WDigest is a DLL first added in Windows XP that is used to authenticate users against HTTP Digest authentication and Simple Authentication Security Layer (SASL) exchanges. Both of these require the user’s plain-text password in order to derive the key used to authenticate, which is why the password is stored in plain text. Mimikatz is a slick tool that pulls plain-text passwords out of WDigest (explained above), which it reaches through LSASS.
I’ve seen many blog posts about this tool and will refer you to them for more technical details about the way it works. Here you will just find a little code to download the source and the binaries. Also, notice that in order to run this remotely you might want to bypass the UAC on the remote machine using post/windows/escalate/bypassuac and only then upload the files.
You can get the script using the line below; then just chmod it and it will fetch the tool and its source.
wget http://hackingdefined.org/tools/getMK.sh
Source for getMK.sh:

```bash
#!/bin/bash
# Creates ~/Desktop/mimikatz and downloads the binaries and the source into it.
clear

echo -e "\e[00;34m[|]\e[00m Building directories."
cd ~/Desktop || exit 1
mkdir -p mimikatz
cd mimikatz || exit 1

# Fetch and unpack the pre-built binaries.
mkdir -p Binaries
cd Binaries || exit 1
echo -e "\e[00;34m[|]\e[00m Getting binaries."
wget --quiet http://hackingdefined.org/tools/mimbin.zip 2> /dev/null
unzip mimbin.zip 2> /dev/null
cd ..
echo -e "\e[00;32m[+]\e[00m Got binaries."

# Fetch and unpack the source code.
mkdir -p source
cd source || exit 1
echo -e "\e[00;34m[|]\e[00m Getting source code."
wget --quiet http://hackingdefined.org/tools/mimsrc.zip 2> /dev/null
unzip mimsrc.zip 2> /dev/null
echo -e "\e[00;32m[+]\e[00m Got source code."

echo -e "\e[00;32m[+]\e[00m All done and ready at $HOME/Desktop/mimikatz"
echo -e ""
```
You can read more about this at:
- The original site.
- PenTest lab – a more practical guide on using meterpreter to upload and execute the tool
- More detailed information about the way the tool actually works.
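
From the defender's side, the WDigest plain-text caching described at the top of this post can be audited per host. The PowerShell below is an added example, not part of the original post or of the tool. The `UseLogonCredential` registry value and KB2871997 are not mentioned in the post; they are Microsoft's documented control for WDigest caching, and the function name is hypothetical.

```powershell
# Added example (not from the original post). Read-only: it reports and changes nothing.
function Get-WDigestCachingState {
    [CmdletBinding()]
    param()

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $name = 'UseLogonCredential'
    $os   = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version

    # $null means the value is not set and the OS default applies.
    $prop  = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $value = if ($prop) { $prop.$name } else { $null }

    # Windows 8.1 / Server 2012 R2 (6.3) and later do not cache when the value is absent.
    # Older systems cache by default and honour 0 only once KB2871997 is installed.
    $defaultOff = $os -ge [version]'6.3'

    if ($null -eq $value) {
        $caching = -not $defaultOff
        $detail  = 'value not set, OS default applies'
    } elseif ($value -eq 0) {
        $caching = $false
        $detail  = 'explicitly disabled (pre-6.3 systems also need KB2871997)'
    } else {
        $caching = $true
        $detail  = 'explicitly enabled'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OSVersion          = $os.ToString()
        UseLogonCredential = $value
        PlaintextCaching   = $caching
        Detail             = $detail
    }
}

Get-WDigestCachingState | Format-List
```

A host on Windows 8.1 or later that reports `explicitly enabled` without a documented reason is worth investigating, because the value has to be set deliberately to turn caching back on.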