If we have managed to get system privileges on a machine that we have compromised, then the next step that most penetration testers perform is to obtain the administrator hash in order to crack it offline. However, cracking a hash can be a time-consuming process. This can be avoided with the use of Mimikatz, a tool that can dump clear-text passwords from memory.

So, assuming that we already have a meterpreter session running, we can upload the executable to the remote target along with sekurlsa.dll; otherwise the tool will not work properly. This is because sekurlsa is the component that reads data from the LSASS process.

Uploading Mimikatz on the remote system

The next step is to get a shell and go to the path where we have uploaded Mimikatz.

Locating the Mimikatz

Mimikatz on C: Directory

Now we can execute Mimikatz from the shell. The privilege::debug command will check whether Mimikatz is running with system privileges. As we can see from the output of the next command, everything is OK.

Executing Mimikatz

In order to obtain the credentials we need to execute the following command:

sekurlsa::logonPasswords full

Obtaining the credentials

If we check the output carefully, we will see the password of the system in clear text along with the username and domain.
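Because sekurlsa works by reading LSASS memory, the detection side of this technique is a handle to lsass.exe opened with read access by a process that has no business doing so. The following is an added example (not part of this post or of the Mimikatz project) that applies that check to constructed Sysmon Event ID 10 records; the baseline of expected LSASS readers is an assumption to be tuned per environment.

```python
# Sysmon Event ID 10 (ProcessAccess) records one process opening a handle to
# another. Reading credentials out of LSASS needs PROCESS_VM_READ on that handle.
PROCESS_VM_READ = 0x0010
LSASS = "lsass.exe"

# Assumed baseline of processes that legitimately read LSASS; tune per host.
EXPECTED_LSASS_READERS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

def parse_event(text):
    """Parse the 'Field: value' lines of a Sysmon event into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def suspicious_lsass_access(event):
    """True if a process outside the baseline opened LSASS with VM_READ."""
    target = event.get("TargetImage", "").lower()
    source = event.get("SourceImage", "").lower()
    if not target.endswith("\\" + LSASS):
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        return False  # query-only handle: process memory cannot be read
    return source not in EXPECTED_LSASS_READERS

def scan(events):
    """Return (SourceImage, GrantedAccess) for every flagged event."""
    hits = []
    for raw in events:
        ev = parse_event(raw)
        if suspicious_lsass_access(ev):
            hits.append((ev["SourceImage"], ev["GrantedAccess"]))
    return hits

# Constructed sample events, not real logs. The third mirrors the scenario in
# the post: an executable in C:\ opening LSASS with read access.
SAMPLE_EVENTS = [
    "SourceImage: C:\\Windows\\System32\\svchost.exe\nTargetImage: C:\\Windows\\System32\\lsass.exe\nGrantedAccess: 0x1000",
    "SourceImage: C:\\Program Files\\Windows Defender\\MsMpEng.exe\nTargetImage: C:\\Windows\\System32\\lsass.exe\nGrantedAccess: 0x1FFFFF",
    "SourceImage: C:\\mimikatz.exe\nTargetImage: C:\\Windows\\System32\\lsass.exe\nGrantedAccess: 0x1010",
    "SourceImage: C:\\Windows\\explorer.exe\nTargetImage: C:\\Windows\\System32\\notepad.exe\nGrantedAccess: 0x1FFFFF",
]
```

Running scan(SAMPLE_EVENTS) flags only the third record: the svchost handle carries no VM_READ and the Defender handle comes from a baselined process.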

Obtaining the credentials

Conclusion

Mimikatz is a great tool for obtaining clear text passwords in cases where we have escalated our privileges on the system. In modern Windows systems where UAC is in place, we will need to bypass it with the Metasploit post-exploitation module bypassuac (post/windows/escalate/bypassuac) in order to execute Mimikatz.