Showing posts from March, 2014

mimikatz offline addendum

I must admit I did not expect so many acknowledgments by writing the  volatility mimikatz plugin . I want to say thanks to all people that tweeted, emailed - and so on - me: it is just a piece of the puzzle, and the big pieces are those from  volatility  and from  mimikatz . First, I want to say thanks to  Andrew Case , for the support and for having tweeted about the plugin: probably all those  acks  are because Andrew is an uber-well-known DFIR expert! Then I want to say thanks to  Kristinn Gudjonsson , my favorite  plaso  “ harsh ” reviewer, who spotted some “ devil ” (you wrote it! ;) issues in my code, as the multiple inheritance I used… lol, I will fix it! Last but not least I want to once again say thanks to  Benjamin  aka  gentilkiwi , who wrote an e-mail to me making the congratulations for the plugin. With this post, I want to point out some  features of mimikatz  that I had not considered in the first instance. mimikatz can work offline In the previous post

et voilà le mimikatz offline

In one of my recent cases, I needed to recover the windows user password: I had different OSes with various levels of cryptography, mainly at file level. Usually I think it's a good approach to recover as many hints as possible, to derive a scheme and/or to find a way to access the data.  ODI I like to call it ODI ( Offensive Digital Investigations , in Italian "odi" means hear , find out ). I remember an old case where I got 500+ strong encrypted archives... too many without a password catalog. I searched for the weakest protection and I found three zip-crypto (not a strong protection) archives: I cracked them in few days and then I was able to derive the schema to access all of them. I was lucky. This time I felt that the Windows user password was the... key. Usually the dirty work is made with rainbow tables, but no way: I was unable to crack the Windows 7 user password. mimikatz I don't remember exactly why I was playing with mimikatz (hem, c