If we have managed to get system privileges on a machine that we have compromised, the next step that most penetration testers perform is to obtain the administrator hash in order to crack it offline. However, cracking a hash can be a time-consuming process. This can be avoided with the use of Mimikatz, a tool that can dump clear text passwords from memory.
So, assuming that we already have a meterpreter session running, we can upload the executable to the remote target along with sekurlsa.dll; otherwise the tool will not work properly. This is because sekurlsa is the component that reads data from the LSASS process.

The next step is to get a shell and go to the path where we have uploaded Mimikatz.


Now we can execute Mimikatz from the shell. The privilege::debug command checks whether Mimikatz is running with system privileges. As we can see from the output of the next command, everything is OK.

In order to obtain the credentials we need to execute the following command:
sekurlsa::logonPasswords full

If we look carefully at the output we will see the password of the system in clear text, along with the username and domain.
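From the defender's side, the behaviour described above (a process opening LSASS with rights sufficient to read its memory) is exactly what Sysmon Event ID 10 (ProcessAccess) records. The following is an added example, not code from the original post or from Mimikatz: a small Python scanner that parses constructed Sysmon-style records and flags non-allowlisted processes that open lsass.exe with PROCESS_VM_READ, and additionally marks a call trace through unbacked memory ("UNKNOWN"), which is what the in-memory variant mentioned in the comments tends to leave behind. The field names are the real Sysmon ones; the one-line key=value layout, the image paths, PIDs and call traces are constructed sample data, and the allowlist is an assumption to be tuned per environment.

```python
"""Flag suspicious access to the LSASS process in Sysmon Event ID 10
(ProcessAccess) records.

Added defensive example, not code from the original post.  The field
names (SourceImage, TargetImage, GrantedAccess, CallTrace) are the real
Sysmon event fields; the single-line key=value layout, the image paths
and the call traces in SAMPLE_LOG are constructed sample data.
"""
import re

# Process access rights from winnt.h.  Reading LSASS memory, which is
# what the sekurlsa module needs, requires PROCESS_VM_READ; most benign
# callers ask only for the query rights.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Assumed allowlist of images that legitimately open lsass.exe on a
# typical host.  This is illustrative, not authoritative: tune it to
# the environment (EDR agents, backup software, etc.).
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Key=Value fields; values may contain spaces, so a value runs until the
# next "Key=" token or the end of the line.
FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Parse one constructed 'Key=Value Key=Value ...' record into a dict."""
    return {key.lower(): value.strip() for key, value in FIELD.findall(line)}


def classify(event):
    """Return a reason string if the record is a suspicious LSASS open, else None."""
    if event.get("eventid") != "10":
        return None
    if not event.get("targetimage", "").lower().endswith(r"\lsass.exe"):
        return None
    if event.get("sourceimage", "").lower() in ALLOWLIST:
        return None
    granted = int(event.get("grantedaccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        # Query-only handles (PROCESS_QUERY_LIMITED_INFORMATION alone, or
        # 0x1400 = both query rights) are noisy and usually benign.
        return None
    reasons = ["lsass-read"]
    # A call trace through unbacked memory ("UNKNOWN(...)") is typical of
    # code executed in memory rather than from an image on disk.
    if "UNKNOWN(" in event.get("calltrace", ""):
        reasons.append("unbacked-calltrace")
    return ";".join(reasons)


def scan(lines):
    """Return [(source_image, reason)] for every suspicious record in lines."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        reason = classify(event)
        if reason:
            alerts.append((event["sourceimage"], reason))
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    # Allowlisted AV engine: full access, but expected.
    r"EventID=10 SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1FFFFF CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d0c4",
    # Query-only handle: no memory read, ignored.
    r"EventID=10 SourceImage=C:\Windows\system32\svchost.exe TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d0c4",
    # On-disk tool reading LSASS memory.
    r"EventID=10 SourceImage=C:\Users\Public\mimikatz.exe TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1010 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d0c4|C:\Windows\system32\KERNELBASE.dll+2c9d7|C:\Users\Public\mimikatz.exe+1a2b3",
    # In-memory variant: same access, call trace through unbacked memory.
    r"EventID=10 SourceImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1010 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d0c4|UNKNOWN(000001B2C3D4E5F6)",
    # Unrelated event type, ignored.
    r"EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c whoami",
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE_LOG):
        print(f"ALERT {reason}: {image}")
```

Run as-is it reports two alerts: the on-disk tool and the in-memory variant. The design choice worth noting is that the rule keys on the access mask rather than on the tool's file name, so renaming the binary or loading it through another process does not evade it; the cost is the allowlist, which has to be maintained for legitimate LSASS readers.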

Conclusion
Mimikatz is a great tool for obtaining clear text passwords in cases where we have escalated our privileges on the system. On modern Windows systems where UAC is in place, we will need to bypass it with the metasploit post exploitation module bypassuac (post/windows/escalate/bypassuac) in order to execute Mimikatz.
In your case, you can avoid sekurlsa.dll 😉
Wow, that's a very nice tutorial; step by step, you just can't go wrong with this tut. Thanks for sharing.
Just a note, but AV is going to flag those files you uploaded. Maybe better to try and avoid touching disk:
execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"sekurlsa::logonPasswords full" exit'
See: http://www.room362.com/blog/2012/9/6/completely-in-memory-mimikatz-with-metasploit.html
Very nice tutorial.
Hey there, I have tried this on a domain remote server, with clear text enabled from the registry. Sadly this does not show any other users' passwords; it only shows the user I am logged on as. So this is a worthless command if you ask me, because I know the password to get into that machine, so what is the point of revealing a password which I already know?