Skip to content

PowerShell implementation for parsing LSA (Local Security Authority) process memory dumps

License

Notifications You must be signed in to change notification settings

SySS-Research/invoke-lsaparse

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Invoke-LSAParse

PowerShell implementation for parsing LSA (Local Security Authority) memory dumps.

This PowerShell script can be used to extract user credentials (currently only NT hashes) from LSA memory dump files. Its only dependency is the executable of the Microsoft Console Debugger (cdb.exe) which is integrated into the PowerShell code by using the corresponding build script.

A tech blog article titled Extracting Secrets from LSA by Use of PowerShell about the problem of parsing LSA process memory dumps can be found on the SySS Tech Blog.

Installation

  1. Download Invoke-LSAParse
  2. Download the Microsoft Console Debugger and copy the executable file cdb.exe to the Invoke-LSAParse directory
  3. Call the PowerShell build script .\build.ps1 to create the actual Invoke-LSAParse.ps1 PowerShell script

Usage

Load the module Invoke-LSAParse in a PowerShell session, e.g. via Import-Module .\Invoke-LSAParse.ps1, and execute it using the two parameters PathToDMP (absolute path of LSA dump file) and verbose (show additional information).

Example Execution

Mode of operation

Invoke-LSAParse writes the executable cdb.exe of the Microsoft Console Debugger in the temporary directory of the current user. The Microsoft Console Debugger is used for retrieving the exact memory addresses within dump files.

After those memory addresses are known, the data structures containing cryptographic data and encrypted user credentials are parsed using PowerShell code.

Currently, Invoke-LSAParse only outputs the NT hashes of logged-in users or identities.

Limitations

The current version of Invoke-LSAParse has the following limitations:

  • Only Windows 10 LSASS process memory dumps are reliably supported.
  • Extracting cleartext passwords is currently not supported.

Author

Sebastian Hölzle, SySS GmbH, 2021

Disclaimer

Use at your own risk. Do not use without full consent of everyone involved. For educational purposes only.

About

PowerShell implementation for parsing LSA (Local Security Authority) process memory dumps

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published