Closed suntop250ml closed 4 years ago
Hi,
Hello,
Hi,
Did you try the username and password you found against the machine, with cme for example?
cme smb <machine> -u <username> -p '<weirdPassword>'
I would not be surprised if this is indeed a valid password generated by something.
Hello, it is not a valid password. I know this because I know the victim's password: I am testing the tool on a machine that I know the password for.
So it looks like a bug. Thank you for reporting this.
Do you think it is possible to parse the problematic dump locally to see if this weird thing also occurs with Pypykatz?
pypykatz lsa minidump <yourDump.dmp>
It is complicated for me to investigate more without the problematic dump, so I will keep this thread open until I face the same problem as you.
I would be very glad to assist in resolving this bug, but you would have to give me more elaborate instructions. I am not really a developer, I am just a security enthusiast. You can start by telling me how to create a dump of the machine in order to run the pypykatz tool on it.
On the target machine:
procdump64.exe -accepteula -ma lsass.exe C:\lsass.dmp
On the attacker machine:
pip3 install pypykatz
pypykatz lsa minidump dump.dmp
And try to find your weird password in the output.
So I went and parsed the dump locally using Pypykatz as per the instructions above, searched for the password in the output, and found exactly the same long string of letters and numbers that the Spraykatz tool generated.
Just to make sure, I parsed the dump for another 3 machines and got another long string of letters and numbers.
Ok, so it is not a Spraykatz problem as Spraykatz only prints what Pypykatz has parsed. But to understand this behavior, you can download Mimikatz on your Windows machine.
"Run as administrator" a command prompt and run mimikatz. When in the mimikatz command shell, type:
sekurlsa::minidump dump.dmp
sekurlsa::logonpasswords
Hello, the script is returning a hash where a password is expected (see screenshot below). Why is this?