Grabbing Passwords from Memory using Procdump and Mimikatz

When I was working on my Pulling Remote Word Documents from RAM using Kali Linux article, I was curious if you could use the same technique to pull the system passwords, and you can…

With the help of Mimikatz!

I tried grabbing the lsass.exe process with procdump, just like I did in the previous article, but when I ran strings I didn’t see any passwords. Well, silly me, you wouldn’t! But as the Zena Forensics blog explains, just take the lsass.exe procdump and run Mimikatz on it!

(Sorry Gentilkiwi, you would think I would know better!  🙂 )

Okay, so once we have the procdump of the lsass.exe process saved as lsassdump.dmp like so:

(Screenshot: procdump capturing lsass.exe to lsassdump.dmp)

All we need to do is run the resultant .dmp file through Mimikatz:

  • Run Mimikatz
  • Type, “sekurlsa::Minidump lsassdump.dmp”
  • Lastly type, “sekurlsa::logonPasswords”

And that is it! Mimikatz works its magic on the dmp file and within a second or so we see this:

(Screenshot: Mimikatz sekurlsa::logonPasswords output showing cleartext passwords)

Passwords! Wow, this is a really secure Windows 7 system I see…

So if we can get a memory dump of the lsass.exe process (you need to have an administrator level account to do so) we can take our time and pop the passwords out of it at any time (and anywhere) with Mimikatz.
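From the defender's side, the signal for the technique above is a process opening a handle to lsass.exe with memory-read rights, which Sysmon records as Event ID 10 (ProcessAccess) with SourceImage, TargetImage and GrantedAccess fields. The Python script below is an added example, not code from the original post: it scans constructed sample records written in a simplified key=value layout (the layout, the sample paths and the allow-list of expected sources are assumptions to be tuned per environment) and reports every read of lsass.exe memory from a source that is not allow-listed. The cleartext passwords shown in the screenshot are a Windows 7-era result; on current Windows with WDigest cleartext caching disabled, LSA Protection or Credential Guard enabled, the same dump yields far less, but the handle open that the script looks for still happens and is still worth alerting on.

```python
"""Flag memory reads of lsass.exe in Sysmon ProcessAccess (Event ID 10) records.

Added detection example, not part of the original post. The sample records are
constructed here in a simplified key=value form; the field names follow Sysmon's
Event ID 10 schema (SourceImage, TargetImage, GrantedAccess), but the line layout,
the paths and the allow-list are assumptions for illustration.
"""
import re

# Windows process access rights a minidump of another process needs.
PROCESS_VM_READ = 0x0010            # read another process's memory
PROCESS_QUERY_INFORMATION = 0x0400  # used together with VM_READ by MiniDumpWriteDump

# Hypothetical allow-list: source images expected to open lsass.exe on this host.
# Compared case-insensitively; an empty set reports every lsass memory read.
ALLOWED_SOURCES = {
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\csrss.exe",
}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r"EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000",
    r"EventID=10 SourceImage=C:\Tools\procdump64.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Windows\System32\wininit.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"EventID=10 SourceImage=C:\Users\bob\Desktop\dumper.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"EventID=10 SourceImage=C:\Users\bob\Desktop\dumper.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1FFFFF",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse one key=value log line into a dict (empty dict for a blank line)."""
    return dict(FIELD_RE.findall(line))


def is_lsass_memory_read(event):
    """True for a ProcessAccess event on lsass.exe whose mask includes PROCESS_VM_READ."""
    if event.get("EventID") != "10":
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    granted = int(event.get("GrantedAccess", "0"), 16)
    return bool(granted & PROCESS_VM_READ)


def find_suspicious_lsass_access(lines, allowed=ALLOWED_SOURCES):
    """Return (SourceImage, GrantedAccess) for each lsass memory read by a non-allow-listed source."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if not is_lsass_memory_read(event):
            continue
        if event.get("SourceImage", "").lower() in allowed:
            continue
        hits.append((event["SourceImage"], event["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for source, access in find_suspicious_lsass_access(SAMPLE_EVENTS):
        print(f"ALERT: {source} opened lsass.exe with GrantedAccess={access}")
```

Matching on the PROCESS_VM_READ bit rather than on a list of exact masks (0x1010, 0x1FFFFF and so on) catches any dumper regardless of which extra rights it requests, while the csrss.exe record with 0x1000 shows a handle without read rights being correctly ignored. The allow-list handles the legitimate readers; in a real deployment it should be built from observed baseline telemetry rather than guessed.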

For more information, check out my latest book, “Basic Security Testing with Kali Linux, 3rd Edition” which has a complete chapter on using Mimikatz!
