
Demonstration of Credential Dumping Attack Using Mimikatz on Windows
The video demonstrates a credential dumping attack on a Windows machine, using the tool Mimikatz to extract password hashes from the Security Account Manager (SAM) database. The attacker, working in a virtual environment with Microsoft Defender disabled, targets local user accounts, including a financial analyst named 'david' and a custom 'jared admin' account, to obtain their NTLM hashes. Mimikatz is run as administrator to dump the hashes from the SAM and SYSTEM registry hives (the key files extracted are sam_backup.hiv and system_backup.hiv, obtained with the command-line tool reg save), and the resulting hashes are exported to a text file. The hashes are then cracked with the online tool CrackStation, which reveals that both accounts use the same password. The attack highlights the potential for lateral movement: an attacker could reuse the compromised credentials to reach higher-value systems such as servers. In real-world scenarios Mimikatz would have to be obfuscated to evade antivirus detection; the demonstration simplifies this by disabling the security measures outright.
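From a detection standpoint, the sequence described above leaves a distinctive trail in process-creation telemetry: reg.exe saving the SAM and SYSTEM hives, and a process (Mimikatz, possibly renamed) invoking `lsadump::` syntax against the saved .hiv files. The following is an added example, not code from the video or from the Mimikatz project, that parses constructed Sysmon-style Event ID 1 records and applies three rules plus one correlation (a user who exported both SAM and SYSTEM). The log lines, the key=value layout, the `LAB\` domain and the `C:\tools\m.exe` path are all invented for the example; only the hive file names follow the page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed Sysmon-style process-creation events (Event ID 1), one per line,
# in a simple key=value layout. Invented for this example; not captured from the
# video or any real host. The .hiv file names follow the page's description.
SAMPLE_LOG = r"""
EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c dir C:\Users" User=LAB\david
EventID=1 Image=C:\Windows\System32\reg.exe CommandLine="reg save hklm\sam C:\temp\sam_backup.hiv" User=LAB\jared
EventID=1 Image=C:\Windows\System32\reg.exe CommandLine="reg save hklm\system C:\temp\system_backup.hiv" User=LAB\jared
EventID=1 Image=C:\Windows\System32\reg.exe CommandLine="reg query hklm\software\microsoft\windows\currentversion\run" User=LAB\david
EventID=1 Image=C:\tools\m.exe CommandLine="m.exe privilege::debug lsadump::sam /sam:sam_backup.hiv /system:system_backup.hiv exit" User=LAB\jared
EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\temp\hashes.txt" User=LAB\jared
"""

# key=value pairs; a value is either "double quoted" or a run of non-space characters.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# reg.exe exporting one of the hives that hold local credential material (ATT&CK T1003.002).
HIVE_SAVE = re.compile(
    r'\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(sam|system|security)\b', re.I)
# Mimikatz module syntax on the command line survives renaming of the binary.
MIMIKATZ_MODULE = re.compile(r'\b(?:sekurlsa|lsadump)::\w+|\bprivilege::debug\b', re.I)
# A saved hive file referenced by something other than reg.exe itself.
HIVE_FILE = re.compile(r'\b\w*(?:sam|system|security)\w*\.hiv\b', re.I)


def parse_log(text):
    """Turn the key=value lines into a list of dicts (one per event)."""
    records = []
    for line in text.strip().splitlines():
        rec = {}
        for key, quoted, bare in _KV.findall(line):
            rec[key] = quoted if quoted else bare
        if rec:
            records.append(rec)
    return records


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    image: str
    command_line: str


def detect(records):
    """Apply the three per-event rules; an event may raise more than one alert."""
    alerts = []
    for rec in records:
        if rec.get("EventID") != "1":          # only process-creation events
            continue
        cmd = rec.get("CommandLine", "")
        image = rec.get("Image", "")
        exe = image.rsplit("\\", 1)[-1].lower()
        user = rec.get("User", "")
        if HIVE_SAVE.search(cmd):
            alerts.append(Alert("reg save of credential hive (T1003.002)", user, image, cmd))
        if MIMIKATZ_MODULE.search(cmd):
            alerts.append(Alert("Mimikatz module syntax on command line", user, image, cmd))
        if exe != "reg.exe" and HIVE_FILE.search(cmd):
            alerts.append(Alert("saved hive file referenced by non-reg.exe process", user, image, cmd))
    return alerts


def users_exporting_both_hives(records):
    """Users who exported both SAM and SYSTEM. A lone SAM save can be backup
    tooling, but SAM hashes cannot be decrypted without the boot key in SYSTEM,
    so the pair is the stronger signal."""
    hives = defaultdict(set)
    for rec in records:
        m = HIVE_SAVE.search(rec.get("CommandLine", ""))
        if m:
            hives[rec.get("User", "")].add(m.group(1).lower())
    return {user for user, seen in hives.items() if {"sam", "system"} <= seen}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for a in detect(recs):
        print(f"[{a.rule}] user={a.user} image={a.image}\n    {a.command_line}")
    print("users who exported SAM and SYSTEM:", users_exporting_both_hives(recs))
```

Against the sample, the benign `dir`, `reg query` and notepad events raise nothing, the two `reg save` lines and the renamed Mimikatz invocation raise four alerts in total, and the correlation singles out the one user who exported both hives. On a real estate the same logic maps directly onto Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled; the correlation step is what keeps routine single-hive backups from paging anyone.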