WCE and Mimikatz in memory over meterpreter

While hashes are great and passing the hash is an effective attack method, it never hurts to have plain text passwords. Companies tend to reuse passwords on various systems or use the same password style across their network.

Currently the two primary tools for doing this are WCE and Mimikatz. Both methods will be shown over an existing meterpreter session.

First up, WCE the old way: dropping a binary.


Uploading wce.exe over a meterpreter session

Dropping to shell and executing WCE


As you can see, this involves dropping a binary to the target machine.

This process was automated with a post-exploitation script which uploads and executes WCE. It can be found at http://pastebin.com/kQ41wLM7 and was written by @jabjorkhaug.

Time to take a look at the execute command.


-m looks like a fun option

Running in memory will give you a better chance of antivirus avoidance.

Let's try WCE again without dropping the binary.


Launching WCE in memory from meterpreter

execute -H -i -c -m -d calc.exe -f /root/wce.exe -a  -w

Next up Mimikatz


Launching Mimikatz in memory from meterpreter

execute -H -i -c -m -d calc.exe -f /root/mimi/Win32/mimikatz.exe -a '"sekurlsa::logonPasswords full" exit'

While both of these are executed in memory, WCE writes a DLL to disk when it's running. Mimikatz never touches disk, which gives it a great advantage over WCE; Mubix has a detailed blog post on Mimikatz in memory.

More information on in-memory execution can be found here – Eternal Sunshine of the Spotless RAM
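
Seen from the defender's side, both runs above leave telemetry: the dummy host process named with -d (calc.exe) has to read LSASS memory, and WCE may write a DLL to disk. The following is an added example, not part of the original post. It assumes Sysmon ProcessAccess (event ID 10) and FileCreate (event ID 11) records already parsed into dicts; the sample events, allowlist, paths and function names are constructed for illustration.

```python
import ntpath

# Hypothetical allowlist of images expected to open LSASS; tune per environment.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "svchost.exe"}
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory

def image_name(path):
    """Lower-cased file name of a Windows path, on any host OS."""
    return ntpath.basename(path).lower()

def triage(events):
    """Flag unexpected LSASS memory readers and DLLs they write afterwards."""
    readers = {}   # SourceProcessGUID -> image name of a flagged LSASS reader
    findings = []
    for ev in events:
        if ev["EventID"] == 10 and image_name(ev["TargetImage"]) == "lsass.exe":
            src = image_name(ev["SourceImage"])
            access = int(ev["GrantedAccess"], 16)
            if access & PROCESS_VM_READ and src not in LSASS_ALLOWLIST:
                readers[ev["SourceProcessGUID"]] = src
                findings.append(("lsass-read", src, ev["GrantedAccess"]))
        elif ev["EventID"] == 11 and ev["ProcessGuid"] in readers:
            # Correlate on process GUID, not name: the image is only a dummy host.
            if ev["TargetFilename"].lower().endswith(".dll"):
                findings.append(("dll-written-by-lsass-reader",
                                 readers[ev["ProcessGuid"]], ev["TargetFilename"]))
    return findings

# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceProcessGUID": "{guid-a}", "GrantedAccess": "0x1000",
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 10, "SourceProcessGUID": "{guid-b}", "GrantedAccess": "0x1410",
     "SourceImage": r"C:\Windows\System32\calc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 11, "ProcessGuid": "{guid-b}",
     "Image": r"C:\Windows\System32\calc.exe",
     "TargetFilename": r"C:\Users\Public\placeholder.dll"},
    {"EventID": 11, "ProcessGuid": "{guid-c}",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Program Files\App\lib.dll"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

A calculator opening LSASS with memory-read rights is the signal that survives in-memory execution; the DLL write is the extra artifact in the WCE case.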

Mimikatz – http://blog.gentilkiwi.com/mimikatz

Mimikatz English version – https://github.com/thomhastings/mimikatz-en

Windows Credential Editor (WCE) – http://www.ampliasecurity.com/research.html

Metasploit – http://www.metasploit.com/download/

One comment on “WCE and Mimikatz in memory over meterpreter”
  1. Hernan says:


    I just wanted to point out that WCE does not always need to dump a DLL. It dumps the DLL when the “read from memory”/”safe mode” method fails. If it fails, you can use getlsasrvaddr.exe to make it work. You can also force “safe mode” using the -f switch, useful if you DO NOT want WCE to dump the DLL. Of course, if “safe mode” does not work, you’ll get nothing if you use the -f switch, but the DLL will not be dumped automatically.

    Thanks! Hernan.
