lsassy: Extract credentials from lsass remotely
lsassy
Python library to remotely extract credentials.
This library uses the impacket project to remotely read the necessary bytes of an lsass dump, and pypykatz to extract credentials from them.
Different lsass dumping methods are implemented in lsassy, and some options are provided to give the user control over how the tool proceeds.
Internal working
lsassy is divided into modules.
Core module
This module is the orchestrator. It instantiates the lsassy class with the provided arguments and options, then calls the other modules to retrieve credentials.
Logger module
This module is used for logging purposes.
File module
This is a layer built over Impacket that behaves like a Python built-in file object. It overrides methods such as open, read, seek, and close.
Dumper module
This module is where all the dumping logic happens. Depending on the method selected, it executes code on the remote host to dump lsass with that method.
Parser module
This module relies on pypykatz and uses the lsassy file module to parse the lsass dump remotely.
Writer module
This module handles the output, either to the screen in different formats and/or by writing the results to a file.
Dumping methods
This tool can dump lsass in different ways.
Dumping methods (-m or --method)
- comsvcs
- comsvcs_stealth
- dllinject
- procdump
- procdump_embedded
- dumpert
- dumpertdll
- ppldump
- ppldump_embedded
- mirrordump
- mirrordump_embedded
- wer
- EDRSandBlast
- nanodump
- rdrleakdiag
- silentprocessexit
- sqldumper
comsvcs method
This method only uses built-in Windows files to extract remote credentials. It uses the minidump function from comsvcs.dll to dump the lsass process.
Procdump method
This method uploads procdump.exe from SysInternals to dump the lsass process.
Dumpert method
This method uploads dumpert.exe or dumpert.dll from outflanknl to dump the lsass process using syscalls.
Ppldump
This method uploads ppldump.exe from itm4n to dump the lsass process, bypassing PPL.
Mirrordump
This method uploads Mirrordump.exe from Ccob to dump lsass using an already-opened handle to lsass obtained via an LSA plugin.
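As an added example that is not part of lsassy or this README, here is a defender-side check over constructed Sysmon-style events that flags the two behaviours the comsvcs and procdump methods above depend on: a process opening lsass with memory-read access, and a command line invoking the minidump export of comsvcs.dll. The field names follow Sysmon's ProcessAccess (Event ID 10) and ProcessCreate (Event ID 1) schema; the allowlist of legitimate lsass readers and the sample records are assumptions.

```python
"""Flag lsass memory-dump behaviour in Sysmon-style events (constructed samples)."""
from typing import Dict, List, Tuple

PROCESS_VM_READ = 0x0010  # access right every user-mode lsass dumper needs

# Assumption: processes that legitimately open lsass on a typical host.
# Tune per environment; an empty set means "flag every reader".
ALLOWED_LSASS_READERS = {"msmpeng.exe", "csrss.exe", "wininit.exe", "lsm.exe"}

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules the event matches (empty if benign)."""
    hits = []
    eid = ev.get("EventID")
    if eid == "10" and _basename(ev.get("TargetImage", "")) == "lsass.exe":
        # Sysmon ProcessAccess: GrantedAccess is a hex string such as "0x1010".
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
        if granted & PROCESS_VM_READ and _basename(ev.get("SourceImage", "")) not in ALLOWED_LSASS_READERS:
            hits.append("lsass_vm_read")
    if eid == "1":
        cmd = ev.get("CommandLine", "").lower()
        # comsvcs method: the MiniDump export of comsvcs.dll on a command line
        if "comsvcs.dll" in cmd and "minidump" in cmd:
            hits.append("comsvcs_minidump")
        # procdump method: SysInternals procdump pointed at lsass
        if _basename(ev.get("Image", "")).startswith("procdump") and "lsass" in cmd:
            hits.append("procdump_lsass")
    return hits

def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run check_event over a batch; returns (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]

# Constructed sample events (not real telemetry); <...> tokens are placeholders.
SAMPLE_EVENTS = [
    {"EventID": "10", "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": "10", "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": "1", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <pid> <dump-path> <mode>"},
    {"EventID": "1", "Image": r"C:\Windows\Temp\procdump64.exe",
     "CommandLine": "procdump64.exe <flags> lsass.exe <dump-path>"},
    {"EventID": "1", "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

In production the ProcessAccess rule is the more robust of the two, since the uploaded binaries (dumpert, ppldump, mirrordump) change the command line but still need to reach lsass memory, while kernel-assisted or handle-reuse methods need additional telemetry.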