Python library to remotely extract credentials on a set of hosts.

Overview

lsassy

PyPI version Twitter

Example

Python library to remotely extract credentials on a set of hosts. This blog post explains how it works.

This library uses impacket project to remotely read necessary bytes in lsass dump and pypykatz to extract credentials.

Chapters Description
Requirements Requirements to install lsassy from source
Warning Before using this tool, read this
Documentation Lsassy documentation
CrackMapExec Module Link to CrackMapExec module included in this repository
Issues Read this before creating an issue
Acknowledgments Kudos to these people and tools
Official Discord Official Discord channel

Requirement

  • Python >= 3.6

Warning

Although I have made every effort to make the tool stable, traces may be left if errors occur.

This tool can either leave some lsass dumps if it failed to delete it (eventhough it tries hard to do so) or leave a scheduled task running if it fails to delete it. This shouldn't happen, but it might. Now, you know, use it with caution.

Documentation

The tool is fully documented in the project's wiki

Installation

Standalone

Library

CrackMapExec module

Changelog

v2.1.0
------
* Kerberos authentication support (Thank you laxa for PR)
* Add CME module for python3
* Update bloodhound queries for BloodHound3
* Bug fixes

v2.0.0
------
* Multiprocessing support to dump credentials on multiple hosts at a time
* Add new dumping method using "dumpert"
* Can be used as a library in other python projects
* Syntax changed to be more flexible
* Complete code refactoring, way more organized and easy to maintain/extend
* Better error handling
* Complete wiki

v1.1.0
------
* Better execution process : --method flag has been added and described in help text
* Uses random dump name
* Chose between cmd, powershell, dll and/or procdump methods
* CME module is now using light lsassy WMIExec et TASKExec implementation
* Bug fixes

v1.0.0
------
* Built-in lsass dump
** Lsass dump using built-in Windows
** Lsass dump using procdump (using -p parameter)
* Add --dumppath to ask for remote parsing only
* Code refactoring
* Add --quiet to quiet output

v0.2.0
------
* Add BloodHound option to CME module (-o BLOODHOUND=True)
    - Set compromised targets as "owned" in BloodHound
    - Check if compromised users have at least one path to domain admin
* Custom parsing (json, grep, pretty [default])
* New --hashes option to lsassy
* Include CME module in repository
* Add credentials to CME database


v0.1.0
------
First release

Acknowledgments

image

Official Discord Channel

Porchetta Industries

Comments
  • Protected lsass?

    Protected lsass?

    Probably not a bug and more likely a mis-usage of my part but I could not find much info.

    I am executing the following command:

    lsassy -d SomeDomain -u SomeAdminUser -p SomePassword 10.0.2.4

    But I am getting the following error: [X] [10.0.2.4] Either lsass is protected or target might be slow or procdump/dumpert wasn't provided

    Also, tried adding -m with 0-5 and providing prodump and dumpert but still getting the same error.

    If I log into machine 10.0.2.4, I can dump lsass using prodump or taskmgr.

    opened by EasiestOdin5 9
  • Automatically generate Linux & Windows builds

    Automatically generate Linux & Windows builds

    I can't find a good way to automatically generate builds when I release a new version. If someone knows how to do this, help would be really appreciated 🤗

    enhancement help wanted 
    opened by Hackndo 7
  • Add MirrorDump dump method

    Add MirrorDump dump method

    Hi @Hackndo!

    In this PR I'd like to bring the mirrordump dump method based on the MirrorDump awesome tool by @CCob. For quite a long time it has been my personal tool of choice for offensive engagements, and I think it should definitely be a part of your great toolkit.

    Before compiling MirrorDump a tiny modification should be made to the source code (Program.cs file) for lsassy to successfully parse the output. By default MirrorDump creates a zip file containing the dump, so the modification changes the output to raw dump bytes:

    static void SaveDump(string fileName, DumpContext dc)
    {
        using (var fileStream = new FileStream(fileName, FileMode.Create, FileAccess.ReadWrite))
        {
            fileStream.Write(dc.Data, 0, (int)dc.Size);
        }
    }
    
    ...
    
    //SaveZip(fileName, MiniDumpToMem.GetDumpContextFromHandle(MagicHandle));
    SaveDump(fileName, MiniDumpToMem.GetDumpContextFromHandle(MagicHandle));
    

    I've also made an attempt to create a module with embedded assembly of MirrorDump.exe, but I've faced the following issue: due to a relatevily big size of the assembly (Boo compiler is inside) ImpacketFile.create_file does not transfer the whole file and stops at length of 1,024 Kbytes. I suppose it has something to do with the MAX_FILE_WRITE constant (not sure).

    If you have any idea of how to corretly resolve the issue, I'll be happy to update the PR!

    Usage example:

    ~$ lsassy -vv -u administrator -p 'Passw0rd!' 10.10.13.37 -m mirrordump -O mirrordump_path=./MirrorDump.exe
    

    example

    P. S. I'm sure you will compile the project by yourself for the security purposes, but I shall attach the modified assembly in this PR as well for testing - MirrorDump.zip.

    opened by snovvcrash 6
  • Bypass antivirus

    Bypass antivirus

    Under certain circumstances (e.g. Microsoft Defender active), no dump can be performed with lsassy. This is due to the fact that the dump of the lsass.exe process is considered.

    However, the following works:

    $ psexec.py host.example.com 'tasklist /fi "imagename eq lsass.exe"'
    [CUT]
    Image Name                     PID Session Name        Session#    Mem Usage
    ========================= ======== ================ =========== ============
    lsass.exe                     1337 Services                   0     49,680 K
    [CUT]
    $ psexec.py -c procdump64.exe host.example.com '-accepteula -ma 1337 c:\lsass.dmp'
    [CUT]
    [01:23:45] Dump 1 initiated: c:\lsass.dmp
    [CUT]
    

    I don't know whether it would make sense for you to include this bypass in lsassy?

    Thanks for your awesome work! :)

    opened by viaccoz 6
  • Obfuscation-(not a bug)

    Obfuscation-(not a bug)

    First of all Great tool

    I got detected by windows defender is there any method that you guys use to bypass it?

    i give the tool a try but got flagged by windows defender latest version full patched

    opened by maibold1 5
  • pipenv shell

    pipenv shell

    Not sure if running in pipenv shell is the issue, but getting the error after a successful dump of lsass.exe:

    Detailed error : /bin/sh: 1: lsassy: not found

    Thoughts?

    wontfix 
    opened by bucky67gto 5
  • [Feature] Optionally use UNC path with `dumpertdll` module to run dumpert DLL from SMB share

    [Feature] Optionally use UNC path with `dumpertdll` module to run dumpert DLL from SMB share

    Hello! First I would like to say congratulations on the 3.0.0 release, the new improvements look awesome! I had an idea while reading some of the new dumping methods, specifically dumpertdll.

    rundll32 can run DLLs from SMB shares, they don't have to be on the disk. My idea was to run an SMB share (like with Samba or impacket-smbshare, not lsassy) and then place the dumpert DLL file in that share. You could then provide the UNC path to the dumpert DLL in the "dumpertdll_path" option, and lsassy would tell rundll32 to call the dumpert DLL from the SMB share, instead of having to upload it.

    I've had lots of luck with this method when trying to spawn sliver agents using a DLL loaded from an SMB share, and it would also prevent the OPSEC hit of having to upload the file to disk. Finally, if something goes wrong during the dump (like AV gets wind of what your doing) there is no risk of the dumpert DLL persisting after aborted execution because it couldn't be deleted.

    enhancement 
    opened by davidmckennirey 4
  • Release the DCOM Connection if WMI failed

    Release the DCOM Connection if WMI failed

    This would cause python to hang when the WMI exec method failed during the program execution (lsassy in CLI or any python code using Lsassy as a lib). That was a funny debugging afternoon 😄

    Cheers

    opened by themaks 4
  • Using lsassy on Ubuntu WSL

    Using lsassy on Ubuntu WSL

    Describe the bug Maybe not so much a bug as a desire to see if it would run in WSL. Thinking Windows store apps can be accessed by non-admin users and then install Ubuntu along with lsassy. Should this be a pull request? A little new to the game here but testing my limits.

    Expected behavior Here are my steps: Install WSL on Win10 device Install Ubuntu from Windows store Check if Python3 is installed python3 --version Install Python 3 (if needed) sudo apt install python3 Update apt-get sudo apt-get update Install netaddr sudo apt-get install -y python-netaddr Pip3 install netaddr Install pip3 sudo apt-get install python3-pip Install pypykatz pip3 install pypykatz Clone Impacket sudo git clone https://github.com/SecureAuthCorp/impacket.git cd impacket/ sudo python3 setup.py install Install lsassy sudo python3.6 -m pip install lsassy

    Screenshots

    Additional context The command and results user@computer:/$ lsassy domain/%username%:%Password%@%FQDN_deviceName Traceback (most recent call last): File "/usr/local/bin/lsassy", line 11, in sys.exit(run()) File "/usr/local/lib/python3.6/dist-packages/lsassy/core.py", line 208, in run targets = get_targets(get_args().target) File "/usr/local/lib/python3.6/dist-packages/lsassy/utils/utils.py", line 134, in get_targets ret_targets += parse_targets(target) File "/usr/local/lib/python3.6/dist-packages/lsassy/utils/utils.py", line 101, in parse_targets t = IPRange(ip_range[0], ip_range[1]) File "/usr/local/lib/python3.6/dist-packages/netaddr/ip/init.py", line 1357, in init self._start = IPAddress(start, flags=flags) File "/usr/local/lib/python3.6/dist-packages/netaddr/ip/init.py", line 280, in init % self.class.name) ValueError: IPAddress() does not support netmasks or subnet prefixes! See documentation for details.

    opened by NtHawk101 4
  • Wait when file is not written yet

    Wait when file is not written yet

    • A task is launched to dump lsass.exe. As long as it is not finished, the dump file is non-existent or empty. This can generate STATUS_OBJECT_NAME_NOT_FOUND errors. Because of this, we have to wait until the task and the write are finished.
    • Delete dump file
    • More precise logging
    opened by viaccoz 4
  • Add collection of masterkeys

    Add collection of masterkeys

    Like the -K for kerberos tickets, the new -M stores dumped masterkeys to a file in format {GUID}:SHA1. This format of masterkeys can be use in many tools like SharpDPAPI.

    opened by zblurx 3
Releases(v3.1.6)
Owner
Pixis
Security blog author https://hackndo.com
Pixis
Having a weak password is not good for a system that demands high confidentiality and security of user credentials

Having a weak password is not good for a system that demands high confidentiality and security of user credentials. It turns out that people find it difficult to make up a strong password that is strong enough to prevent unauthorized users from memorizing it.

PyLaboratory 0 Feb 7, 2022
Proof of concept for CVE-2021-24086, a NULL dereference in tcpip.sys triggered remotely.

CVE-2021-24086 This is a proof of concept for CVE-2021-24086 ("Windows TCP/IP Denial of Service Vulnerability "), a NULL dereference in tcpip.sys patc

Axel Souchet 220 Dec 14, 2022
Chrome Post-Exploitation is a client-server Chrome exploit to remotely allow an attacker access to Chrome passwords, downloads, history, and more.

ChromePE [Linux/Windows] Chrome Post-Exploitation is a client-server Chrome exploit to remotely allow an attacker access to Chrome passwords, download

Finn Lancaster 3 Oct 5, 2022
Proof of concept for CVE-2021-31166, a remote HTTP.sys use-after-free triggered remotely.

CVE-2021-31166: HTTP Protocol Stack Remote Code Execution Vulnerability This is a proof of concept for CVE-2021-31166 ("HTTP Protocol Stack Remote Cod

Axel Souchet 820 Dec 18, 2022
client attack remotely , this script was written for educational purposes only

client attack remotely , this script was written for educational purposes only, do not use against to any victim, which you do not have permission for it

null 9 Jun 5, 2022
Automated tool to exploit basic buffer overflow remotely and locally & x32 and x64

Automated tool to exploit basic buffer overflow (remotely or locally) & (x32 or x64)

null 5 Oct 9, 2022
Consolidating and extending hosts files from several well-curated sources. You can optionally pick extensions to block pornography, social media, and other categories.

Take Note! With the exception of issues and PRs regarding changes to hosts/data/StevenBlack/hosts, all other issues regarding the content of the produ

Steven Black 22.1k Jan 2, 2023
DependConfusion-X Tool is written in Python3 that scans and monitors list of hosts for Dependency Confusion

DependConfusion-X Tool is written in Python3 which allows security researcher/bug bounty hunter to scan and monitor list of hosts for Dependency Confusion.

Ali Fathi Ali Sawehli 4 Dec 21, 2021
LittleBrother is a simple parental control application monitoring specific processes on Linux hosts to monitor and limit the play time of children.

Parental Control Application LittleBrother Overview LittleBrother is a simple parental control application monitoring specific processes (read "games"

null 40 Dec 21, 2022
Proof of concept to check if hosts are vulnerable to CVE-2021-41773

CVE-2021-41773 PoC Proof of concept to check if hosts are vulnerable to CVE-2021-41773. Description (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CV

Jordan Jay 43 Nov 9, 2022
A simple automatic tool for finding vulnerable log4j hosts

Log4Scan A simple automatic tool for finding vulnerable log4j hosts Installation pip3 install -r requirements.txt Usage usage: log4scan.py [-h] (-f FI

Federico Rapetti 20018955 6 Mar 10, 2022
A fully automated, accurate, and extensive scanner for finding vulnerable log4j hosts

log4j-scan A fully automated, accurate, and extensive scanner for finding vulnerable log4j hosts Features Support for lists of URLs. Fuzzing for more

Duc Linh Nguyen 4 Aug 8, 2022
TLaunch: Launch Programs on Multiple Hosts

TLaunch: Launch Programs on Multiple Hosts Introduction Deepmind launchpad is a library that helps writing distributed program in a simple way. But cu

Tsinghua AI Research Team for Reinforcement Learning 11 Nov 11, 2022
Coerce authentication from Windows hosts via MS-FSRVP (Requires FS-VSS-AGENT service running on host)

VSSTrigger Coerce authentication from Windows hosts via MS-FSRVP (Requires FS-VS

Filip Dragovic 6 Jul 24, 2022
This is python script that will extract the functions call in all used DLL in an executable and then provide a mapping of those functions to the attack classes defined and curated malapi.io.

F2Amapper This is python script that will extract the functions call in all used DLL in an executable and then provide a mapping of those functions to

Ajit Kumar 3 Sep 3, 2022
orfipy is a tool written in python/cython to extract ORFs in an extremely and fast and flexible manner

Introduction orfipy is a tool written in python/cython to extract ORFs in an extremely and fast and flexible manner. Other popular ORF searching tools

Urminder Singh 34 Nov 21, 2022
A tool to extract the IdP cert from vCenter backups and log in as Administrator

vCenter SAML Login Tool A tool to extract the Identity Provider (IdP) cert from vCenter backups and log in as Administrator Background Commonly, durin

Horizon 3 AI Inc 343 Dec 31, 2022
A simple Burp Suite extension to extract datas from source code

DataExtractor A simple Burp Suite extension to extract datas from source code. Features in scope parsing file extensions to ignore files exclusion bas

Gwendal Le Coguic 86 Dec 31, 2022
A burp-suite plugin that extract all parameter names from in-scope requests

ParamsExtractor A burp-suite plugin that extract all parameters name from in-scope requests. You can run the plugin while you are working on the targe

null 29 Nov 9, 2022