{"id":26179659,"url":"https://github.com/0xdea/blindsight","last_synced_at":"2025-08-27T22:44:28.922Z","repository":{"id":270492632,"uuid":"830395763","full_name":"0xdea/blindsight","owner":"0xdea","description":"Red teaming tool to dump LSASS memory, bypassing basic countermeasures.","archived":false,"fork":false,"pushed_at":"2024-12-31T15:28:15.000Z","size":54,"stargazers_count":213,"open_issues_count":0,"forks_count":25,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-30T10:06:25.551Z","etag":null,"topics":["mimikatz","minidump","redteaming","rust","tactical-exploitation","windows"],"latest_commit_sha":null,"homepage":"https://0xdeadbeef.info","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xdea.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-07-18T07:35:43.000Z","updated_at":"2025-03-29T00:25:39.000Z","dependencies_parsed_at":"2024-12-31T16:36:42.272Z","dependency_job_id":null,"html_url":"https://github.com/0xdea/blindsight","commit_stats":null,"previous_names":["0xdea/blindsight"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xdea%2Fblindsight","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xdea%2Fblindsight/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xdea%2Fblindsight/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xdea%2Fblindsight/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/
hosts/GitHub/owners/0xdea","download_url":"https://codeload.github.com/0xdea/blindsight/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247471517,"owners_count":20944158,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["mimikatz","minidump","redteaming","rust","tactical-exploitation","windows"],"created_at":"2025-03-11T21:51:55.707Z","updated_at":"2025-04-06T11:07:23.615Z","avatar_url":"https://github.com/0xdea.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# blindsight\n\n[![](https://img.shields.io/github/stars/0xdea/blindsight.svg?style=flat\u0026color=yellow)](https://github.com/0xdea/blindsight)\n[![](https://img.shields.io/github/forks/0xdea/blindsight.svg?style=flat\u0026color=green)](https://github.com/0xdea/blindsight)\n[![](https://img.shields.io/github/watchers/0xdea/blindsight.svg?style=flat\u0026color=red)](https://github.com/0xdea/blindsight)\n[![](https://img.shields.io/badge/twitter-%400xdea-blue.svg)](https://twitter.com/0xdea)\n[![](https://img.shields.io/badge/mastodon-%40raptor-purple.svg)](https://infosec.exchange/@raptor)\n\n\u003e \"There's no such things as survival of the fittest.  \n\u003e Survival of the most adequate, maybe.  \n\u003e It doesn't matter whether a solution's optimal.  
\n\u003e All that matters is whether it beats the alternative.\"\n\u003e\n\u003e -- Peter Watts, Blindsight (2006)\n\nRed teaming tool to dump LSASS memory, bypassing basic countermeasures.\nIt uses Transactional NTFS (TxF API) to transparently scramble the memory\ndump, to avoid triggering AV/EDR/XDR.\n\nBlog post:\n\n* \u003chttps://security.humanativaspa.it/an-offensive-rust-encore\u003e\n\nSee also:\n\n* \u003chttps://attack.mitre.org/techniques/T1003/001/\u003e\n* \u003chttps://www.synacktiv.com/en/publications/windows-secrets-extraction-a-summary\u003e\n* \u003chttps://www.ired.team/offensive-security/credential-access-and-credential-dumping\u003e\n* \u003chttps://github.com/fortra/nanodump\u003e\n* \u003chttps://github.com/w1u0u1/minidump\u003e\n* \u003chttps://github.com/anthemtotheego/CredBandit\u003e\n* \u003chttps://github.com/joaoviictorti/RustRedOps\u003e\n* \u003chttps://github.com/Kudaes/Dumpy\u003e\n\n## Cross-compiling (macOS example)\n\n```sh\n$ brew install mingw-w64\n$ rustup target add x86_64-pc-windows-gnu\n$ cargo build --release --target x86_64-pc-windows-gnu\n```\n\n## Usage\n\nInside an Administrator's PowerShell window:\n\n```sh\nC:\\\u003e .\\blindsight.exe [dump | file_to_unscramble.log]\n```\n\n## Examples\n\nDump LSASS memory:\n\n```sh\nC:\\\u003e .\\blindsight.exe\n```\n\nUnscramble memory dump:\n\n```sh\nC:\\\u003e .\\blindsight.exe 29ABE9Hy.log\n```\n\n## Tested on\n\n* Microsoft Windows 10 (x64)\n* Microsoft Windows 11 (x64)\n* Microsoft Windows 11 (ARM64)\n* Microsoft Windows Server 2016 (x64)\n* Microsoft Windows Server 2019 (x64)\n* Microsoft Windows Server 2022 (x64)\n\n*Note: Do not test on production servers, as accessing LSASS might cause system instability!*\n\n## TODO\n\n* Optimize memory usage (simply corrupt \"magic bytes\" instead of XORing?)\n* Use litcrypt2 or similar to encrypt strings locally\n* Allow manually specifying the LSASS PID to avoid noisy process scans\n* Avoid directly opening LSASS handle (e.g., via 
PssCaptureSnapshot)\n* Use https://github.com/Kudaes/DInvoke_rs or similar for API hooks evasion\n* https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html\n* Implement fileless exfiltration channels (e.g., TFTP, FTP, HTTP...)\n* Consider dumping to memory using minidump callbacks instead of TxF API\n* https://adepts.of0x.cc/hookson-hootoff/\n* Consider better command line handling if minimal is not enough\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xdea%2Fblindsight","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xdea%2Fblindsight","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xdea%2Fblindsight/lists"}