Nimperiments

Can't get secrets from evil lsass twin dumps

Open sufnlower opened this issue 2 years ago • 4 comments

Dumped the lsass of a Windows Server 2016 which had PPL enabled. The dump was created successfully and transferred to the EvilTwinServer. However, neither mimikatz nor pypykatz could extract the secrets from the .dmp file. Both threw errors. A lot of python errors for pypykatz, and mimikatz gave "ERROR kuhl_m_sekurlsa_acquireLSA ; Modules informations".

sufnlower avatar Nov 06 '23 22:11 sufnlower

Mind providing a bit more information?

  • Which AV/EDR is running?
  • Is Credential Guard enabled?
  • Mimikatz version
  • Size of dump file
  • SMB or Raw socket exfil? (You mentioned EvilTwinServer so I assume raw sockets but asking just in case)

My initial guess is that the dump file was corrupted during transport. If it is less than roughly 40 or 50MB, this is probably the case. Also, check the file signature. If it doesn't say microsoft minidump or something similar, this is another indication the file is corrupted.

RePRGM avatar Nov 07 '23 04:11 RePRGM

  • Which AV/EDR is running? Defender. It's an older version with signature version 1.317.1731.0 installed.
  • Is Credential Guard enabled? No
  • Mimikatz version 2.2.0
  • Size of dump file 46024KB
  • SMB or Raw socket exfil? (You mentioned EvilTwinServer so I assume raw sockets but asking just in case) I attempted it with the Raw socket exfil. SMB was not functional on the lab I was testing on. I added an exfil function to save the file locally and downloaded with meterpreter, same result as with Raw socket exfil.

sufnlower avatar Nov 07 '23 20:11 sufnlower

pypykatz does pull out some information from the file so parts of the file must be ok.

INFO:pypykatz:Parsing file eviltwin.bin
INFO:pypykatz:===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE =====
INFO:pypykatz:pypyKatz version: 0.6.9
INFO:pypykatz:CPU arch: X64
INFO:pypykatz:OS: Windows Server 2016 Technical Preview
INFO:pypykatz:BuildNumber: 17763
INFO:pypykatz:MajorVersion: 6
INFO:pypykatz:MSV timestamp: 0
INFO:pypykatz:===== BASIC INFO END =====
ERROR:pypykatz:Error while parsing file eviltwin.bin

sufnlower avatar Nov 07 '23 20:11 sufnlower

Having trouble reproducing the issue, although I've come to the conclusion Mimikatz and Pypykatz are simply having trouble with the ModuleList Stream. Whether that be due to not being able to find the Stream in the first place or due to not finding lsasrv.dll or some other module within it, I do not know.

Not sure what your function to save locally looks like, but you can keep the temporary dump file on-disk by commenting out (or outright removing) this block (lines 254 to 259) in EvilLsassTwin.nim:

# FileDispositionInformation (class 13): marks the temporary dump for deletion when the handle closes
status = NtSetInformationFile(outFile, addr IoStatusBlock, addr fileDI, cast[ULONG](sizeof(fileDI)), 13)

if NT_SUCCESS(status) == false:
    echo "[-] NtSetInformationFile Failed! Error: ", toHex($status)
    quit(1)

If twin.txt is still unable to be parsed, something very strange is occurring.

RePRGM avatar Nov 08 '23 15:11 RePRGM
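The two checks the thread keeps returning to (does the file carry the minidump signature, and is the ModuleList stream intact) can be run from the incident-response side too, when a responder needs to tell whether a .dmp recovered from a host is a complete minidump and whether its module list points at an lsass.exe process. The following is an added example, not code from the Nimperiments project or from this issue; it follows Microsoft's published MINIDUMP_HEADER, MINIDUMP_DIRECTORY, MINIDUMP_MODULE and MINIDUMP_STRING layouts, and the sample dump it parses is constructed inline rather than taken from a real system.

```python
import struct

MDMP_SIGNATURE = 0x504D444D  # "MDMP" read as a little-endian uint32
MODULE_LIST_STREAM = 4       # MINIDUMP_STREAM_TYPE.ModuleListStream
MODULE_ENTRY_SIZE = 108      # sizeof(MINIDUMP_MODULE)

def triage_minidump(data: bytes) -> dict:
    """Check the header, every stream's bounds and the module names; memory ranges are never read."""
    report = {"valid_signature": False, "streams": [], "truncated": [], "modules": []}
    if len(data) < 32 or struct.unpack_from("<I", data, 0)[0] != MDMP_SIGNATURE:
        return report
    report["valid_signature"] = True
    _sig, _version, nstreams, dir_rva = struct.unpack_from("<IIII", data, 0)
    for i in range(nstreams):  # MINIDUMP_DIRECTORY: 12-byte entries (StreamType, DataSize, Rva)
        off = dir_rva + 12 * i
        if off + 12 > len(data):
            report["truncated"].append(("directory", i))
            break
        stype, size, rva = struct.unpack_from("<III", data, off)
        report["streams"].append(stype)
        if rva + size > len(data):  # stream body runs past EOF: the dump was cut short
            report["truncated"].append((stype, rva + size - len(data)))
        elif stype == MODULE_LIST_STREAM:
            report["modules"] = _module_names(data, rva, size)
    return report

def _module_names(data: bytes, rva: int, size: int) -> list:
    (count,) = struct.unpack_from("<I", data, rva)
    if 4 + count * MODULE_ENTRY_SIZE > size:  # more entries claimed than the stream holds
        return []
    names = []
    for i in range(count):  # MINIDUMP_MODULE.ModuleNameRva sits at offset 20 of each entry
        (name_rva,) = struct.unpack_from("<I", data, rva + 4 + i * MODULE_ENTRY_SIZE + 20)
        if name_rva + 4 > len(data):
            break
        (length,) = struct.unpack_from("<I", data, name_rva)  # MINIDUMP_STRING: byte length, UTF-16LE
        names.append(data[name_rva + 4:name_rva + 4 + length].decode("utf-16-le", "replace"))
    return names

def build_sample(module_paths) -> bytes:
    """Constructed minimal minidump: header, one directory entry, module list, then the name strings."""
    strings_rva, strings, entries = 48 + MODULE_ENTRY_SIZE * len(module_paths), b"", b""
    for i, path in enumerate(module_paths):
        name = path.encode("utf-16-le")
        entries += struct.pack("<QIIII", 0x7FF800000000 + i * 0x100000, 0x1000, 0, 0,
                               strings_rva + len(strings)) + bytes(84)  # pad to 108 bytes
        strings += struct.pack("<I", len(name)) + name + b"\x00\x00"
    header = struct.pack("<IIIIIIQ", MDMP_SIGNATURE, 0xA793, 1, 32, 0, 0, 0)  # 1 stream, dir at 32
    directory = struct.pack("<III", MODULE_LIST_STREAM, 4 + len(entries), 44)
    return header + directory + struct.pack("<I", len(module_paths)) + entries + strings
```

A dump cut off in transit shows up as a stream whose Rva plus DataSize runs past the end of the file, which is the same symptom the thread attributes to a broken exfil; a module list containing lsasrv.dll is a strong indicator that the dump came from lsass.exe.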