LSASS BREAKDOWN WITH TOOLS
Jitu Mani Das (CISM CISSP)
Cyber Security Expert (IT and OT/ICS) | Cloud Solution Architect | Security Operations | Enterprise & Critical Infrastructure Security Architecture & Design | IT and OT SOC Design & Built | FORENSICS
LSASS is the process responsible for authenticating local and domain users in Windows. Its responsibilities also include generating security tokens for active user sessions and working with Security Support Providers (SSPs).
Below is a selection of utilities that can be used to extract cleartext passwords or NT hashes from it for further attack.
Lsassy
(https://github.com/Hackndo/lsassy) Besides dumping credentials, Lsassy can also dump Kerberos tickets in kirbi format. It uses impacket to remotely read the required bytes from the lsass dump and pypykatz to extract the credentials.
Nanodump
(https://github.com/helpsystems/nanodump) A flexible tool that creates a minidump of the lsass process in a variety of ways.
RIPPL
(https://github.com/last-byte/RIPPL) Can interact with processes protected by Protected Process Light (PPL), bypassing the kernel-enforced protection.
PPLdump
(https://github.com/itm4n/PPLdump) Abuses the DefineDosDevice API to execute arbitrary code inside a PPL process.
Mimikatz
(https://github.com/gentilkiwi/mimikatz) The classic tool; it can read lsass directly without first saving a dump to disk.
Pypykatz
(https://github.com/skelsec/pypykatz) A Python (>= 3.6) implementation of mimikatz.
HandleKatz
(https://github.com/codewhitesec/HandleKatz) Clones an existing lsass handle and uses a MiniDumpWriteDump implementation taken from ReactOS to create an obfuscated dump. It allocates very little executable memory, so it combines well with DLL hollowing.
SharpDump
(https://github.com/GhostPack/SharpDump) Out-Minidump.ps1 in a C# wrapper; uses the MiniDumpWriteDump Win32 API call to create the actual memory dump.
Physmem2profit
(https://github.com/WithSecureLabs/physmem2profit) Creates a minidump of the target host's LSASS process by remotely analyzing physical memory; the resulting dump can then be analyzed with Mimikatz.
MirrorDump
Uses the MinHook and SharpDisasm projects to call the internal MiniDumpWriteDump APIs. It also combines Boo.Lang and DllExport to generate an LSA SSP authentication package and load it into LSASS memory.
Procdump
(https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) A Windows Sysinternals utility that allows you to take a snapshot of the memory of the LSASS process.