gentilkiwi / mimikatz

A little tool to play with Windows security

http://blog.gentilkiwi.com/mimikatz

19.5k stars 3.74k forks source link

volatility/rekall -> mimikatz #224

Closed s0i37 closed 5 years ago

s0i37 commented 5 years ago

Good day. I am looking for an approach to using mimikatz with physical dumps. I know that mimikatz supports minidump formats. But when I try convert physical memory to virtual:

volatility -f pmem.dmp raw2dmp -O pmem.mdmp
sekurlsa::Minidump pmem.mdmp
sekurlsa::logonPasswords

I had an access violation error. May you please tell me how can I switch to address space of lsass.exe into pmem.mdmp?

Beercow commented 5 years ago

After using raw2dmp, load the image into windbg. You can load mimikatz (mimilib.dll) into windbg and use it from there. http://blog.digital-forensics.it/2014/03/mimikatz-offline-addendum_28.html

s0i37 commented 5 years ago

Great. Thank you! But whats about extracting kerberos tickets? Is it posible to extract them from memory dump?

s0i37 commented 5 years ago

gentilkiwi / mimikatz

volatility/rekall -> mimikatz #224

232