Completely In-memory Mimikatz with Metasploit

Sunday, October 07, 2012

Rob Fuller


Executing WCE.exe in memory as demoed by Egypt here:

It has two issues with it:

1. You leave a file on disk with your hashes and clear text passwords. That just won't do.
2. There is this DLL called WCEAUX.dll that gets written for the briefest second to disk:

[Screenshot]

(yes I realize I'm running this on disk 'wce32.exe', but it exhibits the same DLL drop when doing in-memory)

Now, don't get me wrong, I love WCE, and Hernan Ochoa does an amazing job with it, but when it comes down to it, it's about the best tool for the job. And today, that's Mimikatz.

Just like WCE, to execute it in memory you use the -m flag for execute:

execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"sekurlsa::logonPasswords full" exit'

For mimikatz to run commands automatically, they must be wrapped in double quotes in the command line arguments, so we use single quotes in meterpreter to enclose the execute arguments (-a). This runs "sekurlsa::logonPasswords full" first, then 'exit' to auto-exit the mimikatz console. Like so:

[Screenshot]

And all you get forensically is calc.exe loading a ton of DLLs it has no business loading but no new files touch disk ;-)

[Screenshot]

The downloads for Mimikatz are where they always are:
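Added example (not from the original post): since the only trace described above is the host process loading DLLs outside its normal set, this Python script builds a per-process DLL baseline from known-good module-load records and reports processes that load several DLLs outside it. The record layout mirrors the Image and ImageLoaded fields of Sysmon Event ID 7; the host names, DLL lists and the min_new threshold are constructed assumptions.

```python
import ntpath
from collections import defaultdict

SYS32 = "C:\\Windows\\System32\\"

# Constructed sample data shaped like Sysmon Event ID 7 (ImageLoad):
# (host, Image, ImageLoaded). Hosts and DLL choices are illustrative
# assumptions, not values taken from the post.
KNOWN_GOOD = [
    ("ws01", SYS32 + "calc.exe", SYS32 + dll)
    for dll in ("ntdll.dll", "kernel32.dll", "user32.dll", "gdi32.dll", "shell32.dll")
] + [
    ("ws02", SYS32 + "calc.exe", SYS32 + dll)
    for dll in ("ntdll.dll", "kernel32.dll", "user32.dll", "gdiplus.dll")
]
OBSERVED = [
    ("ws07", SYS32 + "calc.exe", SYS32 + dll)
    for dll in ("ntdll.dll", "kernel32.dll", "user32.dll",
                "cryptdll.dll", "samlib.dll", "secur32.dll")
] + [("ws07", SYS32 + "notepad.exe", SYS32 + "comdlg32.dll")]


def _name(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()


def build_baseline(events):
    """Map process name -> set of DLL names seen on known-good hosts."""
    baseline = defaultdict(set)
    for _host, image, loaded in events:
        baseline[_name(image)].add(_name(loaded))
    return dict(baseline)


def unexpected_loads(events, baseline, min_new=2):
    """Return {(host, process): sorted DLL names outside the baseline}.

    Processes without a baseline are skipped (nothing to compare against);
    min_new suppresses single stray loads such as a shell extension.
    """
    new = defaultdict(set)
    for host, image, loaded in events:
        proc = _name(image)
        if proc in baseline and _name(loaded) not in baseline[proc]:
            new[(host, proc)].add(_name(loaded))
    return {k: sorted(v) for k, v in new.items() if len(v) >= min_new}


if __name__ == "__main__":
    for (host, proc), dlls in unexpected_loads(OBSERVED, build_baseline(KNOWN_GOOD)).items():
        print(f"{host} {proc}: {len(dlls)} DLLs outside baseline: {', '.join(dlls)}")
```

The baseline is only as good as the hosts it was built from, so rebuild it after OS or application updates that change a process's normal module set.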

Oh, did I mention that Mimikatz is open source and the in-memory goodness has been uploaded to svn:

Awesome work @gentilkiwi

If you want to check out the fix that was implemented to work with Meterpreter's in-memory goodness, check here:

Cross-posted from Room362
