In this post I would like to talk about a technique that I read this summer and had not been able to practice until recently in a penetration test.
The technique involves obtaining passwords in clear text from a server without running “malicious” code in it. In this way we avoid having to deal with antivirus evasion techniques and other headaches.
- Mimikatz: http://blog.gentilkiwi.com/securite/mimikatz/minidump
- Procdump: http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
To know what Mimikatz does I recommend @mmorenog’s post that describes its purpose and operation. In summary, Mimikatz “attacks” the lsass process and takes advantage of a type of reversible encryption that Windows implements to obtain plaintext passwords.
On the other hand, Procdump is a tool developed by Mark Russinovich that will allow us to dump the memory space of a process to a file.