Python library to remotely extract credentials on a set of hosts.

Overview

lsassy

PyPI version Twitter

Example

Python library to remotely extract credentials on a set of hosts. This blog post explains how it works.

This library uses impacket project to remotely read necessary bytes in lsass dump and pypykatz to extract credentials.

Chapters Description
Requirements Requirements to install lsassy from source
Warning Before using this tool, read this
Documentation Lsassy documentation
CrackMapExec Module Link to CrackMapExec module included in this repository
Issues Read this before creating an issue
Acknowledgments Kudos to these people and tools
Official Discord Official Discord channel

Requirement

  • Python >= 3.6

Warning

Although I have made every effort to make the tool stable, traces may be left if errors occur.

This tool can either leave some lsass dumps if it failed to delete it (eventhough it tries hard to do so) or leave a scheduled task running if it fails to delete it. This shouldn't happen, but it might. Now, you know, use it with caution.

Documentation

The tool is fully documented in the project's wiki

Installation

Standalone

Library

CrackMapExec module

Changelog

v2.1.0
------
* Kerberos authentication support (Thank you laxa for PR)
* Add CME module for python3
* Update bloodhound queries for BloodHound3
* Bug fixes

v2.0.0
------
* Multiprocessing support to dump credentials on multiple hosts at a time
* Add new dumping method using "dumpert"
* Can be used as a library in other python projects
* Syntax changed to be more flexible
* Complete code refactoring, way more organized and easy to maintain/extend
* Better error handling
* Complete wiki

v1.1.0
------
* Better execution process : --method flag has been added and described in help text
* Uses random dump name
* Chose between cmd, powershell, dll and/or procdump methods
* CME module is now using light lsassy WMIExec et TASKExec implementation
* Bug fixes

v1.0.0
------
* Built-in lsass dump
** Lsass dump using built-in Windows
** Lsass dump using procdump (using -p parameter)
* Add --dumppath to ask for remote parsing only
* Code refactoring
* Add --quiet to quiet output

v0.2.0
------
* Add BloodHound option to CME module (-o BLOODHOUND=True)
    - Set compromised targets as "owned" in BloodHound
    - Check if compromised users have at least one path to domain admin
* Custom parsing (json, grep, pretty [default])
* New --hashes option to lsassy
* Include CME module in repository
* Add credentials to CME database


v0.1.0
------
First release

Acknowledgments

image

Official Discord Channel

Porchetta Industries

Comments
  • Protected lsass?

    Protected lsass?

    Probably not a bug and more likely a mis-usage of my part but I could not find much info.

    I am executing the following command:

    lsassy -d SomeDomain -u SomeAdminUser -p SomePassword 10.0.2.4

    But I am getting the following error: [X] [10.0.2.4] Either lsass is protected or target might be slow or procdump/dumpert wasn't provided

    Also, tried adding -m with 0-5 and providing prodump and dumpert but still getting the same error.

    If I log into machine 10.0.2.4, I can dump lsass using prodump or taskmgr.

    opened by EasiestOdin5 9
  • Automatically generate Linux & Windows builds

    Automatically generate Linux & Windows builds

    I can't find a good way to automatically generate builds when I release a new version. If someone knows how to do this, help would be really appreciated 🤗

    enhancement help wanted 
    opened by Hackndo 7
  • Add MirrorDump dump method

    Add MirrorDump dump method

    Hi @Hackndo!

    In this PR I'd like to bring the mirrordump dump method based on the MirrorDump awesome tool by @CCob. For quite a long time it has been my personal tool of choice for offensive engagements, and I think it should definitely be a part of your great toolkit.

    Before compiling MirrorDump a tiny modification should be made to the source code (Program.cs file) for lsassy to successfully parse the output. By default MirrorDump creates a zip file containing the dump, so the modification changes the output to raw dump bytes:

    static void SaveDump(string fileName, DumpContext dc)
    {
        using (var fileStream = new FileStream(fileName, FileMode.Create, FileAccess.ReadWrite))
        {
            fileStream.Write(dc.Data, 0, (int)dc.Size);
        }
    }
    
    ...
    
    //SaveZip(fileName, MiniDumpToMem.GetDumpContextFromHandle(MagicHandle));
    SaveDump(fileName, MiniDumpToMem.GetDumpContextFromHandle(MagicHandle));
    

    I've also made an attempt to create a module with embedded assembly of MirrorDump.exe, but I've faced the following issue: due to a relatevily big size of the assembly (Boo compiler is inside) ImpacketFile.create_file does not transfer the whole file and stops at length of 1,024 Kbytes. I suppose it has something to do with the MAX_FILE_WRITE constant (not sure).

    If you have any idea of how to corretly resolve the issue, I'll be happy to update the PR!

    Usage example:

    ~$ lsassy -vv -u administrator -p 'Passw0rd!' 10.10.13.37 -m mirrordump -O mirrordump_path=./MirrorDump.exe
    

    example

    P. S. I'm sure you will compile the project by yourself for the security purposes, but I shall attach the modified assembly in this PR as well for testing - MirrorDump.zip.

    opened by snovvcrash 6
  • Bypass antivirus

    Bypass antivirus

    Under certain circumstances (e.g. Microsoft Defender active), no dump can be performed with lsassy. This is due to the fact that the dump of the lsass.exe process is considered.

    However, the following works:

    $ psexec.py host.example.com 'tasklist /fi "imagename eq lsass.exe"'
    [CUT]
    Image Name                     PID Session Name        Session#    Mem Usage
    ========================= ======== ================ =========== ============
    lsass.exe                     1337 Services                   0     49,680 K
    [CUT]
    $ psexec.py -c procdump64.exe host.example.com '-accepteula -ma 1337 c:\lsass.dmp'
    [CUT]
    [01:23:45] Dump 1 initiated: c:\lsass.dmp
    [CUT]
    

    I don't know whether it would make sense for you to include this bypass in lsassy?

    Thanks for your awesome work! :)

    opened by viaccoz 6
  • Obfuscation-(not a bug)

    Obfuscation-(not a bug)

    First of all Great tool

    I got detected by windows defender is there any method that you guys use to bypass it?

    i give the tool a try but got flagged by windows defender latest version full patched

    opened by maibold1 5
  • pipenv shell

    pipenv shell

    Not sure if running in pipenv shell is the issue, but getting the error after a successful dump of lsass.exe:

    Detailed error : /bin/sh: 1: lsassy: not found

    Thoughts?

    wontfix 
    opened by bucky67gto 5
  • [Feature] Optionally use UNC path with `dumpertdll` module to run dumpert DLL from SMB share

    [Feature] Optionally use UNC path with `dumpertdll` module to run dumpert DLL from SMB share

    Hello! First I would like to say congratulations on the 3.0.0 release, the new improvements look awesome! I had an idea while reading some of the new dumping methods, specifically dumpertdll.

    rundll32 can run DLLs from SMB shares, they don't have to be on the disk. My idea was to run an SMB share (like with Samba or impacket-smbshare, not lsassy) and then place the dumpert DLL file in that share. You could then provide the UNC path to the dumpert DLL in the "dumpertdll_path" option, and lsassy would tell rundll32 to call the dumpert DLL from the SMB share, instead of having to upload it.

    I've had lots of luck with this method when trying to spawn sliver agents using a DLL loaded from an SMB share, and it would also prevent the OPSEC hit of having to upload the file to disk. Finally, if something goes wrong during the dump (like AV gets wind of what your doing) there is no risk of the dumpert DLL persisting after aborted execution because it couldn't be deleted.

    enhancement 
    opened by davidmckennirey 4
  • Release the DCOM Connection if WMI failed

    Release the DCOM Connection if WMI failed

    This would cause python to hang when the WMI exec method failed during the program execution (lsassy in CLI or any python code using Lsassy as a lib). That was a funny debugging afternoon 😄

    Cheers

    opened by themaks 4
  • Using lsassy on Ubuntu WSL

    Using lsassy on Ubuntu WSL

    Describe the bug Maybe not so much a bug as a desire to see if it would run in WSL. Thinking Windows store apps can be accessed by non-admin users and then install Ubuntu along with lsassy. Should this be a pull request? A little new to the game here but testing my limits.

    Expected behavior Here are my steps: Install WSL on Win10 device Install Ubuntu from Windows store Check if Python3 is installed python3 --version Install Python 3 (if needed) sudo apt install python3 Update apt-get sudo apt-get update Install netaddr sudo apt-get install -y python-netaddr Pip3 install netaddr Install pip3 sudo apt-get install python3-pip Install pypykatz pip3 install pypykatz Clone Impacket sudo git clone https://github.com/SecureAuthCorp/impacket.git cd impacket/ sudo python3 setup.py install Install lsassy sudo python3.6 -m pip install lsassy

    Screenshots

    Additional context The command and results [email protected]:/$ lsassy domain/%username%:%Password%@%FQDN_deviceName Traceback (most recent call last): File "/usr/local/bin/lsassy", line 11, in sys.exit(run()) File "/usr/local/lib/python3.6/dist-packages/lsassy/core.py", line 208, in run targets = get_targets(get_args().target) File "/usr/local/lib/python3.6/dist-packages/lsassy/utils/utils.py", line 134, in get_targets ret_targets += parse_targets(target) File "/usr/local/lib/python3.6/dist-packages/lsassy/utils/utils.py", line 101, in parse_targets t = IPRange(ip_range[0], ip_range[1]) File "/usr/local/lib/python3.6/dist-packages/netaddr/ip/init.py", line 1357, in init self._start = IPAddress(start, flags=flags) File "/usr/local/lib/python3.6/dist-packages/netaddr/ip/init.py", line 280, in init % self.class.name) ValueError: IPAddress() does not support netmasks or subnet prefixes! See documentation for details.

    opened by NtHawk101 4
  • Wait when file is not written yet

    Wait when file is not written yet

    • A task is launched to dump lsass.exe. As long as it is not finished, the dump file is non-existent or empty. This can generate STATUS_OBJECT_NAME_NOT_FOUND errors. Because of this, we have to wait until the task and the write are finished.
    • Delete dump file
    • More precise logging
    opened by viaccoz 4
  • Add collection of masterkeys

    Add collection of masterkeys

    Like the -K for kerberos tickets, the new -M stores dumped masterkeys to a file in format {GUID}:SHA1. This format of masterkeys can be use in many tools like SharpDPAPI.

    opened by zblurx 3
Releases(v3.1.6)
Owner
Pixis
Security blog author https://hackndo.com
Pixis
Uma ferramenta de segurança da informação escrita em python3,capaz de dar acesso total ao computador de alguém!

shell-reverse Uma ferramenta de segurança da informação escrita em python3, capaz de dar acesso total ao computador de alguém! A cybersecurity tool wr

Marcus Vinícius Ribeiro Andrade 1 Nov 03, 2021
A Python r2pipe script to automatically create a Frida hook to intercept TLS traffic for Flutter based apps

boring-flutter A Python r2pipe script to automatically create a Frida hook to intercept TLS traffic for Flutter based apps. Currently only supporting

Hamza 64 Oct 18, 2022
IP Denial of Service Vulnerability ")A proof of concept for CVE-2021-24086 ("Windows TCP/IP Denial of Service Vulnerability ")

CVE-2021-24086 This is a proof of concept for CVE-2021-24086 ("Windows TCP/IP Denial of Service Vulnerability "), a NULL dereference in tcpip.sys patc

Carry 1 Nov 25, 2021
An All-In-One Pure Python PoC for CVE-2021-44228

Python Log4RCE An all-in-one pure Python3 PoC for CVE-2021-44228. Configure Replace the global variables at the top of the script to your configuratio

Alexandre Lavoie 178 Nov 09, 2022
macOS persistence tool

PoisonApple Command-line tool to perform various persistence mechanism techniques on macOS. This tool was designed to be used by threat hunters for cy

Cyborg Security, Inc 212 Dec 29, 2022
SEBUAH TOOLS TERMUX CRACK AKUN FF HOMKI AKUN EPEP DAH SATU FOLLOW AE YA BROO AWOKWOK

print " INSTALL TOOLS " $ pkg update && upgrade $ pkg install python2 $ pkg install git $ pip2 install lolcat $ pip2 install bs4 $ pip2 install reques

Jeeck 2 Nov 29, 2021
S2-062 (CVE-2021-31805) / S2-061 / S2-059 RCE

CVE-2021-31805 Remote code execution S2-062 (CVE-2021-31805) Due to Apache Struts2's incomplete fix for S2-061 (CVE-2020-17530), some tag attributes c

warin9 31 Nov 22, 2022
Automated tool to find & created Exploit Poc for Clickjacking Vulnerability

ClickJackPoc This tool will help you automate finding Clickjacking Vulnerability by just passing a file containing list of Targets . Once the Target i

Chirag Agrawal 24 Dec 19, 2022
STATS305C: Applied Statistics III (Spring, 2022)

STATS305C: Applied Statistics III Instructor: Scott Linderman TA: Matt MacKay, James Yang Term: Spring 2022 Stanford University Course Description: Pr

Scott Linderman 14 Aug 11, 2022
:closed_lock_with_key: multi factor authentication system (2FA, MFA, OTP Server)

privacyIDEA privacyIDEA is an open solution for strong two-factor authentication like OTP tokens, SMS, smartphones or SSH keys. Using privacyIDEA you

1.3k Jan 03, 2023
Dumps the payload.bin image found in Android update images.

payload dumper Dumps the payload.bin image found in Android update images. Has significant performance gains over other tools due to using multiproces

Rasmus 7 Nov 17, 2022
Laravel RCE (CVE-2021-3129)

CVE-2021-3129 - Laravel RCE About The script has been made for exploiting the Laravel RCE (CVE-2021-3129) vulnerability. This script allows you to wri

Joshua van der Poll 21 Dec 27, 2022
exchange-ssrf-rce

Usage python3 .\exchange-exp.py -------------------------------------------------------------------------------- |

Jen 76 Nov 09, 2022
Compilation of resources and insights that helped me on my journey to data scientist

Compilation of resources and insights that helped me on my journey to data scientist

Conor Dewey 1.5k Jan 02, 2023
带回显版本的漏洞利用脚本

CVE-2021-21978 带回显版本的漏洞利用脚本,更简单的方式 0. 漏洞信息 VMware View Planner Web管理界面存在一个上传日志功能文件的入口,没有进行认证且写入的日志文件路径用户可控,通过覆盖上传日志功能文件log_upload_wsgi.py,即可实现RCE 漏洞代码

3ky7in4 24 Nov 09, 2022
A fully automated, accurate, and extensive scanner for finding vulnerable log4j hosts

log4j-scan A fully automated, accurate, and extensive scanner for finding vulnerable log4j hosts Features Support for lists of URLs. Fuzzing for more

Duc Linh Nguyen 4 Aug 08, 2022
Tinyman exploit finder - Tinyman exploit finder for python

tinyman_exploit_finder There was a big tinyman exploit. You can read about it he

fish.exe 9 Dec 27, 2022
Open-source jailbreaking tool for many iOS devices

Open-source jailbreaking tool for many iOS devices *Read disclaimer before using this software. checkm8 permanent unpatchable bootrom exploit for hund

6.7k Jan 05, 2023
Security offerings for AWS Control Tower

Caylent Security Catalyst Reference Architecture Examples This repository contains solutions for Caylent's Security Catalyst. The Security Catalyst is

Steven Connolly 1 Oct 22, 2021
Add a Web Server based on Rogue Mysql Server to allow remote user get

介绍 对于需要使用 Rogue Mysql Server 的漏洞来说,若想批量检测这种漏洞的话需要自备一个服务器。并且我常用的Rogue Mysql Server 脚本 不支持动态更改读取文件名、不支持远程用户访问读取结果、不支持批量化检测网站。于是乎萌生了这个小脚本的想法 Rogue-MySql-

6 May 17, 2022