
Tutorial: Extracting Passwords


By: Parichay Rai

February 22, 2017

I want to share one way of extracting passwords from a machine even when an antivirus agent is installed on it.

A pentester's goal in an internal engagement is usually to compromise the domain and become a domain admin. In my experience, compromising a single domain-joined host is often easy: a vulnerability scanner such as Nessus or the Nmap NSE scripts identifies an exploitable weakness, and the host is then exploited through it. Once a host in the domain is compromised we should extract all the information possible from it, and one of the most valuable things is the set of credentials held in memory. When we talk about dumping passwords, the first thing that comes to a pentester's mind is Mimikatz, a great tool developed by Benjamin Delpy. Unfortunately, the Mimikatz binary is detected by almost every antivirus and is deleted the moment it is transferred to the compromised machine.

What comes to our rescue is another tool, ProcDump. It is a signed Sysinternals utility from Microsoft, so antivirus products generally do not flag the binary itself. (The signature avoids file-based detection only: EDR products commonly alert on any process that opens a handle to lsass.exe and writes a dump, so expect behavioural detection even when the file is not quarantined.) ProcDump is a command-line utility that monitors applications for CPU spikes and can also serve as a general process dump utility that you can embed in other scripts. You can download it from the Sysinternals website and transfer it to the compromised host with ease. Using ProcDump you can dump the LSASS process, which holds the logon credentials, with the following command. Run it from an elevated prompt, since opening lsass.exe requires administrator rights (SeDebugPrivilege):

C:\Users\parichay\Downloads\Procdump>procdump.exe -accepteula -ma -64 lsass.exe pass.dmp

Here -ma writes a full memory dump (required: the default mini dump does not contain the credential material), -accepteula suppresses the licence dialog on first use, and -64 forces a 64-bit dump. The -64 switch is redundant for lsass.exe, which is a native 64-bit process on 64-bit Windows, but it does no harm; on 32-bit Windows leave it out.

This dump can be used to extract clear-text passwords using our beloved Mimikatz. Copy pass.dmp to your own machine and load it there; the commands to extract the credentials from the dump are:

mimikatz # sekurlsa::minidump pass.dmp

mimikatz # sekurlsa::logonPasswords full

One thing you should know before using Mimikatz on the extracted dump is Windows version compatibility. The sekurlsa module parses LSASS data structures whose layout depends on the Windows version, so make sure the machine on which you run Mimikatz against the dump runs the same Windows version, and the same architecture (32-bit or 64-bit), as the machine the dump came from. The Wikipedia list of Windows NT versions is a handy reference for matching them.