lsassy: Extract credentials from lsass remotely

lsassy

Python library to remotely extract credentials from lsass.

This library uses the impacket project to remotely read only the necessary bytes of the lsass dump, and pypykatz to extract credentials from them.

Different lsass dumping methods are implemented in lsassy, and several options are provided to give the user control over how the tool proceeds.

Internal working

lsassy is divided into modules:

                   +-----------+
                   |  Writer   |
                   +-----+-----+
                         |
                         |
+----------+       +-----+-----+       +---------+
|  Parser  |-------|   Core    |-------| Session |
+----------+       +-----+-----+       +---------+
                         |
                         |
                   +-----------+
                   |   Dump    |-+
                   |  Methods  | |-+       +----------+
                   +-----+-----+ | |-------|   File   |
                     +-----------+ |       +----------+
                       +-----------+
                         |
                         |
                   +-----------+
                   |   Exec    |-+
                   |  Methods  | |-+
                   +-----+-----+ | |
                     +-----------+ |
                       +-----------+

Core module

This module is the orchestrator. It instantiates the Lsassy class with the provided arguments and options, then calls the other modules in turn to retrieve credentials.

Logger module

This module is used for logging purposes.

File module

This is a layer built on top of Impacket that behaves like a Python built-in file object. It implements methods such as open, read, seek and close, so a parser can consume a remote dump without downloading it in full.

Dumper module

This module is where all the dumping logic lives. Depending on the method selected, it executes code on the remote host to dump lsass using that method.

Parser module

This module relies on pypykatz and uses the lsassy file module to parse the lsass dump remotely, reading only the bytes pypykatz asks for.

Writer module

This module handles output: results are printed to the screen in one of several formats and/or written to a file.

Dumping methods

This tool can dump lsass in different ways.

Dumping methods (-m or --method)

  • comsvcs
  • comsvcs_stealth
  • dllinject
  • procdump
  • procdump_embedded
  • dumpert
  • dumpertdll
  • ppldump
  • ppldump_embedded
  • mirrordump
  • mirrordump_embedded
  • wer
  • EDRSandBlast
  • nanodump
  • rdrleakdiag
  • silentprocessexit
  • sqldumper

comsvcs method

This method only uses built-in Windows binaries to extract remote credentials. It calls the MiniDump export of comsvcs.dll (invoked through rundll32.exe) to dump the lsass process.

Procdump method

This method uploads procdump.exe from Sysinternals to dump the lsass process.

Dumpert method

This method uploads dumpert.exe or dumpert.dll from Outflank to dump the lsass process using direct syscalls.

PPLdump method

This method uploads PPLdump.exe from itm4n to bypass PPL and dump the lsass process.

MirrorDump method

This method uploads MirrorDump.exe from CCob to dump lsass through an already-open handle to lsass obtained via an LSA plugin.

WER method

This method uses the Windows Error Reporting (WER) technique from PowerSploit.

Install & Use