DragonCastle: scrape NTLM hashes from LSASS process
DragonCastle
A PoC that combines AutodialDLL lateral movement technique and SSP to scrape NTLM hashes from the LSASS process.
Description
Upload a DLL to the target machine. Then it enables the remote registry to modify the AutodialDLL entry and start/restart the BITS service. Svchosts would load our DLL, set again AutodiaDLL to a default value, and perform an RPC request to force LSASS to load the same DLL as a Security Support Provider. Once the DLL is loaded by LSASS, it would search inside the process memory to extract NTLM hashes and the key/IV.
The DLLMain always returns False so the processes don’t keep it.
Caveats
It only works when RunAsPPL is not enabled. Also, I only added support to decrypt 3DES because I am lazy but should be easy peasy to add code for AES. For the same reason, I only implemented support for the next Windows versions:
| Build | Support |
|---|---|
| Windows 10 version 21H2 | |
| Windows 10 version 21H1 | Implemented |
| Windows 10 version 20H2 | Implemented |
| Windows 10 version 20H1 (2004) | Implemented |
| Windows 10 version 1909 | Implemented |
| Windows 10 version 1903 | Implemented |
| Windows 10 version 1809 | Implemented |
| Windows 10 version 1803 | Implemented |
| Windows 10 version 1709 | Implemented |
| Windows 10 version 1703 | Implemented |
| Windows 10 version 1607 | Implemented |
| Windows 10 version 1511 | |
| Windows 10 version 1507 | |
| Windows 8 | |
| Windows 7 |
The signatures/offsets/structs were taken from Mimikatz. If you want to add a new version just check the sekurlsa functionality on Mimikatz.
Download
git clone https://github.com/mdsecactivebreach/DragonCastle.git
Use
Author: Juan Manuel Fernandez (@TheXC3LL)
