1
00:00:00,560 --> 00:00:05,540
In this lecture, we are going to see how we can extract passwords from RAM with the Mimikatz tool.

2
00:00:07,910 --> 00:00:13,430
You can use this attack if you have physical access to a system which is password locked for security

3
00:00:13,430 --> 00:00:18,300
policies. You can extract the password hashes from RAM and then crack them.

4
00:00:19,840 --> 00:00:24,430
This tool is also used in the post-exploitation phase to extract hashes from RAM.

5
00:00:27,190 --> 00:00:33,430
Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords,

6
00:00:33,730 --> 00:00:39,040
along with many other features that make it useful for testing the security of networks.

7
00:00:40,100 --> 00:00:44,990
It has been dubbed as one of the most powerful Windows password stealers by Wired.com.

8
00:00:48,620 --> 00:00:51,560
It can be used to retrieve account hashes from active RAM.

9
00:00:52,050 --> 00:00:58,180
First, go to Task Manager, right-click on the Local System Authority process, and select create dump

10
00:00:58,220 --> 00:01:01,310
file, which will be stored in the temporary folder.

11
00:01:06,780 --> 00:01:09,240
Now download Mimikatz and extract it.

12
00:01:12,290 --> 00:01:15,830
We run these commands in sequence to extract hashes from the dump.

13
00:01:21,370 --> 00:01:26,950
It will show hashes of all logged-in accounts, which are also stored in the hash text file.

14
00:01:30,440 --> 00:01:30,620
Now,

15
00:01:30,620 --> 00:01:32,780
let's see how we can crack these hashes.

16
00:01:34,640 --> 00:01:37,490
You can use John or care to crack the password.

17
00:01:38,210 --> 00:01:43,160
Copy your text file to your Kali machine and use this command to crack the password.

18
00:01:44,250 --> 00:01:45,570
Once the password is cracked,

19
00:01:45,600 --> 00:01:47,250
it will be displayed on screen.

20
00:01:51,130 --> 00:01:51,220
Now,

21
00:01:51,280 --> 00:01:52,870
let's see the tool in action.

22
00:01:55,390 --> 00:01:58,930
First of all, go to the official GitHub website for Mimikatz.

23
00:02:00,730 --> 00:02:01,780
Download the tool.

24
00:02:05,780 --> 00:02:06,620
Once downloaded,

25
00:02:06,620 --> 00:02:07,490
extract it.

26
00:02:11,410 --> 00:02:14,530
You will have both 32-bit and 64-bit versions available.

27
00:02:17,650 --> 00:02:18,940
Open Command Prompt.

28
00:02:22,380 --> 00:02:24,360
Navigate to the Mimikatz directory.

29
00:02:30,020 --> 00:02:30,680
The tool.

30
00:02:34,340 --> 00:02:37,340
Now elevate its privileges with the privilege command.

31
00:02:44,490 --> 00:02:46,290
Now, we need to know from memory.

32
00:02:46,800 --> 00:02:48,300
So, open Task Manager.

33
00:02:53,990 --> 00:02:56,510
Scroll to the Local System Authority process.

34
00:03:03,130 --> 00:03:05,590
Right-click on it and create a file.

35
00:03:11,290 --> 00:03:14,080
That will be created and stored in the temporary folder.

36
00:03:26,850 --> 00:03:27,840
To save the results,

37
00:03:27,840 --> 00:03:29,010
use the log command.

38
00:03:34,370 --> 00:03:36,890
And then open the dump with minidump.

39
00:03:38,960 --> 00:03:42,470
And then use the logonpasswords command to see all hashes.

40
00:03:49,060 --> 00:03:49,950
The closet.

41
00:03:50,190 --> 00:03:52,950
You can also see the results in the hash text file.

42
00:03:53,810 --> 00:03:58,940
Remove all excessive data from the file and leave only the username with the hash.

43
00:04:10,970 --> 00:04:12,380
Now copy this file over

44
00:04:12,560 --> 00:04:13,640
to your Kali machine.

45
00:04:15,740 --> 00:04:22,220
Open the terminal and use John to crack the password with the default dictionary.

46
00:04:25,650 --> 00:04:28,530
And once the password is cracked, it will be displayed on screen.