Grabbing Passwords from Memory using Procdump and Mimikatz

CYBER ARMS - Computer Security

When I was working on my Pulling Remote Word Documents from RAM using Kali Linux article, I was curious if you could use the same technique to pull the system passwords, and you can…

With the help of Mimikatz!

I tried grabbing the lsass.exe process with procdump, just like I did in the previous article, but when I ran strings I didn’t see any passwords. Well, silly me, you wouldn’t! But as the Zena Forensics blog explains, just take the lsass.exe procdump and run Mimikatz on it!

(Sorry Gentilkiwi, you would think I would know better!  🙂 )

Okay, so once we have the procdump of the lsass.exe process saved as lsassdump.dmp like so:

[Image: procdump of lsass.exe]

All we need to do is run the resultant .dmp file through Mimikatz:

  • Run Mimikatz
  • Type “sekurlsa::minidump lsassdump.dmp”
  • Lastly, type “sekurlsa::logonpasswords”

And that is it! Mimikatz works its magic on the .dmp…
