Mimikatz is a Windows utility for pulling out system passwords from the memory dump or hibernation file. Access to the administrator account is necessary to use the app.

Main purpose

This tool utilizes security vulnerability inherent in any modern Windows OS. It allows users to extract the keyphrase from the RAM and decrypt it to get the password.

Your operating system stores all sensitive data in the form of protected hashes. Even highly specialized decryption tools cannot guess the keyphrase by brute forcing the system. However, some Windows services like authentication security checks and LSASS require the original user password in a plain text format.

Intercepting keyphrase

There are executable files for both 32 and 64-bit operating systems. Users are instructed to start the application with administrative privileges. The next step is to sequentially execute the following commands: privilege::debug and sekurlsa::logonPasswords full. The list of all active users and their passwords will be displayed in the console window.

PowerShell is required to extract the key from a memory dump. You can start the terminal and type Get-Process lsass | Out-Minidump. The DMP file will be created in the system folder. It is possible to transfer it to another computer and execute the sekurlsa::minidump command with the dump file name as an argument. Following that you are able to type sekurlsa::logonPasswords and access the decrypted keys.

Features

free to download and use;
allows you to intercept system passwords;
it is possible to extract the keyphrase from the memory dump;
the list of all active users and passwords can be displayed;
compatible with all modern versions of Windows.