In-memory secrets

Theory

Just as the LSASS process on Windows systems keeps credentials in memory (which is what LSASS dumping exploits), some programs handle credentials in the memory allocated to their processes, which can allow attackers to dump them from there.

Practice

Just like LSASS dumping, this technique requires the attacker to have admin access on the target machine, since it involves dumping and handling volatile memory.
UNIX-like

On UNIX-like systems, tools like mimipenguin (C, Shell, Python), mimipy (Python) and LaZagne (Python) can be used to extract passwords from memory.

    mimipenguin
    laZagne memory

Windows

On Windows systems, tools like LaZagne (Python) and mimikatz (C) can be used to extract passwords from memory, but they focus on LSASS dumping.
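As an added defensive example (not code from this page nor from the mimipenguin or LaZagne projects): the UNIX-like tools above read /proc/<pid>/maps and /proc/<pid>/mem of other processes, so an audit rule on those files surfaces the dumping. The script below parses constructed, simplified auditd-style records and flags successful cross-process reads of those files; it assumes one key=value line per event (real auditd splits an open() into separate SYSCALL and PATH records).

```python
import re
from typing import Dict, List

# Constructed, simplified auditd-style records: one event per line, key=value pairs.
# Real auditd splits an open() into SYSCALL and PATH records sharing a serial number;
# these constructed lines carry the path inline so the example runs stand-alone.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000001.100:101): syscall=openat success=yes uid=0 pid=4242 comm="strings" name="/proc/1337/mem"
type=SYSCALL msg=audit(1700000001.200:102): syscall=openat success=yes uid=0 pid=4242 comm="strings" name="/proc/1337/maps"
type=SYSCALL msg=audit(1700000002.300:103): syscall=openat success=yes uid=1000 pid=2001 comm="top" name="/proc/2002/stat"
type=SYSCALL msg=audit(1700000002.400:104): syscall=openat success=yes uid=1000 pid=3000 comm="python3" name="/proc/3000/mem"
type=SYSCALL msg=audit(1700000003.500:105): syscall=openat success=no uid=1000 pid=5000 comm="cat" name="/proc/1337/mem"
type=SYSCALL msg=audit(1700000003.600:106): syscall=openat success=yes uid=0 pid=4243 comm="dd" name="/proc/self/mem"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PROC_MEM_RE = re.compile(r'^/proc/(\d+|self)/(mem|maps)$')


def parse_record(line: str) -> Dict[str, str]:
    """Split an audit line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_cross_process_memory_read(rec: Dict[str, str]) -> bool:
    """True when a process successfully opened another process's /proc/<pid>/mem or maps."""
    m = PROC_MEM_RE.match(rec.get("name", ""))
    if not m or rec.get("success") != "yes":
        return False
    target = m.group(1)
    # A process reading its own memory map ("self" or its own pid) is normal for some runtimes.
    return target != "self" and target != rec.get("pid")


def find_memory_dump_events(log_text: str) -> List[Dict[str, str]]:
    """Return the flagged records, each annotated with the target pid and file."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if is_cross_process_memory_read(rec):
            m = PROC_MEM_RE.match(rec["name"])
            rec["target_pid"], rec["target_file"] = m.group(1), m.group(2)
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_memory_dump_events(SAMPLE_AUDIT_LOG):
        print(f'{hit["msg"]} uid={hit["uid"]} {hit["comm"]}(pid {hit["pid"]}) '
              f'read {hit["target_file"]} of pid {hit["target_pid"]}')
```

Only the two reads of pid 1337 by the `strings` process are flagged; the failed open, the self-reads and the /proc/<pid>/stat access are ignored, which keeps ordinary process-monitoring tools out of the alert.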

Resources
