live lsa
Obtains the credentials stored in the LSASS.exe process.
By default this command doesn't dump the Kerberos tickets; to get them you need to supply the `-k` switch and provide a directory to write them to.
The `handledup` method searches all open handles in all processes and tests whether each one is a process handle to LSASS. If it is, it tries to use that handle: if that succeeds, hurray; if not, it continues with the next available handle.
The handle search does not know upfront which process holds which handles: it simply requests ALL handles on the system via a Windows API call and then tries them one by one, so some "bruteforcing" is needed.
This method can succeed for two possible reasons:
- a random process has an open handle to LSASS, and you can access that process via your debug privileges
- LSASS itself has an open handle to LSASS by default. You might ask: but then how is this different from the `normal` method? Well, Timmy, the reason is: to access only a process handle object held by a given process you need different flags to open that process than if you want to read the same process' full memory. Antiviruses tend to focus on the WE DEFEAT MIMIKATZ WARRGGGRGAHHH approach, so they (not all, hence you can't always win) specifically filter/block OpenProcess calls that use the one specific flag value `mimikatz` uses. This method doesn't use that flag value and therefore bypasses that filtering.
Requires administrative privileges, OR a user account that has the SE_DEBUG privilege enabled.
Known caveats: none.
- `--json`: Switches the output to JSON format, both in STDOUT and in file output modes
- `--grep` or `-g`: Switches the output to a greppable format, both in STDOUT and in file output modes
- `-o`: Writes results to a file instead of printing them to STDOUT
- `-k`: Dumps the Kerberos tickets to the given folder
- `--method`: Selects which method is used to open the LSASS process. `handledup` is more stealthy but will not always work
- `-p`: Specifies which LSASS packages to parse. Default: `all`
- `pypykatz live lsa`: Prints all credentials to STDOUT
- `pypykatz live lsa --json`: Prints all credentials to STDOUT in JSON format
- `pypykatz live lsa -o <output_dir>`: Writes all credentials to `<output_dir>`
- `pypykatz live lsa -o <output_dir> -k <kerberos_dir>`: Writes all credentials to `<output_dir>` and dumps all tickets to `<kerberos_dir>`