I'm working on dumping plaintext passwords from a compromised machine (it's my computer, research, blah blah blah).

Anyways, I'm getting a weird error when running the Metasploit module in a Meterpreter session. I can retrieve the usernames of previously logged-in users, but for every password I just get this error:

mod_process::getVeryBasicModulesListForProcess : (0x0000012b) Only part of a ReadProcessMemory or WriteProcessMemory request was completed. n.a. (msv1_0 KO)

Any ideas? I'm running as the SYSTEM user.

UPDATE:

After looking into this further, I tried dumping passwords with mimikatz by injecting mimikatz itself into memory with a neat little feature of Metasploit. So for some reason, I can use mimikatz itself via memory injection through a Meterpreter shell and successfully dump the passwords, but the built-in mimikatz module is still throwing partial read errors.

Verbal Kint
  • I found an interesting article on this here: https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ The author claims that Windows has been patched since 8.1 to prevent plaintext password extraction. Seems promising and I'll definitely look into it, but my target is Windows 7, so perhaps the patch was more broad than the article states. – Verbal Kint Sep 19 '16 at 21:09
  • This is an internal software error - you need to ask this on the Rapid7 Metasploit forums or support. – schroeder Sep 19 '16 at 21:14
  • @schroeder, although it is a Metasploit error, it seems like it has more to do with how Windows handles credentials than anything else. As the article I pointed to suggests, it looks like Microsoft patched or changed some aspect of their login to avoid attacks. I've used mimikatz to dump passwords in plaintext in the past without a problem. Thus the question deals more with the way that the login process has changed post-Windows 7 to prevent this kind of attack. Granted, maybe the question should be reworded to address this more specifically. – Verbal Kint Sep 20 '16 at 12:05
  • Google presented this when I searched for your mimikatz error: http://blog.gentilkiwi.com/category/securite/mimikatz/page/3 – schroeder Sep 20 '16 at 17:28

1 Answer

Was running into this exact issue, and for me it was related to the process and architecture I was injecting into (using x32 instead of x64). After migrating to an x64 process, and then loading mimikatz, I was able to dump credentials as expected.

NemosDemos