Grabbing Passwords from Memory using Procdump and Mimikatz
When I was working on my Pulling Remote Word Documents from RAM using Kali Linux article, I was curious if you could use the same technique to pull the system passwords, and you can…
With the help of Mimikatz!
I tried grabbing the lsass.exe process with procdump, just like I did in the previous article, but when I ran strings I didn’t see any passwords. Well, silly me, you wouldn’t! But as the Zena Forensics blog explains, just take the lsass.exe procdump and run Mimikatz on it!
(Sorry Gentilkiwi, you would think I would know better! 🙂 )
Okay, so once we have the procdump of the lsass.exe process saved as lsassdump.dmp like so:
All we need to do is run the resultant .dmp file through Mimikatz:
- Run Mimikatz
- Type, “sekurlsa::Minidump lsassdump.dmp“
- Lastly type, “sekurlsa::logonPasswords“
And that is it! Mimikatz works it’s magic on the dmp file and within a second or so we see this:
Passwords! Wow, this is a really secure Windows 7 system I see…
So if we can get a memory dump of the lsass.exe process (you need to have an administrator level account to do so) we can take our time and pop the passwords out of it at any time (and anywhere) with Mimikatz.