Recovering Plain Text Passwords with Metasploit and Mimikatz

I haven’t been posting as much recently as I have been hard at work writing a new book on basic security testing with Kali Linux and other open source security tools. The bad thing is it is taking up about all of my free time now. The good thing is that I am going over a lot of exceptional material that I don’t think I have posted here before.

So today I decided to post a sneak peak at what type of material will be in the book.

Mimikatz, created by our friend Gentil Kiwi, is a great password recovery tool. It is able to recovery passwords from several Windows processes in PLAIN TEXT.

Not to long ago a Mimikatz module was added to Metasploit, so recovering clear text passwords once you have a remote meterpreter shell is easier than ever.

So let’s check it out!

Clear Text Passwords with Mimikatz

We will start out with a post exploit scenario. Using Metasploit we already ran a successful exploit and now have an active remote meterpreter session.

Luckily our target user was using an administrator account and we used the Bypass UAC module to bump our access up to System level. (Explained in the book)

Now we just need to load in the mimikatz module. There is a 32 and 64 bit module, choose accordingly. For this demo we will be using the 32 bit.

Mimikatz 1

  1. At the Meterpreter prompt, type “load mimikatz”.
  2. We will now have a mimikatz prompt. Type “help” for a list of available commands:

Mimikatz 2

The help is pretty self-explanatory; basically type the corresponding command to the creds that you want to recover. So for Kerberos just type “kerberos” at the Meterpreter prompt. Or type “msv” to recover the hashes.

Using these commands you can recover user passwords from multiple system sources – Windows Login passwords, MS Live passwords, terminal server passwords, etc.

You can also use the “mimikatz_command” command to perform even more functions like retrieving stored certificates.

But for today we are just interested in passwords.

Recovering Hashes and Plain Text Passwords

  1. Type “msv”.

Mimikatz 3

And there you go – a list of the password hashes. Well, we could grab the hash and try to crack it, or run it through an online rainbow table, but what if we don’t have that kind of time?

It would be nice just to get the password in plain text.

Well… You can.

  1. Type “Kerberos”.

Mimikatz 4

If you look at our user Ralf, you will see his password in plain text!

And that is it, after we get a remote session with Metasploit and using Mimikatz, recovering clear text passwords is just a few commands away.

(As always do not try these techniques on networks that you do not own or do not have permission to do so. Doing so could get you into serious trouble and you could end up in jail.)



One thought on “Recovering Plain Text Passwords with Metasploit and Mimikatz”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: