Everything, Everything

Grabbing Passwords With Mimikatz on x64
Tuesday 22nd October, 2013 16:32
This is more of a note to self, but if you've managed to "getsystem" with meterpreter (which generally means you've managed to exploit a system, or you've run something as an Administrator to get around UAC), you might be tempted to run mimikatz to grab the cleartext passwords. This normally works fine... until you get an error message instead of a password. You also probably saw a warning about it running the x86 version on an x64 host. The issue is you're trying to run in a 32-bit process as SYSTEM when you need to be in a 64-bit process as SYSTEM. The easiest way to do that is to migrate to a 64-bit process that's already running as SYSTEM. I chose wlanext.exe (Windows Wireless LAN 802.11 Extensibility Framework), but a server is (hopefully) a lot less likely to have that running. Perhaps spoolsv.exe (Spooler SubSystem App) is a more reliable choice on a server?
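From the defender's side, the sequence described above (injection into a 64-bit SYSTEM process, then that process reading LSASS) can be correlated in endpoint telemetry. The sketch below is an added example, not code from this post: it assumes Sysmon-style CreateRemoteThread (event ID 8) and ProcessAccess (event ID 10) records already parsed into dictionaries, and the sample events, paths and PIDs are constructed.

```python
import ntpath

# Processes the post names as migration targets (64-bit, running as SYSTEM).
WATCHED = {"spoolsv.exe", "wlanext.exe"}

# Constructed sample events using Sysmon field names
# (EventID 8 = CreateRemoteThread, EventID 10 = ProcessAccess).
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceProcessId": 4120, "SourceImage": r"C:\Users\Public\update.exe",
     "TargetProcessId": 1432, "TargetImage": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 10, "SourceProcessId": 1432, "SourceImage": r"C:\Windows\System32\spoolsv.exe",
     "TargetProcessId": 612, "TargetImage": r"C:\Windows\System32\lsass.exe"},
    # wlanext.exe touching lsass.exe with no earlier injection: not correlated.
    {"EventID": 10, "SourceProcessId": 2200, "SourceImage": r"C:\Windows\System32\wlanext.exe",
     "TargetProcessId": 612, "TargetImage": r"C:\Windows\System32\lsass.exe"},
    # Remote thread into a process that is not on the watch list: ignored.
    {"EventID": 8, "SourceProcessId": 900, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetProcessId": 3000, "TargetImage": r"C:\Windows\System32\notepad.exe"},
]


def base(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()


def find_migration_then_lsass(events):
    """Alert when a watched process receives a remote thread from a different
    image and the same PID later opens lsass.exe. Events must be in time order."""
    injected = {}  # PID of the watched process -> image that injected into it
    alerts = []
    for ev in events:
        src, dst = base(ev["SourceImage"]), base(ev["TargetImage"])
        if ev["EventID"] == 8 and dst in WATCHED and src != dst:
            injected[ev["TargetProcessId"]] = ev["SourceImage"]
        elif ev["EventID"] == 10 and dst == "lsass.exe":
            origin = injected.get(ev["SourceProcessId"])
            if origin is not None:
                alerts.append({"pid": ev["SourceProcessId"],
                               "host_process": src,
                               "injected_by": origin})
    return alerts


if __name__ == "__main__":
    for alert in find_migration_then_lsass(SAMPLE_EVENTS):
        print(alert)
```

Keying the correlation on the PID rather than the image name keeps ordinary LSASS access by an untouched service process out of the alert list.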
© Robert Nicholls 2002-2024
The views and opinions expressed on this site do not represent the views of my employer.