{"id":2443,"date":"2015-02-11T23:34:40","date_gmt":"2015-02-11T22:34:40","guid":{"rendered":"http:\/\/michlstechblog.info\/blog\/?p=2443"},"modified":"2015-02-16T11:54:36","modified_gmt":"2015-02-16T10:54:36","slug":"windows-recover-lost-passwords-from-memory","status":"publish","type":"post","link":"https:\/\/michlstechblog.info\/blog\/windows-recover-lost-passwords-from-memory\/","title":{"rendered":"Windows: Recover lost passwords from memory"},"content":{"rendered":"<p>Hi,<\/p>\n<p>If a user is logged on and has forgotten their password, you can dump the LSASS process and recover the password from the dump file.<\/p>\n<p>Two tools are needed:<\/p>\n<ul>\n<li>Microsoft&#8217;s Sysinternals <a title=\"Procdump\" href=\"https:\/\/technet.microsoft.com\/en-us\/sysinternals\/dd996900.aspx\" target=\"_blank\">procdump<\/a><\/li>\n<li><a title=\"Mimikatz\" href=\"https:\/\/github.com\/gentilkiwi\/mimikatz\" target=\"_blank\">mimikatz<\/a>. A tool to play with Windows security. Take care when downloading precompiled binaries. Better get the source code from GitHub and compile it yourself. It&#8217;s very easy.<\/li>\n<\/ul>\n<p>Let&#8217;s start. Log in as a user with administrator permissions and dump the lsass process:<br \/>\n<!--more--><\/p>\n<p><code><strong>C:\\&gt;procdump.exe -accepteula -ma lsass.exe %TEMP%\\lsass.dmp<\/strong><br \/>\nProcDump v7.1 - Writes process dump files<br \/>\nCopyright (C) 2009-2014 Mark Russinovich<br \/>\nSysinternals - www.sysinternals.com<br \/>\nWith contributions from Andrew Richards<br \/>\n[09:53:48] Dump 1 initiated: C:\\Users\\user\\AppData\\Local\\Temp\\lsass.dmp<br \/>\n[09:53:55] Dump 1 writing: Estimated dump file size is 42 MB.<br \/>\n[09:53:55] Dump 1 complete: 42 MB written in 7.5 seconds<br \/>\n[09:53:56] Dump count reached.<\/code><\/p>\n<p>Recover the lost information. 
Start the mimikatz interactive shell:<br \/>\n<code><br \/>\nC:\\&gt; mimikatz.exe<\/code><br \/>\nTo get help, type a double colon (::); for the commands of a single module, type the module name followed by ::, e.g. sekurlsa::<br \/>\nOpen the dmp file:<br \/>\n<code><strong>mimikatz # sekurlsa::minidump C:\\Users\\user\\AppData\\Local\\Temp\\lsass.dmp<\/strong><br \/>\nSwitch to MINIDUMP : 'C:\\Users\\user\\AppData\\Local\\Temp\\lsass.dmp'<\/code><br \/>\nand get the lost information:<br \/>\n<code><br \/>\n<strong>mimikatz # sekurlsa::logonPasswords<\/strong><br \/>\n<\/code><\/p>\n<p>Mimikatz also supports Windows full and crash dumps and VMware vmem files as input. To <a title=\"Mimikatz offline addendum\" href=\"http:\/\/blog.digital-forensics.it\/2014\/03\/mimikatz-offline-addendum_28.html\" target=\"_blank\">extract<\/a> the credentials from a memory dump or a hibernation file, use the mimikatz <a title=\"mimikatz offline plugin for volatility\" href=\"https:\/\/code.google.com\/p\/hotoloti\/\" target=\"_blank\">offline plugin<\/a> for <a title=\"Volatility Foundation\" href=\"http:\/\/www.volatilityfoundation.org\/\" target=\"_blank\">Volatility<\/a>.<\/p>\n<p>It&#8217;s also possible to recover the login credentials directly from the running lsass process. This is the default.<\/p>\n<p>You need the debug privilege for this, otherwise <strong>ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)<\/strong> occurs. Also, mimikatz.exe must be compiled for the architecture of the OS in use (x86 or x64), otherwise you get <strong>ERROR kuhl_m_sekurlsa_acquireLSA ; Modules informations<\/strong>.<br \/>\n<code>mimikatz # privilege::debug<br \/>\nPrivilege '20' OK<br \/>\nmimikatz # sekurlsa::logonPasswords<\/code><\/p>\n<p><strong>CAUTION: Be very careful when using this tool, because it exposes extremely sensitive data!!! 
In your workplace or country this tool may be classified as a hacking tool!!!<\/strong><\/p>\n<p>Michael<\/p>\n<pre><!-- http:\/\/blog.digital-forensics.it\/2014\/03\/mimikatz-offline-addendum_28.html http:\/\/blog.digital-forensics.it\/2014\/03\/et-voila-le-mimikatz-offline.html https:\/\/github.com\/dfirfpi\/hotoloti http:\/\/www.fuzzysecurity.com\/tutorials\/18.html --><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Hi, if a User is logged on and forget it&#8217;s password you can dump to lsa process and recover the password from a dump file. Two tools are needed: Microsoft&#8217;s sysinternals procdump mimikatz. A tool to play with windows security. Take care when download precompiled binaries. Better get the source code from github and compile &hellip; <a href=\"https:\/\/michlstechblog.info\/blog\/windows-recover-lost-passwords-from-memory\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Windows: Recover lost passwords from memory<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[466,5],"tags":[597,596,92,221,20],"class_list":["post-2443","post","type-post","status-publish","format-standard","hentry","category-security","category-windowsknowhow","tag-lsass","tag-mimikatz","tag-password","tag-recover","tag-windows-2"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/2443","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/comments?post=2443"
}],"version-history":[{"count":13,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/2443\/revisions"}],"predecessor-version":[{"id":2462,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/2443\/revisions\/2462"}],"wp:attachment":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/media?parent=2443"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/categories?post=2443"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/tags?post=2443"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}