Some ways to dump LSASS.exe

As always, this is for educational purposes. I like to find multiple ways to do the same thing. It helps me learn, and writing about it helps me learn too. This is a list of several ways to dump LSASS.exe (Local Security Authority Subsystem Service).

Before I begin: when I'm running Windows 10 or Windows Server 2016 (or higher) and Credential Guard is configured and running, dumping LSASS won't be super useful for NTLM hashes. This is what it looks like if Credential Guard is running and I try to get an NTLM hash. No good for dumping.

However, if I'm running an older Windows OS, or Credential Guard is not configured and running, I may be able to pull the NTLM hashes (or even passwords). Someone recently tweeted this script to check if Credential Guard is configured and running (thank you Twitter peeps!):

$DevGuard = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
if ($DevGuard.SecurityServicesConfigured -contains 1) {"Credential Guard configured"}
if ($DevGuard.SecurityServicesRunning -contains 1) {"Credential Guard running"}

I can see Credential Guard isn't configured or running on my lab machine.

Let's start dumping LSASS.EXE.

The first way is to use Task Manager (running as admin). Right-click lsass.exe and select "Create Dump File".

A popup will let me know where it gets dumped with the path to the dmp file.

Sysinternals is great for dumping too (https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite), or http://live.sysinternals.com if I just want specific files.

First, open a command prompt as admin and run "psexec -i -s cmd". This will launch a command prompt with SYSTEM rights. *** I found that if I run without SYSTEM rights the file doesn't get created (because of Defender), but if I run with SYSTEM rights, Windows Defender lets it write to disk. ***

Next run "procdump -ma lsass.exe lsass.dmp".

Here is what Defender says:

The dmp file is still produced though.

Next is SharpDump. Compile the source and run it from an admin command prompt. I cover how to compile it in a previous post here: https://medium.com/@markmotig/research-and-organization-on-the-go-and-refinement-when-time-permits-3d25763d3586

Here is the directory with the compiled exe.

Here is the output file. As it suggests, rename the file to .GZ and you can unzip it and use it on your attacking machine to extract the NTLM hashes for cracking.

Next is Mini-Dump from @mattifestation (https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1).

Import the module: Import-Module .\Out-Minidump.ps1

Then run the command: Get-Process lsass | Out-Minidump

Another way someone shared recently is Dumpert, which may be able to bypass AV (https://github.com/outflanknl/Dumpert). Here is a quote from the GitHub repo:

"This tool demonstrates the use of direct System Calls and API unhooking and combines these techniques in a proof of concept code which can be used to create a LSASS memory dump using Cobalt Strike, while not touching disk and evading AV/EDR monitored user-mode API calls."

After compiling it, the repository suggests two ways to run it. First, the EXE:

The second way is to run it using the DLL. I copied all of the files from the DLL output build into a folder and ran this command from that folder:

rundll32 Outflank-Dumpert-DLL.dll,Dump
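One caveat worth keeping in mind from the defender's side: direct syscalls and API unhooking evade user-mode hooks, but Sysmon's ProcessAccess event (Event ID 10) is raised from a kernel object callback, so the handle open on lsass.exe is still logged whichever of the tools above is used. The following is an added example, not code from this post or from any of the tools it mentions: a small Python checker that runs over constructed Sysmon Event ID 10 records; the allow-list, the call-trace heuristic and the sample paths are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DUMP_MASK = 0x0010 | 0x0400  # PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, what MiniDumpWriteDump needs
ALLOWED_SOURCES = {r"c:\program files\windows defender\msmpeng.exe"}  # hypothetical allow-list; tune locally

def parse_event(xml_text):
    """Return EventID plus the EventData fields of one Sysmon event as a dict."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev

def classify(ev):
    """Return None if the event is not a readable handle to LSASS, else a reason string."""
    if ev["EventID"] != 10 or not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    if ev.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return None
    if int(ev.get("GrantedAccess", "0"), 16) & DUMP_MASK != DUMP_MASK:
        return None  # handle cannot read memory, so no dump is possible with it
    trace = ev.get("CallTrace", "").lower()
    # Heuristic: a normal OpenProcess call leaves kernelbase/kernel32 frames on the stack.
    # Their absence suggests the syscall was issued directly from the tool's own code.
    if "kernelbase.dll" not in trace and "kernel32.dll" not in trace:
        return "lsass read access, probable direct syscall"
    return "lsass read access"

def sample(src, access, trace):
    """Build a constructed Sysmon Event ID 10 record (test data, not real telemetry)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>10</EventID></System><EventData>'
            f'<Data Name="SourceImage">{src}</Data>'
            f'<Data Name="TargetImage">C:\\Windows\\system32\\lsass.exe</Data>'
            f'<Data Name="GrantedAccess">{access}</Data>'
            f'<Data Name="CallTrace">{trace}</Data></EventData></Event>')

SAMPLE_EVENTS = [  # constructed: a user-mode dumper, a direct-syscall dumper, AV, and a benign query
    sample(r"C:\Tools\procdump64.exe", "0x1FFFFF",
           r"C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\KERNELBASE.dll+2ee9e"),
    sample(r"C:\Tools\Outflank-Dumpert.exe", "0x1FFFFF", r"C:\Tools\Outflank-Dumpert.exe+1a2b"),
    sample(r"C:\Program Files\Windows Defender\MsMpEng.exe", "0x1FFFFF", "UNKNOWN"),
    sample(r"C:\Windows\System32\svchost.exe", "0x1000", r"C:\Windows\System32\KERNELBASE.dll+2ee9e"),
]

def scan(events):
    """Return (SourceImage, reason) for every event that classify() flags."""
    parsed = [parse_event(e) for e in events]
    return [(ev["SourceImage"], classify(ev)) for ev in parsed if classify(ev)]
```

Running scan(SAMPLE_EVENTS) flags the two dumpers and stays quiet on the allow-listed AV engine and on the handle that only has PROCESS_QUERY_LIMITED_INFORMATION.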

Also, I saw this technique recently from @kondencuotas, but I wasn't able to get it to work. I'm sure I'm doing something wrong. It may be worth a look as well.

Dumping LSASS without Mimikatz == Reduced Chances of Getting Flagged by AVs (ired.team)

Now a quick write-up of how to get the hashes out with Mimikatz. I copy a few dump files to my Mimikatz directory (I have AV turned off while I run Mimikatz). Here are the commands I'm running, and I can see the hashes in the image.

mimikatz # sekurlsa::minidump DUMPFILENAME
mimikatz # sekurlsa::LogonPasswords

I'll copy the NTLM hash and put it in a file for cracking on my Kali box.

Here is a sample of some hashes I'm going to crack.

Next I run Hashcat with NTLM selected as the hash type for cracking.

When it finishes it will provide some feedback. I put the passwords in my rockyou.txt password dictionary file so this works, and here is the output of cracked.txt with the passwords to the right of the hashes.

I hope you learned at least one new way of dumping LSASS. Feel free to follow me on Twitter _@markmo_ (yes with the underscores). Cheers!