
[Thought share] Local client in an all-in-one package for a one-shot lsass dump

Open Hackndo opened this issue 3 years ago • 1 comment

Hello there,

First of all, I want to thank you for this awesome tool. I love the idea, and it works 90% of the time, a lifesaver. Great research.

And because it is awesome, I was thinking about a way to dump lsass locally using this tool. Since the physical memory is exposed as a file over TCP, I guess it wouldn't be that difficult to have a client in C# that would connect locally to the server and dump lsass onto the target disk.

This way, there would be a single tool that would:

  1. expose RAM on 127.0.0.1:<port>
  2. connect to that local port and dump lsass directly on the host

Do you think it is possible (theoretically) or am I missing something?

I'm not asking you to actually develop this; it's more of a thought-sharing process: is it possible, is there something I forgot, what do you think about it, ...

Again, thank you!

Hackndo, Feb 02 '21 11:02

Thanks for the kind words! What you are proposing sounds technically feasible. However, that would require running Rekall (or some other memory analysis framework) on the target. The goal has been to keep the code running on the target as small and simple as possible and to implement most of the logic on the server. This has the benefit that there is less forensic data for figuring out what exactly happened on the target system (especially once Physmem2profit gets more features). Parsing the physical memory without Rekall or similar, on the other hand, might be challenging to implement so that it continues to work across different OS versions. This is the reason why Rekall was chosen - so that there is an entire community who is motivated to ensure that parsing the physical memory also works on the latest versions of Windows :).

One thing that would be easy to implement is to transfer the minidump from the server to the target system, but I have a feeling it does not meet your use case? :) It would also negatively impact OPSEC.

I really like your idea of a thought-sharing process around this. Feel free to email or DM me and maybe we can discuss this more on Teams :). I would be interested in understanding your use case in more detail!

timhir, Feb 02 '21 14:02