Closed kildonan5 closed 4 years ago
Regarding dumping creds, I'm guessing there is some way to do it by using procdump on lsass, but its unclear to me what to do with the dump file. I try loading it within mimikatz, but am getting this error when i attempt to load it as a minidump "ERROR kuhl_m_sekurlsa_acquireLSA ; Key import" so I'm guessing thats not how im supposed to read it?
Thanks for the feedback @kildonan5 ! Please keep in mind Sliver is in alpha right now and a few of these are planned features, but we develop this in our spare time so I can't commit to dates :)
Currently there is no distinction between the two, because we actually do spawn a new session each time you run elevate. It's on our roadmap to eventually stop doing this but in the short-term it was just a lot easier to spawn a new session each time.
& 3. These seem like a bugs @rkervella
Yes! We're planning on having more integration with mimikatz and other toolsets like SharpSploit and Bloodhound but we've not had time to write the code yet.
Yes this is a current limitation of our shell binding shenanigans and will take some effort to correct but it's a known issue (if you have ideas on how to fix please let me know!) --we're working on general improvements to the console experience too outside of shell
.
Logs should be generated as outlined here. The GUI is in a separate gui
branch but not currently usable, still in active development, but we're open to contributions.
Thanks for the quick feedback. Re the 3rd item (lsass dump), do you know if its possible to extract creds from lsass using the procdump feature? I tried with mimikatz but it doesnt seem to recognize the dump file (or at least, i couldnt get it to parse it).
@kildonan5 thanks for the feedback, as @moloch-- said, we're aware of most of these issues and there's currently open issues for some of these.
Elevate might go away in a future release. This command started as a PoC to see how convenient it was, but it turns out it's a lot of troubles to maintain: Microsoft silently patches UAC bypasses every now and then, so keeping up to date to every windows update would be a PITA (as @moloch-- said, we mainly maintain this on our spare time). However, once we'll find a way to sideload arbitrary code as modules, we might think bringing that back.
Sounds like a bug to me, could you provide an explicit test case so I can work on it?
You should be able to use the output of procdump
as input to mimikatz. If that fails, there may have been a change in the MiniDump format, that may require a more recent version of mimikatz. I just tested this on Windows 10 build 18362 (as a target) and the latest mimikatz version and it works properly.
As a side note, in the future, if you find an issue that is not referenced on GitHub, could you please create a new issue for each? That helps keep track of things, and also helps to assign issues to either @moloch-- or myself.
Re 3. Windows 10 v1809 build 17763
Re 4. I was able to get a procdump to work. I was migrating to lsass to do the dump, to bypass some endpoint protections. Im guessing that messes up memory such that mimikatz cant get a handle or something of the like.
~Alright, looks like getsystem
is broken. The current way it's working is by enabling SE_DEBUG
(which was available but disabled in the past on Windows 10 for the sliver process), and then inject into a SYSTEM
process (spoolsv.exe
by default).
From what I just observed, it looks like we don't have the SE_DEBUG
priv on the elevated sliver process anymore.
I'll need to run more tests to be sure of that, but that's definitely an issue and I'm looking into it.~
Edit: I just re-read your comment, and the command behaves as expected: you need to be in an elevated context to run getsystem
. Otherwise, you won't have the required privileges to enable the SE_DEBUG
privilege required for the command to work.
When running a sliver binary as an elevated process, the getsystem
command will properly spawn a new session running as NT AUTHORITY\SYSTEM
.
Since this is working as expected, I'm closing this one. Feel free to reopen if there's a bug.
@rkervella Dumb question then. If I need to be in an elevated context to run getsystem, that means if I have a session as an administrator, in a non elevated context, in order to 'getsystem' I need to first run the "elevate" command (which currently doesnt work, and may be going away soon anyways) to then be able to run getsystem? I'm pretty sure when and if i run getsystem in a non elevated context in meterpreter, I get system, so are they doing something differently, or am i making stuff up?
That's basically it: you need to be running in a High Integrity level process for sliver's getsystem
to work. Meterpreter getsystem
command (without args) attempts 3 different things to retrieve a SYSTEM
token:
Sliver's getsystem
implementation differs in that we:
SE_DEBUG
privilege on the current process (if it's present and disabled)SYSTEM
owned process (spoolsv.exe
by default)I wrote it that way because I didn't managed to get the named pipe impersonation to work (due to some edge cases regarding native threads).
In any case, the prerequisites are the same as meterpreter's getsystem
, as illustrated below:
meterpreter > getsystem -h
Usage: getsystem [options]
Attempt to elevate your privilege to that of local system.
OPTIONS:
-h Help Banner.
-t <opt> The technique to use. (Default to '0').
0 : All techniques available
1 : Named Pipe Impersonation (In Memory/Admin)
2 : Named Pipe Impersonation (Dropper/Admin)
3 : Token Duplication (In Memory/Admin)
meterpreter > getsystem -t 1
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
meterpreter > getsystem -t 3
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Token Duplication (In Memory/Admin)
The above session is ran with a user in the local administrator group, but not from a high integrity process (just double clicked on the executable).
TL;DR: you need to be in an elevated context for this to work the way you want it to. I hope this will help make things clearer.
Is your feature request related to a problem? Please describe. Hello, I have a few points after taking sliver for a test run