/mimikatz
  • https://github.com/rapid7/metasploit-framework/tree/master/lib/rex/post/meterpreter/extensions/mimikatz

• DLL reflection in PowerShell by Joseph Bialek (https://twitter.com/JosephBialek / https://github.com/clymb3r)

  • https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz
  • http://clymb3r.wordpress.com/2013/04/09/modifying-mimikatz-to-be-loaded-using-invoke-reflectivedllinjection-ps1

• Volatility plugin by Francesco Picasso (https://plus.google.com/+francescopicasso / https://code.google.com/p/hotoloti)

  • http://blog.digital-forensics.it/2014/03/et-voila-le-mimikatz-offline.html
  • http://blog.digital-forensics.it/2014/03/mimikatz-offline-addendum_28.html

• Meterpreter extension for mimikatz 2.0 in progress by Oliver Reeves (https://twitter.com/TheColonial / https://github.com/OJ)

  • https://github.com/rapid7/meterpreter/pull/79
  • https://github.com/rapid7/metasploit-framework/pull/3121

Some ressources inspired by my work

• wce (cleartext passwords part) by Hernan Ochoa @ Amplia security (https://twitter.com/hernano / https://twitter.com/AmpliaSecurity)

  • http://www.ampliasecurity.com/research/wcefaq.html
  • http://seclists.org/fulldisclosure/2013/May/226
  • Details here: http://fr.slideshare.net/gentilkiwi/mimikatz-phdays/29

• sessiondump by Steeve Barbeau @ HSC (https://twitter.com/steevebarbeau / https://github.com/steeve85)

  • http://www.hsc.fr/ressources/outils/sessiondump
  • https://github.com/rapid7/metasploit-framework/pull/1750
  • https://github.com/steeve85/metasploit-framework/tree/sessiondump/external/source/meterpreter/source/extensions/sessiondump
  • Details here: core.c