NanoDump
Dumping LSASS has never been so stealthy
Features
#dump #lsass #syswhispers
Dumping LSASS has never been so stealthy
Features
• It uses syscalls (with SysWhispers2) for most operationshttps://github.com/helpsystems/nanodump
• You can choose to download the dump without touching disk or write it to a file
• The minidump by default has an invalid signature to avoid detection
• It reduces the size of the dump by ignoring irrelevant DLLs. The (nano)dump tends to be arround 10 MB in size
• You don't need to provide the PID of LSASS
• No calls to dbghelp or any other library are made, all the dump logic is implemented in nanodump
• You can use the .exe version to run nanodump outside of Cobalt Strike
#dump #lsass #syswhispers
This media is not supported in your browser
VIEW IN TELEGRAM
DumpNParse
DumpNParse is a tool that will automatically dump LSASS and parse the results.
https://github.com/icyguider/DumpNParse
#lsass #dump #parse
DumpNParse is a tool that will automatically dump LSASS and parse the results.
https://github.com/icyguider/DumpNParse
#lsass #dump #parse
Abusing Leaked Handles to Dump LSASS Memory
# https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-2.html
# https://github.com/antonioCoco/MalSeclogon
#seclogon #lsass #dump #redteam
# https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-2.html
# https://github.com/antonioCoco/MalSeclogon
#seclogon #lsass #dump #redteam
Extracting passwords from hiberfil.sys
When in password hunting mode and having access to the filesystem of the target, most people would reach out to SAM and/or extracting cached credentials. People often overlooked is hiberfil.sys and/or virtual machine snapshots or memory dumps, as they usually contain passwords in plain text.
https://diverto.github.io/2019/11/05/Extracting-Passwords-from-hiberfil-and-memdumps
#hiberfil #dump #password
When in password hunting mode and having access to the filesystem of the target, most people would reach out to SAM and/or extracting cached credentials. People often overlooked is hiberfil.sys and/or virtual machine snapshots or memory dumps, as they usually contain passwords in plain text.
https://diverto.github.io/2019/11/05/Extracting-Passwords-from-hiberfil-and-memdumps
#hiberfil #dump #password
EDRSandBlast
EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
https://github.com/wavestone-cdt/EDRSandblast
#lsass #dump #etw #redteam
EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
https://github.com/wavestone-cdt/EDRSandblast
#lsass #dump #etw #redteam
GitHub
GitHub - wavestone-cdt/EDRSandblast
Contribute to wavestone-cdt/EDRSandblast development by creating an account on GitHub.
Cobalt-Clip
Cobalt-clip is clipboard addons for Cobalt Strike to interact with clipboard. With this you can dump, edit and monitor the content of clipboard.
https://github.com/DallasFR/Cobalt-Clip
#cobaltstrike #clipboard #dump
Cobalt-clip is clipboard addons for Cobalt Strike to interact with clipboard. With this you can dump, edit and monitor the content of clipboard.
https://github.com/DallasFR/Cobalt-Clip
#cobaltstrike #clipboard #dump
This media is not supported in your browser
VIEW IN TELEGRAM
LFIDump
A simple python script to dump remote files through a local file read or local file inclusion web vulnerability.
https://github.com/p0dalirius/LFIDump
#lfi #dump #tools #bugbounty
A simple python script to dump remote files through a local file read or local file inclusion web vulnerability.
https://github.com/p0dalirius/LFIDump
#lfi #dump #tools #bugbounty
❤1
Remotely Dumping Chrome Cookies
The method in this blog post does not require the remote debugger or Keychain (macOS)/DPAPI (Windows) access and applies to Chromium-based browsers in general
https://cedowens.medium.com/remotely-dumping-chrome-cookies-revisited-b25343257209
#chrome #cookie #dump #blog
The method in this blog post does not require the remote debugger or Keychain (macOS)/DPAPI (Windows) access and applies to Chromium-based browsers in general
https://cedowens.medium.com/remotely-dumping-chrome-cookies-revisited-b25343257209
#chrome #cookie #dump #blog
Medium
Remotely Dumping Chrome Cookies…Revisited
TL;DR Security researcher Ron Masas (twitter: @RonMasas) recently wrote a tool (chrome-bandit) that extracts saved password from…
🔐 Dumping LSASS with AV
Sometimes Antivirus is attackers' best friend. Here is how you can use Avast AV to dump lsass memory
Commands:
There's also Metasploit post exploitation module for this under
You can also download AvDump.exe from this link.
VirusTotal Details:
https://www.virustotal.com/gui/file/52a57aca1d96aee6456d484a2e8459681f6a7a159dc31f62b38942884464f57b/details
#ad #evasion #lsass #dump #avast #redteam
Sometimes Antivirus is attackers' best friend. Here is how you can use Avast AV to dump lsass memory
Commands:
.\AvDump.exe --pid 704 --exception_ptr 0 --thread_id 0 --dump_level 1 --dump_file lsass.dmp
To bypass Microsoft Defender, remember to rename the AvDump.exe file. Also, don't use the name lsass.dmp (see screenshot).There's also Metasploit post exploitation module for this under
post/windows/gather/avast_memory_dump
AvDump.exe is located at C:\Program Files\Avast Software\Avast. You can also download AvDump.exe from this link.
VirusTotal Details:
https://www.virustotal.com/gui/file/52a57aca1d96aee6456d484a2e8459681f6a7a159dc31f62b38942884464f57b/details
#ad #evasion #lsass #dump #avast #redteam
🔥4👍1👎1
This media is not supported in your browser
VIEW IN TELEGRAM
🔑 Extracting Credentials from Chrome Memory
An excellent study on how Chrome's memory works and how to extract credentials, cookies, etc. in а low privileges plain text format.
https://www.cyberark.com/resources/threat-research-blog/extracting-clear-text-credentials-directly-from-chromium-s-memory
#chrome #memory #dump #creds
An excellent study on how Chrome's memory works and how to extract credentials, cookies, etc. in а low privileges plain text format.
https://www.cyberark.com/resources/threat-research-blog/extracting-clear-text-credentials-directly-from-chromium-s-memory
#chrome #memory #dump #creds
👍10🔥5
😈 POSTDump
This is the C# / .NET implementation of the ReactOS minidump function (like nanodump), thus avoiding call to the Windows API MiniDumpWriteDump function.
🚀 Key Features:
— Usage of indirect syscall along with halo's gate technic to retrieve syscalls IDs
— No memory Allocation/Protection call is performed for indirect syscall, instead, free RWX codecave found in the current process are used
— ETW patching
— No call to MiniDumpWriteDump
🌐 Source:
https://github.com/YOLOP0wn/POSTDump
#windows #lsass #dump #syscall #reactos
This is the C# / .NET implementation of the ReactOS minidump function (like nanodump), thus avoiding call to the Windows API MiniDumpWriteDump function.
🚀 Key Features:
— Usage of indirect syscall along with halo's gate technic to retrieve syscalls IDs
— No memory Allocation/Protection call is performed for indirect syscall, instead, free RWX codecave found in the current process are used
— ETW patching
— No call to MiniDumpWriteDump
🌐 Source:
https://github.com/YOLOP0wn/POSTDump
#windows #lsass #dump #syscall #reactos
🔥7👍2
Forwarded from Ralf Hacker Channel (Ralf Hacker)
Ой, красота))) Получить данные из LSA без дампа LSASS.
Tool: https://github.com/EvanMcBroom/lsa-whisperer
Blog: https://posts.specterops.io/lsa-whisperer-20874277ea3b
#redteam #pentest #creds #dump
Tool: https://github.com/EvanMcBroom/lsa-whisperer
Blog: https://posts.specterops.io/lsa-whisperer-20874277ea3b
#redteam #pentest #creds #dump
GitHub
GitHub - EvanMcBroom/lsa-whisperer: Tools for interacting with authentication packages using their individual message protocols
Tools for interacting with authentication packages using their individual message protocols - EvanMcBroom/lsa-whisperer
👍14🔥2
🔑 Dumping LSA: a story about task decorrelation
Discover the art of bypassing EDRs by decorrelating attack tool behavior. This post explains the process of remote LSA secrets dumping and reveals techniques to retrieve a Windows computer's BOOTKEY without EDR detection.
🔗 Source:
https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/
#lsa #sam #dump #edr #bypass
Discover the art of bypassing EDRs by decorrelating attack tool behavior. This post explains the process of remote LSA secrets dumping and reveals techniques to retrieve a Windows computer's BOOTKEY without EDR detection.
🔗 Source:
https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/
#lsa #sam #dump #edr #bypass
👍12❤2
🔑 PanGPA Extractor
Tool to extract username and password of current user from PanGPA in plaintext under Windows. Palo Alto Networks GlobalProtect client queries the GlobalProtect Service for your username and password everytime you log on or refresh the connection.
🔗 Research:
https://shells.systems/extracting-plaintext-credentials-from-palo-alto-global-protect/
🔗 Source:
https://github.com/t3hbb/PanGP_Extractor
#paloalto #globalprotect #credentials #dump
Tool to extract username and password of current user from PanGPA in plaintext under Windows. Palo Alto Networks GlobalProtect client queries the GlobalProtect Service for your username and password everytime you log on or refresh the connection.
🔗 Research:
https://shells.systems/extracting-plaintext-credentials-from-palo-alto-global-protect/
🔗 Source:
https://github.com/t3hbb/PanGP_Extractor
#paloalto #globalprotect #credentials #dump
🔥6👍4❤🔥3🤔1