PrivEsc: Dumping Passwords in Plaintext – Mimikatz

A tool exists for dumping plaintext passwords out of memory on Windows, it requires Local Administrator level privileges but it’s a great tool for privilege escalation from Local Admin to Domain Admin. There are Windows EXEs available but it’s also been rolled into Meterpreter! It can also inject a hash into memory to effectively perform a local pass-the-hash attack! If you want to run it on a remote machine remember to check out this post on running remote commands on Windows machines.

Running from Meterpreter

The benefit of running from Meterpreter is not only are you in a familiar environment, but if you’ve got a Meterpreter shell up you don’t need to mess around getting remote commands working. So you’re sitting at a shell prompt and you want to run one a Mimikatz command, it’s as simple as:

meterpreter > use mimikatz
meterpreter > mimikatz_command -f {Command here}

So what commands are available? The following all work regardless of whether they are ran directly in the mimikatz.exe file or through a Meterpreter shell with the Mimikatz extension loaded.

Dumping Passwords

Pulling available passwords is a simple task:


You’ll get a lot of output, especially on a busy machine but scroll down and with a little luck you’ll get some plaintext passwords!

Passing the Hash

It’s well known that Mimikatz can be used for dumping passwords but a less well known feature is the ability to “pass-the-hash”. If you can’t crack the hash of a local administrator account you can instead just inject the hash into memory to gain the privileges:

sekurlsa::pth /user:Administrator /domain:{domain name} /ntlm:{ntlm hash here} /run:cmd

and that’ll drop you in a command line with the privileges of the compromised account!

Read More