Dumping Clear Text Credentials With Mimikatz

25 Mar

If we have managed to get system privileges on a machine that we have compromised, the next step most penetration testers perform is to obtain the administrator hash in order to crack it offline. However, cracking a hash can be a time-consuming process. This can be avoided with the use of Mimikatz. Mimikatz is a tool that can dump clear text passwords from memory.

So, assuming that we already have a meterpreter session running, we can upload the executable to the remote target along with sekurlsa.dll; otherwise the tool will not work properly. This is because sekurlsa can read data from the LSASS process.

Uploading Mimikatz on the remote system


The next step is to get a shell and go to the path where we have uploaded Mimikatz.

Locating the Mimikatz


Mimikatz on C: Directory


Now we can execute Mimikatz from the shell. The privilege::debug command will check to see if Mimikatz is running with system privileges. As we can see from the next command, everything is OK.

Executing Mimikatz


In order to obtain the credentials we need to execute the following command:

sekurlsa::logonPasswords full

Obtaining the credentials


If we check the output carefully, we will see the password of the system in clear text format along with the username and domain.

Obtaining the credentials 2



Mimikatz is a great tool for obtaining clear text passwords in cases where we have escalated our privileges on the system. On modern Windows systems where UAC is in place, we will need to bypass it with the Metasploit post-exploitation module bypassuac (post/windows/escalate/bypassuac) in order to execute Mimikatz.


Posted by on March 25, 2013 in Post Exploitation


5 responses to “Dumping Clear Text Credentials With Mimikatz”

  1. gentilkiwi

    March 25, 2013 at 12:47 pm

    In your case, you can avoid sekurlsa.dll 😉

  2. Sergio Bascunan

    March 25, 2013 at 7:52 pm

    Wow, that's a very nice tutorial, step by step you just can't go wrong with this tut.. thanks for sharing.

  3. _dark_knight_

    March 25, 2013 at 10:54 pm

    Just a note, but AV is going to flag those files you uploaded. Maybe better to try and avoid touching disk:
    execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"sekurlsa::logonPasswords full" exit'

    See :

  4. Super Man

    March 29, 2013 at 2:47 pm

    Very nice tutorial.

