When I was working on my Pulling Remote Word Documents from RAM using Kali Linux article, I was curious if you could use the same technique to pull the system passwords, and you can…
With the help of Mimikatz!
I tried grabbing the lsass.exe process with procdump, just like I did in the previous article, but when I ran strings I didn’t see any passwords. Well, silly me, you wouldn’t! But as the Zena Forensics blog explains, just take the lsass.exe procdump and run Mimikatz on it!
(Sorry Gentilkiwi, you would think I would know better! 🙂 )
Okay, so once we have the procdump of the lsass.exe process saved as lsassdump.dmp like so:
All we need to do is run the resultant .dmp file through Mimikatz:
- Run Mimikatz
- Type, “sekurlsa::Minidump lsassdump.dmp”
- Lastly type, “sekurlsa::logonPasswords”
And that is it! Mimikatz works its magic on the dmp…
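From the defender's side, the step this whole technique hinges on, a user-mode process opening lsass.exe with a handle that can read its memory, is exactly what Sysmon's ProcessAccess event (Event ID 10) records. The script below is an added example, not code from the original post nor from procdump or Mimikatz: it triages a handful of constructed records shaped like Sysmon Event ID 10 (field names SourceImage, TargetImage, GrantedAccess are Sysmon's; the values are made up) and flags any non-allow-listed image that obtains a PROCESS_VM_READ handle to lsass.exe. The allow-list of source images is a hypothetical placeholder to tune per environment.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for reads of lsass.exe memory.

Added example, not code from the original post. Field names follow Sysmon's
ProcessAccess event (SourceImage, TargetImage, GrantedAccess); the records
themselves are constructed for this demonstration.
"""
import ntpath

# Win32 process access rights relevant to a memory dump: a dumper must hold
# PROCESS_VM_READ to copy another process's memory into a .dmp file.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_ALL_ACCESS_MASK = 0x1FFFFF  # the "full access" mask dump tools often request

# Hypothetical allow-list (assumption, not a vendor recommendation): images that
# legitimately open lsass on this estate. Match on full lower-case path, never
# on basename alone, since a basename is trivially spoofed.
ALLOWED_SOURCE_IMAGES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed sample records in the shape of Sysmon Event ID 10.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\csrss.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\notepad.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\procdump64.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\wininit.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "Image": r"C:\Windows\system32\cmd.exe"},  # unrelated event type
]


def parse_access(granted):
    """GrantedAccess is logged as a hex string such as '0x1FFFFF'."""
    return int(str(granted), 16)


def classify(event):
    """Return a reason string if the record is a suspicious lsass memory read, else None."""
    if event.get("EventID") != 10:
        return None
    target = ntpath.basename(event.get("TargetImage", "")).lower()
    if target != "lsass.exe":
        return None
    access = parse_access(event.get("GrantedAccess", "0x0"))
    if not access & PROCESS_VM_READ:
        return None  # handle cannot read memory, so it cannot be a dump
    source = event.get("SourceImage", "").lower()
    if source in ALLOWED_SOURCE_IMAGES:
        return None
    if access == PROCESS_ALL_ACCESS_MASK:
        return "full-access handle to lsass.exe from non-allow-listed image"
    return "memory-read handle to lsass.exe from non-allow-listed image"


def triage(events):
    """Return one alert dict per suspicious record, preserving event order."""
    alerts = []
    for ev in events:
        reason = classify(ev)
        if reason:
            alerts.append({"SourceImage": ev["SourceImage"],
                           "GrantedAccess": ev["GrantedAccess"],
                           "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Only the procdump record is flagged: csrss.exe holds a handle without PROCESS_VM_READ, svchost.exe targets a different process, and wininit.exe is on the allow-list even though it requested full access. Pairing this with an alert on Sysmon Event ID 11 for newly written .dmp files catches the second half of the procedure described above.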