http://hi.baidu.com/hackercasper/blog/item/b080dbd05eb6a5cc562c8461.html

Yesterday a friend sent me a tool written by a French developer, called mimikatz. Let's take a look.

Tool:
http://blog.gentilkiwi.com/mimikatz

There is also an article that uses this tool to obtain the plaintext passwords of active (logged-on) Windows accounts directly from lsass.exe:
http://pentestmonkey.net/blog/mimikatz-tool-to-recover-cleartext-passwords-from-lsass
I tested it on Windows 2008 R2 x64. The wdigest entry is my plaintext password.

I also tested with a password longer than 14 characters, containing uppercase and lowercase letters and special characters; the plaintext password was still captured.
wce.exe or lslsass.exe usually capture at most the LM hash and NTLM hash of active accounts from memory. But since the plaintext password can be captured, we can infer that besides the LM hash and NTLM hash, lsass must also hold the plaintext password protected by some encryption algorithm (note: an encryption algorithm is not a hash algorithm; a hash is irreversible, whereas encryption is reversible and can be decrypted back to the plaintext).

Therefore sekurlsa.dll should contain the corresponding decryption algorithm. If you have a good background in reverse engineering, you could try to analyse it.
Beyond that, in my opinion this tool behaves more like a lightweight debugger: it can elevate process privileges, inject into a process and read the process's memory. The following is an example of reading the memory of the Minesweeper game.

We can also use the pause command to suspend the process; at that point the game timer stands still.

In short, this tool is quite impressive and has more capabilities to be tapped into by hackers =...= ~