
Daniel Cornett - LSA-Reaper: A Remote LSASS Extraction Tool

BSides Augusta · 21:55 · 220 views · Published 2023-10 · Watch on YouTube ↗
About this talk
LSA-Reaper is a command line tool for remotely dumping the LSASS process over Impacket's wmiexec, smbexec, or atexec. It first ping-sweeps the supplied IP addresses or IP ranges so that only live hosts are targeted and the run is not stalled by timeouts. It then creates an SMB share on the attacker machine with a randomly generated username and password; the share hosts the payloads, so they are never written to disk on the Windows hosts, and it also serves as the exfiltration point for the LSASS dump. Through wmiexec, smbexec, or atexec, LSA-Reaper runs net use on each target to mount that share as a network drive, then executes the selected payload: an MSBuild inline task, a regsvr32-loaded DLL, a DLL sideloaded by calc.exe, or a plain EXE. The payload opens a file handle on the mounted share and writes the LSASS dump directly to it, so Windows antimalware that would delete or interfere with a dump file on local disk never sees the file. Finally, an optional RunAsPPL bypass uses the signed driver bundled with MSI Afterburner to elevate the payload's own process to PPL with the LSA signer, so the payload can read LSASS memory without changing the protection level of the LSASS process itself.
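The abstract above says the dump goes to the share because antimalware would delete an LSASS dump written to local disk. The file in question is a standard Windows minidump, and its fixed header and stream layout are part of why it is easy to recognize wherever it lands. The following is an added example, not code from LSA-Reaper or from the talk, that builds a minimal but well-formed minidump in memory (constructed test data, not a real LSASS dump) and parses its header, stream directory and module list the way a scanner or a credential parser would. The looks_like_lsass_dump heuristic (flag any minidump whose module list contains lsasrv.dll) is this example's own assumption, not any vendor's signature.

```python
import struct

# Constants from minidumpapiset.h.
MDMP_SIGNATURE = 0x504D444D    # the four bytes "MDMP" read as a little-endian ULONG32
MDMP_VERSION = 0xA793          # MINIDUMP_VERSION, low 16 bits of the header's Version field
MODULE_LIST_STREAM = 4         # ModuleListStream
HEADER_FMT = "<IIIIIIQ"        # MINIDUMP_HEADER: Signature, Version, NumberOfStreams,
                               # StreamDirectoryRva, CheckSum, TimeDateStamp, Flags (32 bytes)
DIR_FMT = "<III"               # MINIDUMP_DIRECTORY: StreamType, DataSize, Rva (12 bytes)
MODULE_FMT = "<QIIII"          # leading fields of MINIDUMP_MODULE: BaseOfImage, SizeOfImage,
                               # CheckSum, TimeDateStamp, ModuleNameRva
MODULE_SIZE = 108              # sizeof(MINIDUMP_MODULE) incl. VersionInfo/CvRecord/MiscRecord


def build_sample_dump(module_paths):
    """Construct a minimal, well-formed minidump containing only a ModuleListStream.

    Constructed test data for the parser below, not a real LSASS dump: no thread,
    memory or system-info streams are emitted.
    """
    header_size = struct.calcsize(HEADER_FMT)
    dir_size = struct.calcsize(DIR_FMT)
    # Layout: header | directory (one entry) | module list | MINIDUMP_STRING names
    modlist_rva = header_size + dir_size
    modlist_size = 4 + MODULE_SIZE * len(module_paths)
    names_rva = modlist_rva + modlist_size

    names = b""
    name_rvas = []
    for path in module_paths:
        encoded = path.encode("utf-16-le")
        name_rvas.append(names_rva + len(names))
        # MINIDUMP_STRING: byte length (excluding terminator), UTF-16LE chars, NUL
        names += struct.pack("<I", len(encoded)) + encoded + b"\x00\x00"

    modules = struct.pack("<I", len(module_paths))
    for i, _ in enumerate(module_paths):
        base = 0x7FF8_0000_0000 + i * 0x10_0000   # arbitrary ascending load addresses
        modules += struct.pack(MODULE_FMT, base, 0x20000, 0, 0, name_rvas[i])
        modules += b"\x00" * (MODULE_SIZE - struct.calcsize(MODULE_FMT))  # zeroed trailer

    header = struct.pack(HEADER_FMT, MDMP_SIGNATURE, MDMP_VERSION, 1, header_size, 0, 0, 0)
    directory = struct.pack(DIR_FMT, MODULE_LIST_STREAM, modlist_size, modlist_rva)
    return header + directory + modules + names


def parse_minidump(blob):
    """Return flags, stream types and module list of a minidump, or raise ValueError."""
    if len(blob) < struct.calcsize(HEADER_FMT):
        raise ValueError("too short to be a minidump")
    sig, version, nstreams, dir_rva, _cksum, _ts, flags = struct.unpack_from(HEADER_FMT, blob, 0)
    if sig != MDMP_SIGNATURE or (version & 0xFFFF) != MDMP_VERSION:
        raise ValueError("not a minidump")
    streams = {}
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIR_FMT, blob, dir_rva + i * struct.calcsize(DIR_FMT))
        streams[stype] = (rva, size)
    modules = []
    if MODULE_LIST_STREAM in streams:
        rva, _ = streams[MODULE_LIST_STREAM]
        (count,) = struct.unpack_from("<I", blob, rva)
        for i in range(count):
            off = rva + 4 + i * MODULE_SIZE
            base, size_of_image, _cs, _t, name_rva = struct.unpack_from(MODULE_FMT, blob, off)
            (name_len,) = struct.unpack_from("<I", blob, name_rva)
            name = blob[name_rva + 4:name_rva + 4 + name_len].decode("utf-16-le")
            modules.append((name, base, size_of_image))
    return {"flags": flags, "streams": sorted(streams), "modules": modules}


def looks_like_lsass_dump(blob):
    """Example heuristic (this example's assumption, not a vendor signature):
    any minidump whose module list contains lsasrv.dll is treated as an LSASS dump."""
    try:
        info = parse_minidump(blob)
    except (ValueError, struct.error):
        return False
    return any(name.lower().endswith("\\lsasrv.dll") for name, _, _ in info["modules"])


if __name__ == "__main__":
    dump = build_sample_dump([r"C:\Windows\System32\lsass.exe", r"C:\Windows\System32\lsasrv.dll"])
    print(parse_minidump(dump))
    print("lsass dump?", looks_like_lsass_dump(dump))
```

Writing the same bytes to a mapped share only moves the file out of the local scanner's view: the header, the stream directory and the module list are unchanged, and a dump taken of a PssCaptureSnapshot clone still carries lsass.exe's module list, so file-level recognition works just as well on the share side. What the clone trick changes is the process-access telemetry on the Windows host, not the artifact.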
Transcript [en]

All right, next up, our next speaker, Daniel Cornett. He's going to be talking on LSA-Reaper, a remote LSASS extraction tool. Let's welcome Daniel. [Applause]

Thank you, thank you for that. So I just want to thank everyone for coming out. Without further ado, I think we've got everyone right at time, so I'm going to go ahead and get started. My name is Daniel Cornett and this is LSA-Reaper, a remote LSASS extraction tool.

So a little bit about me. I'm a recent graduate of the University of North Georgia, went through their cyber program, graduated with a Bachelor of Science in cybersecurity. I've been in the private field for about a year and a half, working at a really awesome consulting firm, Bricko Security. We have a booth right out in the hallway, so if you guys want to come see me after this for any questions, I'll be there the rest of the day. I do enjoy making tools. I pentest a lot of stuff, so I try and automate as much of it as I can, and I have passed the C and my GC.

So what is LSASS? LSASS is Windows' way to make using their operating system easier. It stands for Local Security Authority Subsystem Service and it runs on every single operating system made by Microsoft. It stores your logon credentials, such as Kerberos credentials if you're on a domain, MSV and WDigest. So it is a process, it runs on startup, and it holds those credentials because if you were to try and access, say, a file on your system, Windows needs to make sure that you have permission to open that file, and instead of prompting you for your password every time you open up a folder or a file, it will take those credentials that are stored in the LSASS process and use them instead.

So some problems that I encountered while making this tool: it's pretty complex. Getting memory out of the LSASS process is not a super easy feat. There's a bunch of ways to do it, there's manual ways, there's built-in ways within Windows, but it is a pretty complex problem. Another thing is there's already some tools that do stuff like this, such as lsassy or Mimikatz. These tools have been around a lot longer and they're a lot more well known, so what can I do with LSA-Reaper to make it unique and make it stand out from the competition?

So within making Reaper unique: there's already those tools and I just need to find a way to do something that hasn't already been done. So here's a little bit of an overview of it. It's unique in the way that it uses an SMB share as its payload distribution and exfiltration point. It uses Impacket as its main running point, and for anyone that hasn't checked out Impacket, it's a great collection of tools; it's really good for internal pentests if you're going to be doing that. And it's fully automated: you just give it some arguments and it does everything for you.

So, yeah, you can see that pretty well. These are some of the arguments. Starting off, you can use it with other forms of Impacket, have it parse all the files for you, you can have it automatically validate any credentials that it pulls out that are MSV, and do a lot of stuff. If you're trying to, say, do a test where you want the client to be able to see in their logs a certain string, you can set the share name, the payload name. It's pretty user scalable and user configurable. It has multiple ways of authentication: either through Kerberos, not giving a password, using an NT hash, or using a local account on a host so you don't have to specify it.

And this is what my GitHub page has for it, so you get LSA-Reaper and a few other little Python scripts that I have made for it, mainly smbexec. I took that and I modified it in multiple ways. First off, smbexec modified is pretty much a clone of smbexec except I've added in some of the issue fixes that are on their GitHub page that they just haven't done for some reason. smbexec multi allows you to run one command against multiple hosts, which the normal smbexec doesn't have and I couldn't find it anywhere else. And smbexec shell-less works in the same way as smbexec multi, except it is pointed at one host, to execute a command from just your command line without dropping you into a shell.

So is all this legal? Well, these are all the states where this is legal, and you do need permission, written permission, from anyone if you don't own that system. Please only use this tool on systems you own or have permission to. It's for educational purposes; don't get yourself arrested.

So, scaling the gap. Starting from the bottom, these are ways of dumping LSASS. So within Windows there is a DLL called comsvcs.dll and it is a signed Microsoft Windows binary that has a MiniDump function, but the big issue with this is this is an old technique, everyone knows about it, everything alerts on it, so the actual attack vector for that is pretty limited. Defender itself will actually block this attack and it won't even give you a minidump. However, there's another way: ProcDump. This is a signed binary, it comes with the Sysinternals suite of Microsoft, and it is an EXE that allows you to dump any process's memory to a file. However, it's another old avenue, it's very well known, and it is heavily mitigated. So we come to MiniDumpWriteDump. Now this is a function within Windows' DbgHelp library, and what it does is it takes a process ID and a file handle, and you can put it just straight into a program and it'll run that function and dump that process memory to a file.

So part two of scaling the gap. I did go with this MiniDumpWriteDump function. The one issue that it has is all LSASS dump files have a signature in a way that makes them very easily detectable by Windows Defender or most antiviruses, and it'll usually just get deleted immediately, because it's a file that isn't normally on disk for any legitimate reason. So how can we get around this file detection? So as it turns out, if you mount a network share as a drive within a Windows machine, you can use that as a file handle to write straight to that share, and if it happens to be a Linux machine, that file won't get deleted and Windows Defender won't even see it, because it is on a network share and Defender often doesn't scan those.

So the next issue that we run into is automating this. This tool is designed to be run against up to hundreds if not thousands of hosts without any user interaction, so how can we automate this? Using a Linux share, we can spin that up as an SMB share on our attacker machine and have Windows hosts connect to it using the net use command that's built into Windows.

So as for payload delivery, most enterprises, which is what I use this tool for, have something called application whitelisting, which means you can't just take any old EXE and run it, so we need to find a way to get around this protection. With every version of Windows 10 or newer, I believe, you have what's called MSBuild, and with version 4.0 of .NET comes inline tasks. What an inline task is is a feature of MSBuild that allows you to write out an XML file as a task that includes actual code written in C within it, and it will execute that task in memory without compiling it. So this is a really good avenue for getting around application whitelisting, because MSBuild is a signed Windows binary and it won't get blocked that often. So the same goes for regsvr32. This is a DLL within Microsoft Windows, I believe it comes on almost every version of Windows, and it allows you to install or uninstall certain DLLs of any given argument. So what we can do with this is create a DLL file that exports a function named, I believe it's called, DllRegisterServer, and regsvr32 will then use that exported DLL function as an entry point and execute any code within it. This is normally used within Windows for installing things; however, we can use it as a way of code execution.

Up next we have Windows 7 calculator. So what a lot of people don't know is this version of Windows 7 calculator is vulnerable to DLL sideloading, which is used kind of often; a recent attack from a group called Qakbot was using this a lot and I picked up on it. I threw the Windows 7 calculator app into Ghidra to see what all it's importing for DLLs, and I took that DLL import, made it as a DLL export on a DLL, named it the correct thing, and then I stuck it as a DLL right next to it, so it'll sideload that DLL and execute our dumping code. And lastly we just have a straight-up EXE, so if they aren't using application whitelisting this runs pretty easily; it's just an EXE file that's compiled.

So we have two kinds of payloads now. We have MiniDumpWriteDump, and like I explained earlier, this will dump the LSASS process's memory straight into a file which we can parse for credentials later. This is a slightly known attack, it's picked up a lot, it's not often blocked though, because many legitimate programs use this function for debugging. But another way we can do it is through PssCaptureSnapshot, and what PssCaptureSnapshot does is it takes a screenshot of that memory in whatever state it's in and writes it to another process, and then we can use MiniDumpWriteDump to dump that new process that was created. Since it's not the LSASS process, most EDRs and antiviruses won't flag that as "hey, that's super malicious, that process is getting dumped," because within Windows, processes get dumped to a file quite often for crash logs, debugging, stuff like that.

So here is an example video of the tool running. It is going to take a second to boot up, because this VM network is set up to look like it has internet; it doesn't, so it's just sitting there timing out. But as we run it, I'm giving it a domain, my test domain is acme.local, using the administrator account, and it's going to hit every host that has SMB open within it. It's going to prompt me for the admin's password, create a user, create a network share, and boom, it is already attacking those three hosts and it's already done. So with that, it's going to parse those three files out into a couple of files, and I don't want to validate those credentials because I already know they're going to be valid. So jumping into the directory, it gives us a lot of stuff. So within the dumped MSV text file, it's basically just going to be your MSV credentials: domain, username, and an NT hash, and what an NT hash is, it is a hashed version of a user's password that can be used as an equivalent of the password. Up next we have a greppable output, so this will have everything from your MSV to your Kerberos, your DPAPI keys, and the dumped full text file is just a pretty output; it's pypykatz's default output type. And up next we have dumped hosts, so this is just going to be a list of any hosts that returned a minidump file, which is good for if, say, you're doing this to 800 hosts and your clients want a list of those vulnerable hosts. So that's it for that quick little demonstration.

But up next we have some defenses for this. So by default Windows does give you two really good avenues for protecting against this kind of attack. The first one being RunAsPPL. This is a registry key that you can create within your registry that will put the LSASS process into a protected state. So it stands for Run As Protected Process Light, and there's two kinds: there's protected process and protected process light. In this case the only way you can set it is protected process light, which means only another protected process or another protected process light can access that memory space now, and to get to that kind of level you need kernel-level access, which, even if you have an administrator account, is very tricky to get to. And we also have Windows Credential Guard, so this can be turned on with a group policy, and what that does is it will store any LSASS credentials in a secure container within the Windows hypervisor, so nothing can access it. Once it's in that memory space there's no way to get to it.

So moving on, there are vulnerabilities within RunAsPPL. So there's a few ones that have been seen, some userland exploits; the biggest one is using a vulnerable driver to gain access to the kernel-level memory. And to do this you need to know a little bit about how RunAsPPL works. So like I said, only another protected process light or protected process can access that memory, but it also needs to have the same signer. So within Windows there are multiple signer types: there's Windows, TCB, but the ones that we're really looking at are PsProtectedSignerAntimalware, this is used often by antimalware solutions, and we also have PsProtectedSignerLsa, which is what the LSASS process uses when it is put into that protected state. So if we were to somehow remove that protected process light from the LSASS process, or add it to our tool that's running, we can then access that memory again. And so with that, there are some really good examples. In this case it is using a vulnerable driver from MSI Afterburner, a very commonly seen GPU overclocking tool that's been around for a while, and with that you can access kernel-level memory and set your own process to be a protected process.

So here's a demonstration of that. We're first going to run without that RunAsPPL flag, so it will attempt to dump that memory and we're going to get an "access is denied", because we don't have permission to read that memory even though we're running as administrator. So it's going to time out checking for updates, it's going to ask you for that password again, and it's going to set everything up; it does a fresh setup each time. And boom, immediately: access denied, we don't have access to read that memory. So we can see that there, that is the error that you will see when that process is running in a protected state or you are not running as administrator. So now we can give it a flag called RunAsPPL. It's going to do its update check and sit there for a while, but as this runs, it'll start up that driver, install it, and very easily it can then be used for this attack. So it does give you a warning: hey, you're using kernel-level memory, if something goes super bad this can cause a blue screen. It hasn't happened yet, but it can. So this does take significantly longer, because it has to install that driver, start up another process that will then interact with our process to set its signer type to PsProtectedSignerLsa and make it a protected process light. So once this is done running, we should get a very nice and easy dump file. It takes a little bit because it just runs and runs, and as we can see, the protection PPL LSA was set to our process ID, previous was none, and we get a dump file even though that host is running RunAsPPL.

So up next we have Microsoft breaking things. Microsoft does as Microsoft do: they try to make things more secure and they end up breaking things. So for some reason, between roughly two versions of Defender security intelligence, it turned the MiniDumpWriteDump function accessing LSASS into a denial of service for the File Explorer process. Essentially what it would do is it would cause that process to hang, and for anyone that hasn't dug deep into Windows, File Explorer is used for a lot of things, so if that process stops responding a lot of things stop working. Here's a good example of what that looks like if you were logged in. So with Reaper you don't have to run the three commands that it gives you from the tool itself; you can just have it print those three commands and run them, and as you can see, MSBuild is started and everything just locked up immediately. This is the same payload that it's had for four months, and we're shown in the same ones right before, but everything's locked up. If I try to go to, say, This PC, it's just sitting there hanging, it can't do anything, I can't even see my C drive. This has been fixed, thankfully; I haven't seen it in a while, but this was an issue for a little bit.

So, questions? Yes, sir. [Inaudible question] I started developing this about a year ago. It took a couple of days to get it actually working, or have the core components working, and it's just been adding quality-of-life features ever since. Any other questions? Yes, Matt. [Inaudible question] So with LSA-Reaper, out of the box it'll work, you just have to install some dependencies and there's a setup script for that. The biggest thing is, if you're using this in a pentest you have to have administrator credentials to a machine, and those aren't always the easiest to get, but if you're just using a home lab type scenario it's pretty easy to use. You just need a Linux machine and a Windows machine; it doesn't even have to be on a domain. All right, any other questions? Sir. [Inaudible question] Yeah, so I have used this against three of the big EDRs: SentinelOne, CrowdStrike, Carbon Black. All three of them do detect it; I've seen all three of them stop it, so that is really good. Things like Microsoft Defender for Endpoint sometimes stop it, sometimes they don't, it's a bit hit or miss. Defender itself recently started picking up the wmiexec method, and I found that if you change the share that it uses by default from ADMIN$ to C$ it stops picking it up. So your newer EDRs, yeah, they are pretty good at stopping this, but if your company's just running, say, like Windows Defender stock endpoint protection, you can usually get away with this. All right, anyone else? Sir. [Inaudible question] Yeah, so secretsdump is a tool made by Impacket. It does something similar to what LSA-Reaper does; however, it doesn't go for the LSASS process, it goes for LSA secrets and the SAM hive, which are registry hives within Windows that contain your local users' credentials, and in LSA secrets you can find anything from domain cached credentials to, say, clear-text passwords. You won't ever get a username and an NT hash for a logon session from secretsdump. GetNPUsers stands for get no-pre-authentication users, and that is a tool for checking if an account has Kerberos pre-authentication set, and if you do not require Kerberos pre-authentication, you can request that user's username and an encrypted password, an AS-REP hash, take that offline into hashcat and crack it. So that just interacts with a domain controller rather than individual hosts. Sorry, okay, so any other questions? All right, I'll be here all day if you guys want to stop by our booth and ask me any questions afterwards; I'd be happy to. I do have some prizes to give out for the questions, so I will give those out here in a second, but thank you all for coming out.