
live lsa

skelsec edited this page Apr 22, 2021 · 3 revisions

What it does

Obtains the credentials stored in the LSASS.exe process.

Remarks

By default this command does not dump Kerberos tickets. To get them, supply the -k switch with a directory to write the tickets into.

Clarification on the handledup method

The handledup method enumerates every open handle in every process on the system and, for each one, tests whether it is a process handle to LSASS. If it is, the method tries to use that handle; if that works, great, and if not, it moves on to the next one. The handle table that Windows returns (via NtQuerySystemInformation, the usual call for this) does not say upfront which handle points at which object, so the method has to duplicate and probe handles one by one, which is why it is a bit of a "bruteforce". It can succeed for two different reasons:

  • some random process has an open handle to LSASS, and your debug privileges let you open that process and duplicate the handle out of it
  • LSASS itself always has an open handle to LSASS. You might ask how that differs from the normal method, since you still have to open LSASS. The difference is the access you request: to duplicate a handle out of a process you open it with PROCESS_DUP_HANDLE, which is a different access mask than the one you need to read that process' memory (PROCESS_VM_READ plus a query right). Many antivirus products take a "we defeat mimikatz" approach and specifically filter or block OpenProcess calls on LSASS that carry the one access mask mimikatz uses (not all of them do, hence you cannot always win). This method never requests that mask, so it slips past that particular filter.

Requirements

Administrative privileges, OR a user account that has SE_DEBUG privilege enabled.

Subcommands

None

Switches

  • --json : Switches the output to JSON format, both in STDOUT and in FILE output modes
  • --grep or -g : Switches the output to a greppable format, both in STDOUT and in FILE output modes
  • -o : Write results to file, instead of printing it to STDOUT
  • -k : Dumps the kerberos tickets to a given folder.
  • --method : Selects how the LSASS process is opened. The default opens LSASS directly with the access needed to read its memory; handledup instead duplicates an existing LSASS handle out of another process, which is stealthier but does not always succeed.
  • -p : Specifies which LSASS packages to parse. Default: all

Examples

  • pypykatz live lsa: Prints all credentials to STDOUT
  • pypykatz live lsa --json: Prints all credentials to STDOUT in JSON format
  • pypykatz live lsa -o <output_dir>: Writes all credentials to <output_dir>
  • pypykatz live lsa -o <output_dir> -k <kerberos_dir>: Writes all credentials to <output_dir> and dumps all tickets to <kerberos_dir>