giMini / PowerMemory

Exploit the credentials present in files and memory


Win10 Enterprise 64-bit local

richrumble opened this issue · comments

I've run it 4 times; the first two failed:

+++++++++++++++++++++++++++++++++++++++++

[White-Rabbit.ps1] version [0.4] started at 01/26/2016 06:10:24

--- Script terminating ---

Script ended at 01/26/2016 06:10:42

+++++++++++++++++++++++++++++++++++++++++
The 3rd and 4th times do make the lsass.dmp file, and the results are:

[White-Rabbit.ps1] version [0.4] started at 01/26/2016 06:11:24

Login : rrumble
Password :
Login : rrumble
Password :
Login : PC007$
Password :
Login :
Password :
Login : PC007$
Password :
Login : PC007$
Password :
Login : ????????????????????????????????
Password :

Script ended at 01/26/2016 06:11:49

+++++++++++++++++++++++++++++++++++++++++

Another error when I run it against the generated lsass.dmps...


\ /\ Follow the white Rabbit :-)
( ) pabraeken@gmail.com
.( @ ).

RWMC runs with user DOMAIN\rrumble with administrator rights on PC007 computer

Do you want use Active Directory cmdlets ?

  1. Yes
  2. No
  3. Exit

Enter menu number and press : 2
Local computer, Remote computer or from a dump file ?

  1. Local
  2. Remote
  3. lsass process .dmp
  4. VM snapshot .dmp
  5. Exit

Enter menu number and press : 3
Enter the path of your lsass process dump: C:\Intel\PowerMemory-master\20160126062143
Mode (3 (Windows 2003), 1 (Win 7 and 2008r2), 132 (Win 7 32 bits), 2 (Win 8 and 2012), 2r2 (Win 10 and 2012r2), 232 (Win 10 32 bits) 8.1 (Win 8.1) or 2016 (Windows Server 2016))?: 2r2
Try to reveal password for Windows 10 or 2012r2
Do you want to exfiltrate the data (pastebin) ?

  1. Yes
  2. No
  3. Exit

Enter menu number and press : 2
Do you want to clear event log on this local computer ?

  1. Yes
  2. No
  3. Exit

Enter menu number and press : 2
(see screenshot: http://snag.gy/aeE9A.jpg)

Did you reboot the pc after the first execution ?

I have now. Curiously it works (after reboot) for local, but does not work on the previous lsass.dmp files when using option 3 (lsass process .dmp)

Ok.

Normally it displays a message that says one registry key was modified and the computer needs to reboot. Weird.

For your second problem, did you try "2016" option ?

I've tried them all :) 2r2 is the only one that almost has sane output. I can share a dump if you need.

Can you make a new dump and try again with option 2r2 ?

I think you created the first dump without rebooting the computer.

Same result:

[White-Rabbit.ps1] version [0.4] started at 01/26/2016 08:16:04

Login : Windows
Password :

Script ended at 01/26/2016 08:16:21

I should be able to use any minidump of Lsass, correct? TaskManager->(right-click lsass.exe)->create dump
or procdump -ma lsass.exe lsass.dmp. The point of your tool, I thought, was to use PS only and get dumps from other machines to the machine running your PS. I have not tried on other OS's yet, but I will soon; the minidumps will be generated like I do above.

Yes, you can retrieve credentials from any dump from this tool.

If you use TaskManager->(right-click lsass.exe), you have to be sure to set the correct registry key on the concerned OS.

Do you have documentation on this registry key? Using ProcDump or the TaskMgr method I don't have to do anything for Mimikatz to get the data out of the minidumps. I love the idea of your PS, I want to understand why I'd need a registry key change on a remote machine for this to work, but mimikatz can take these minidumps as is.

I made a presentation of this at HackFest Quebec.

You can find it here :
https://github.com/giMini/PowerMemory/blob/master/PREZ/HackFest2015.pptx
