# Mimikatz

Mimikatz is a tool used to view and steal credentials. It can also generate Kerberos tickets and be leveraged in attacks.

It dumps credentials stored in memory.

I started Mimikatz on the DC. However, we can do this from any computer.

<div align="left"><figure><img src="https://1900160215-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M8BnwqwOpw0p82p0cMp%2Fuploads%2FGLepzXSpmhSco09COTtH%2Fimage.png?alt=media&#x26;token=980b04df-845e-46ed-bf49-ea35e8274d43" alt=""><figcaption></figcaption></figure></div>

I then used a command to find the users who are logged on to the DC, along with their hashes. These are stored in memory until the machine is rebooted: `sekurlsa::logonpasswords`

There is a section in the output called “wdigest”. In Windows 7 and before, this option was turned on by default, and it showed the password in cleartext. We can use the NTLM password hashes from the output to perform a pass-the-hash attack.
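A defender-side check for the WDigest behaviour described above, as an added example that is not part of the original notes. It reads the standard Windows `UseLogonCredential` and `RunAsPPL` registry values (neither is named on this page) and falls back to the OS default when the WDigest value is absent; the function names are hypothetical.

```powershell
# Added example, not from the original page. Read-only audit of the two
# registry settings that decide what a dump of LSASS memory can expose.
# Function names are hypothetical; run from an elevated PowerShell prompt.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null   # key or value absent
}

function Get-LsassCredentialExposure {
    $wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $lsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    $useLogonCredential = Get-RegistryValueOrNull -Path $wdigestKey -Name 'UseLogonCredential'
    $runAsPpl           = Get-RegistryValueOrNull -Path $lsaKey -Name 'RunAsPPL'
    $osVersion          = [System.Environment]::OSVersion.Version

    if ($null -ne $useLogonCredential) {
        # An explicit value overrides the OS default: 1 = cache cleartext, 0 = do not.
        $cleartext = ($useLogonCredential -eq 1)
        $source    = "UseLogonCredential = $useLogonCredential"
    }
    else {
        # Value absent: the OS default applies. WDigest caching is off by
        # default from Windows 8.1 / Server 2012 R2 (version 6.3) onward.
        $cleartext = ($osVersion -lt [Version]'6.3')
        $source    = "value absent, OS default for version $osVersion"
    }

    [PSCustomObject]@{
        Computer               = $env:COMPUTERNAME
        WDigestCleartextCached = $cleartext
        WDigestDecidedBy       = $source
        # RunAsPPL 1 or 2 makes LSASS a protected process, which blocks
        # ordinary processes from reading its memory.
        LsaProtectionEnabled   = ($runAsPpl -in 1, 2)
    }
}

Get-LsassCredentialExposure | Format-List
```

The registry shows the configured state only; a change to `RunAsPPL` takes effect after a reboot.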

We can also dump the credentials using: `lsadump::lsa /patch`

<div align="left"><figure><img src="https://1900160215-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M8BnwqwOpw0p82p0cMp%2Fuploads%2F7oHVzjPsVVI3lZuIsSF3%2Fimage.png?alt=media&#x26;token=8acf7caf-48b5-47cd-8985-402db673b81d" alt=""><figcaption></figcaption></figure></div>
