A tool exists for dumping plaintext passwords out of memory on Windows. It requires Local Administrator privileges, but it’s a great tool for privilege escalation from Local Admin to Domain Admin. There are Windows EXEs available, but it’s also been rolled into Meterpreter! It can also inject a hash into memory to effectively perform a local pass-the-hash attack! If you want to run it on a remote machine, remember to check out this post on running remote commands on Windows machines.
Running from Meterpreter
The benefit of running from Meterpreter is not only that you’re in a familiar environment, but also that if you’ve got a Meterpreter shell up you don’t need to mess around getting remote commands working. So you’re sitting at a shell prompt and you want to run a Mimikatz command; it’s as simple as:
meterpreter > use mimikatz
meterpreter > mimikatz_command -f {Command here}
So what commands are available? The following all work regardless of whether they are run directly in mimikatz.exe or through a Meterpreter shell with the Mimikatz extension loaded.
Dumping Passwords
Pulling available passwords is a simple task:
privilege::debug
sekurlsa::logonpasswords
You’ll get a lot of output, especially on a busy machine, but scroll down and with a little luck you’ll get some plaintext passwords!
Passing the Hash
It’s well known that Mimikatz can be used for dumping passwords but a less well known feature is the ability to “pass-the-hash”. If you can’t crack the hash of a local administrator account you can instead just inject the hash into memory to gain the privileges:
sekurlsa::pth /user:Administrator /domain:{domain name} /ntlm:{ntlm hash here} /run:cmd
and that’ll drop you in a command line with the privileges of the compromised account!