RePRGM / Nimperiments

Various one-off pentesting projects written in Nim. Updates happen on a whim.

Can't get secrets from evil lsass twin dumps #2

Open yellephen opened 8 months ago

yellephen commented 8 months ago

Dumped the lsass of a Windows Server 2016 which had PPL enabled. The dump was created successfully and transferred to the EvilTwinServer. However, neither mimikatz nor pypykatz could extract the secrets from the .dmp file. Both threw errors: a lot of Python errors for pypykatz, and mimikatz gave "ERROR kuhl_m_sekurlsa_acquireLSA ; Modules informations".

RePRGM commented 8 months ago

Mind providing a bit more information?

My initial guess is that the dump file was corrupted during transport. If it is less than roughly 40 or 50 MB, this is probably the case. Also, check the file signature. If it doesn't say Microsoft minidump or something similar, this is another indication the file is corrupted.

yellephen commented 8 months ago

pypykatz does pull out some information from the file so parts of the file must be ok.

INFO:pypykatz:Parsing file eviltwin.bin
INFO:pypykatz:===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE =====
INFO:pypykatz:pypyKatz version: 0.6.9
INFO:pypykatz:CPU arch: X64
INFO:pypykatz:OS: Windows Server 2016 Technical Preview
INFO:pypykatz:BuildNumber: 17763
INFO:pypykatz:MajorVersion: 6
INFO:pypykatz:MSV timestamp: 0
INFO:pypykatz:===== BASIC INFO END =====
ERROR:pypykatz:Error while parsing file eviltwin.bin

RePRGM commented 8 months ago

Having trouble reproducing the issue, although I've come to the conclusion Mimikatz and Pypykatz are simply having trouble with the ModuleList Stream. Whether that be due to not being able to find the Stream in the first place or due to not finding lsasrv.dll or some other module within it, I do not know.

Not sure what your function to save locally looks like, but you can keep the temporary dump file on-disk by commenting out (or outright removing) this block (lines 254 to 259) in EvilLsassTwin.nim:

# FileInformationClass 13 is FileDispositionInformation: with fileDI requesting
# deletion, the temporary dump file is removed as soon as its handle is closed.
status = NtSetInformationFile(outFile, addr IoStatusBlock, addr fileDI, cast[ULONG](sizeof(fileDI)), 13)

if NT_SUCCESS(status) == false:
    echo "[-] NtSetInformationFile Failed! Error: ", toHex($status)
    quit(1)

If twin.txt is still unable to be parsed, something very strange is occurring.