If we have managed to get system privileges from a machine that we have compromise then the next step that most penetration testers perform is to obtain the administrator hash in order to crack it offline.However cracking a hash can be a time-consuming process.This can be avoided with the use of Mimikatz.Mimikatz is a tool that can dump clear text passwords from memory.

So assuming that we have already a meterpreter session running we can upload the executable on the remote target along with the sekurlsa.dll otherwise the tool will not work properly.This is because the sekurlsa can read data from the LSASS process.

 

Next step is to get a shell and to go the path where we have upload Mimikatz.

 

 

Now we can execute the Mimikatz from the shell.The privilege::debug command will check to see if Mimikatz is running with system privileges.As we can from the next command everything is OK.

 

In order to obtain the credentials we need to execute the following command

sekurlsa::logonPasswords full

 

If we check carefully the output we will see the password of the system in clear text format along with the username and domain.

 

Conclusion

Mimikatz is a great tool for obtaining clear text passwords in cases that we have escalate our privileges on the system.In modern Windows systems where UAC is in place we will need to bypass it with the use of the metasploit post exploitation module bypassuac (post/windows/escalate/bypassuac) in order to execute Mimikatz.