
live smb lsassdump command

skelsec edited this page Apr 14, 2021 · 2 revisions

What it does

Dumps and parses LSASS remotely over SMB. The connection is set up using the current user's context. The LSASS dump file is deleted after the command finishes (best effort).

Remarks

Currently only task-scheduler-based dumping is supported. The dumper code was taken from lsassy. It's a cool tool, check it out.
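As an added example that is not pypykatz or lsassy code: because the dump is driven by a scheduled task on the target, read back over SMB and only deleted on a best-effort basis, a defender can correlate a scheduled-task creation with a process opening LSASS on the same host shortly afterwards, attaching any share read of the dump file as corroboration. The event IDs (Security 4698, Sysmon 10, Security 5145) are standard Windows IDs; the field names, the `.dmp` extension and the sample log lines are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log: one benign task, then a remote dump sequence.
# Field names are simplified assumptions, not the real event schema.
SAMPLE_EVENTS = [
    {"ts": "2021-04-14T09:50:00", "host": "WS01", "id": 4698,
     "subject": "CORP\\backup", "task": "\\NightlyBackup"},
    {"ts": "2021-04-14T10:05:00", "host": "WS01", "id": 4698,
     "subject": "CORP\\alice", "task": "\\tmp1"},
    {"ts": "2021-04-14T10:05:03", "host": "WS01", "id": 10,   # Sysmon ProcessAccess
     "target_image": "C:\\Windows\\system32\\lsass.exe"},
    {"ts": "2021-04-14T10:05:10", "host": "WS01", "id": 5145,  # share object access
     "subject": "CORP\\alice", "share": "\\\\*\\ADMIN$", "target": "Temp\\tmp1.dmp"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def correlate_lsass_dump(events, window=timedelta(minutes=5)):
    """Return one alert per scheduled task (4698) that is followed, on the same
    host and within `window`, by a process opening lsass.exe (Sysmon 10).
    A later SMB read of a .dmp file by the task's creator (5145) is attached
    when present; it may be the only durable trace once the file is deleted."""
    alerts = []
    evs = sorted(events, key=lambda e: parse_ts(e["ts"]))
    for i, task in enumerate(evs):
        if task["id"] != 4698:
            continue
        t0 = parse_ts(task["ts"])
        lsass_hit = dump_read = None
        for e in evs[i + 1:]:
            if parse_ts(e["ts"]) - t0 > window:
                break  # events are sorted, so nothing later is in the window
            if e["host"] != task["host"]:
                continue
            if e["id"] == 10 and e.get("target_image", "").lower().endswith("\\lsass.exe"):
                lsass_hit = lsass_hit or e
            elif (e["id"] == 5145 and e.get("subject") == task["subject"]
                  and e.get("target", "").lower().endswith(".dmp")):
                dump_read = dump_read or e
        if lsass_hit:
            alerts.append({"host": task["host"], "subject": task["subject"],
                           "task": task["task"],
                           "dump_file": dump_read["target"] if dump_read else None})
    return alerts
```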

Requirements

  • A user that has admin rights to the remote machine
  • Task scheduler service available
  • The same user can read the resulting dump file

Subcommands

None

Switches

  • host: Target hostname or IP.
  • --json: Output results in JSON format.
  • -g or --grep: Output results in greppable format.
  • -k: Directory to write the extracted Kerberos tickets to, in kirbi and CCACHE format.
  • --chunksize: Size of each chunk read over SMB during parsing.
  • -p: Specifies which LSASS packages to parse. Default: all.
  • -m or --method: Specifies the dump method.
  • -o or --outfile: Writes the secrets to the specified file.

Examples

  • pypykatz live smb lsassdump win2019ad.test.corp: Dumps and parses LSASS on win2019ad.test.corp and prints the results to the console.