To extract hashes from the local password dump (the “system” and “security” dump files): # / \ # /*** Benjamin DELPY `gentilkiwi` ( ) Now you should be able to find the executable “mimikatz.exe” file.#.
Once the above dumping is complete, we need to extract the hashes. It’s just a matter of getting as much as we can to work with.Īt this point we have the cached passwords from “lsass.exe” and the file “security”, “sam” and “system” dump files. These two files go together and have nothing to do with the “lsass.exe” memory dump we did earlier. The result of the above two commands is two files we can interrogate for password hashes. This is just additional hashes we can harvest. This isn’t related to lsass.exe memory dump. Now we can dump the local password database. We no longer need the SysInternals (S: Drive) so remove it: It can also hang the target machine so be careful when doing it over an RDP session. This process can (but shouldn’t) take a long time to complete. Dump the “lsass.exe” process memory to file: S:\procdump -accepteula -ma lsass.exe C:\Users\MyUser\lsass.dmp We can map to this as follows: net use S: Our first step is to get SysInternals tools available to us. Get the password databases Dump the lsass.exe memory
