Mimikatz is a Windows utility for pulling system passwords from memory dumps or hibernation files. Access to an administrator account is required to use the application.
The main purpose
This tool exploits a security vulnerability present in all modern versions of Windows. It allows the user to extract a password from RAM and decrypt it to obtain the plaintext.
The operating system stores all sensitive data in a protected hash form. Even special decryption tools cannot guess the password by brute-forcing the system. However, some Windows services, such as Authentication Security Checker and LSASS, require the user's original password in clear text format.
Intercepting passwords
Executable files are provided for 32-bit and 64-bit operating systems. The user must start the application with administrator privileges. The next step is to run the following command sequence: privilege::debug and sekurlsa::logonPasswords full. A list of all active users and their passwords is then displayed in the console window.
PowerShell is needed to pull the keys from a memory dump. You can start a terminal and type Get-Process lsass | Out-Minidump. The DMP file will be created in the system folder. It can then be sent to another machine, where the command sekurlsa::minidump is run with the dump file name as an argument. After that, you can type sekurlsa::logonPasswords and access the decrypted key.
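For defenders, the command strings above double as detection indicators. The following is an added example, not part of the original page or of the tool: a small Python scanner that flags those strings in process-creation command lines. The record field names and the sample events are constructed assumptions.

```python
import re

# Patterns built from the commands named on this page. Matching ignores case
# and tolerates extra whitespace around "::" and "|".
RULES = {
    "mimikatz_debug_privilege": re.compile(r"privilege\s*::\s*debug", re.I),
    "mimikatz_logonpasswords": re.compile(r"sekurlsa\s*::\s*logonpasswords", re.I),
    "mimikatz_offline_minidump": re.compile(r"sekurlsa\s*::\s*minidump", re.I),
    "powershell_lsass_minidump": re.compile(
        r"""get-process\s+(?:-name\s+)?["']?lsass(?:\.exe)?["']?\s*\|\s*out-minidump""",
        re.I,
    ),
}

# Constructed sample records (not real telemetry). The field names are
# assumptions modelled on process-creation events with command-line logging.
SAMPLE_EVENTS = [
    {"host": "WS-014", "user": "alice", "command_line": "notepad.exe report.txt"},
    {"host": "WS-014", "user": "svc_backup",
     "command_line": 'tool.exe "privilege::debug" "sekurlsa::logonPasswords full" exit'},
    {"host": "SRV-DB2", "user": "admin_t",
     "command_line": 'powershell.exe -Command "Get-Process lsass | Out-Minidump"'},
    {"host": "WS-020", "user": "bob",
     "command_line": "powershell.exe -Command Get-Process | Sort-Object CPU"},
]


def scan(events):
    """Return one alert per event whose command line matches any rule."""
    alerts = []
    for event in events:
        cmd = event.get("command_line", "")
        hits = sorted(name for name, rx in RULES.items() if rx.search(cmd))
        if hits:
            alerts.append({"host": event["host"], "user": event["user"], "rules": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f'{alert["host"]} {alert["user"]}: {", ".join(alert["rules"])}')
```

Commands typed into the tool's interactive console never appear in a process command line, so this check only covers commands passed as arguments and logged PowerShell input. It should be paired with monitoring of which processes open lsass.exe.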
Features
~ free to download and use;
~ allows you to intercept system passwords;
~ able to extract passwords from memory dumps;
~ a list of all active users and passwords can be displayed;
~ compatible with all modern versions of Windows.