minidump lsa seems to just lock up pypykatz #101

Closed
ghost opened this issue Apr 25, 2022 · 3 comments

ghost commented Apr 25, 2022

When I run pypykatz lsa minidump <minidump file> (from nanodump, sig restored), pypykatz seems to not return output. From what I can tell, it just locks up the console with no output. It's been 3 days that I've let the app run on this minidump file, and it returns no output and doesn't appear to crash. Any thoughts?

Thus far I have tried upgrading from the old pypykatz to the new version. GitHub install, pip3 install, and all install methods on a fresh Ubuntu machine.

@physics-sec

I have seen similar behavior lately. You could try to use an older version of pypykatz and see if there is any difference, and also try to dump lsass with Process Hacker or some tool that lets Windows create the dump, to make sure this is not an issue with nanodump.

Owner

skelsec commented Apr 25, 2022

Thank you for the issue. I added some modifications and new templates to pypykatz in the latest update; however, the worst they can do is crash. I've not experienced an infinite-loop behavior before. I've re-tested the code on my test-dump collection and everything is in order, so I see the following possibilities:

  • It is in fact a bug introduced in the new version. In this case I'd need a dump file that can reproduce this issue.
  • It is a problem in nanodump (maybe it needs some changes to work with the new pypykatz version?)

I'll keep this issue open and encourage anyone to please please please send an offending dumpfile so I can fix this.

Author

ghost commented Apr 26, 2022

pypykatz -vvv lsa minidump shows me that it's getting hung in lsa_decryptor_nt6.py, method find_signature(self), around line 42. I think I never hit the if statement at line 44. I also never hit the line 28 print statement. Maybe the issue is finding lsasrv.dll? I don't know yet for sure. I do get the expected errors before running restore_signature.sh from nanodump. After running the shell script on it, it seems to work and I get the hang issue.

Running mimidump --all <dump file> shows the DLL in the modules list.

After running mimikatz with the commands from the nanodump repo, the error kuhl_m_sekurlsa_acquireLSA ; Memory opening comes back, indicating issues with the nanodump dump file.

The nanodump commands used were beacon system shell on box nanodump --write C:\Temp\lsass.dmp && nanodump.
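
Added example, not code from pypykatz, nanodump or anyone in this thread: a structural check of a minidump file's header and stream directory (signature, version, stream bounds, presence of module and memory list streams), useful for deciding whether a file is malformed before giving it to a parser. The function names and the input produced by build_sample are constructed for illustration; the layout follows the documented MINIDUMP_HEADER and MINIDUMP_DIRECTORY structures.

```python
import struct

MDMP_SIGNATURE = b"MDMP"              # MINIDUMP_HEADER.Signature
MDMP_VERSION = 0xA793                 # low 16 bits of MINIDUMP_HEADER.Version
HEADER = struct.Struct("<4sIIIIIQ")   # 32-byte MINIDUMP_HEADER
DIRENT = struct.Struct("<III")        # MINIDUMP_DIRECTORY: type, size, rva
MODULE_LIST, MEMORY_LIST, MEMORY64_LIST = 4, 5, 9   # MINIDUMP_STREAM_TYPE values


def check_minidump(data: bytes) -> list:
    """Return a list of structural problems; an empty list means the layout is sane."""
    problems = []
    if len(data) < HEADER.size:
        return ["file shorter than MINIDUMP_HEADER"]
    sig, version, nstreams, dir_rva, _cksum, _ts, _flags = HEADER.unpack_from(data)
    if sig != MDMP_SIGNATURE:
        problems.append(f"bad signature {sig!r}")
    if version & 0xFFFF != MDMP_VERSION:
        problems.append(f"unexpected version 0x{version & 0xFFFF:04x}")
    if dir_rva + nstreams * DIRENT.size > len(data):
        return problems + ["stream directory extends past end of file"]
    seen = set()
    for i in range(nstreams):
        stype, size, rva = DIRENT.unpack_from(data, dir_rva + i * DIRENT.size)
        seen.add(stype)
        if rva + size > len(data):
            problems.append(f"stream type {stype} extends past end of file")
    if MODULE_LIST not in seen:
        problems.append("no ModuleListStream")
    if not seen & {MEMORY_LIST, MEMORY64_LIST}:
        problems.append("no memory list stream")
    return problems


def build_sample(streams, signature=b"MDMP"):
    """Constructed test input: header + directory + zero-filled stream bodies."""
    dir_rva = HEADER.size
    body_rva = dir_rva + len(streams) * DIRENT.size
    directory, body = b"", b""
    for stype, size in streams:
        directory += DIRENT.pack(stype, size, body_rva + len(body))
        body += b"\x00" * size
    header = HEADER.pack(signature, MDMP_VERSION, len(streams), dir_rva, 0, 0, 0)
    return header + directory + body
```

On a real file, call check_minidump(open(path, "rb").read()); any returned problem means the file should be treated as malformed rather than left running in a parser.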

This issue was closed.