Still, the attacker needs administrative privileges on the target windows machine to access the memory and registry keys. And the need for “mimikatz” can be skipped by copying the dumps to an external computer that the attack controls. The attacker might try to use the “net use” to get SysInternals to bypass the policy of no SysInternals being installed on a machine. Good end-point security will prevent access to the “lsass.exe” memory and the execution of “mimikatz”. Prevent SysInternals from being installed on the machine as a matter of policy.
This attack aims to retrieve the various password caches on a Windows machine. You can take the hashes and run them through John (JTR) or submit them to “”. The most interesting output in the above sample is “Password :”. Switch to MINIDUMP : 'C:\Users\MyUser\lsass.dmp' Mimikatz # sekurlsa::minidump C:\Users\MyUser\lsass.dmp Sekurlsa::minidump C:\Users\MyUser\lsass.dmp To extract passwords from the “lsass.exe” memory dump – while still in mimikatz: We can see a few clear text passwords in the above output. Secret : _SOMETHING/ service 'SOMETHING' with username. The output will include something like this:
Lsadump::secrets /system:c:\system.dump /security:c:\security.dump /sam:c:\sam.dump To extract hashes from the local password dump (the “system” and “security” dump files): # / \ # /*** Benjamin DELPY `gentilkiwi` ( ) Now you should be able to find the executable “mimikatz.exe” file.#. Once the above dumping is complete, we need to extract the hashes. It’s just a matter of getting as much as we can to work with.Īt this point we have the cached passwords from “lsass.exe” and the file “security”, “sam” and “system” dump files. These two files go together and have nothing to do with the “lsass.exe” memory dump we did earlier. The result of the above two commands is two files we can interrogate for password hashes. This is just additional hashes we can harvest. This isn’t related to lsass.exe memory dump. Now we can dump the local password database. We no longer need the SysInternals (S: Drive) so remove it: It can also hang the target machine so be careful when doing it over an RDP session. This process can (but shouldn’t) take a long time to complete.
Dump the “lsass.exe” process memory to file: S:\procdump -accepteula -ma lsass.exe C:\Users\MyUser\lsass.dmp We can map to this as follows: net use S:
Our first step is to get SysInternals tools available to us. Get the password databases Dump the lsass.exe memory
0 kommentar(er)
