skelsec / pypykatz

Mimikatz implementation in pure Python
MIT License

[Feature-request] Credential guard bypass #68

Closed 1mm0rt41PC closed 2 years ago

1mm0rt41PC commented 3 years ago

Hello!

There are cases where it is not possible to dump passwords because "Credential Guard" is enabled. Since August 2020, there has been a method to "bypass" Credential Guard (see https://teamhydra.blog/2020/08/25/bypassing-credential-guard/).

It would be useful to be able to dynamically patch lsass via pypykatz. The code allowing the bypass does not seem too complex: https://gist.github.com/N4kedTurtle/8238f64d18932c7184faa2d0af2f1240. Moreover, in the case where RunAsPPL is activated, the operation of this bypass becomes complicated. However, with the addition of `--method handledup` it will be possible to bypass RunAsPPL and thus patch lsass.

Best regards

skelsec commented 3 years ago

Hello, thank you for reaching out. I read this article when it came out and while I find it an interesting attack vector I don't really see a reason why this should be implemented in pypykatz. My concerns are as follows:

  1. I consider this technique as kind of a backdoor (as you'd need to get users to re-authenticate in order to get the secrets), which is not really in line with the pypykatz project's main goal of dumping/parsing lsass.
  2. I don't see a reason to implement this attack in Python; pypykatz will be able to parse the secrets once the attack is performed via other means. (If it doesn't work out of the box right now then let me know and I can make some changes to the code.)
  3. The PoC code you supplied uses fixed address offsets to read and modify the necessary variables. This is not really good because pypykatz aims to be compatible with as many systems as possible, so for each version of wdigest.dll I'd need to get the offsets. (But if someone has a better approach that makes the offset finding universal, please feel free to let me know.) This is a lot of work and I don't see benefits for that.

I'll leave this issue open for discussion for a few weeks or so.

skelsec commented 2 years ago

No takers so far, so I'm closing this issue.