Skip to content

smb lsassdump command

skelsec edited this page Apr 13, 2021 · 3 revisions

What it does

Dumps and parses the LSASS remotely over SMB. LSASS dump file will be deleted after command finishes (best effort)

Remarks

Currently only taskscheduler based dumping is supported. The dumper code was taken from lsassy. It's a cool tool, check it out.

Requirements

  • A working SMB connection URL with a user that has admin right to the remote machine
  • Task scheduler service available
  • The same user can read the resulting dump file

Subcommands

None

Switches

  • url: SMB connection URL with the LSASS file's path. Please consult the Connection URL section
  • --json : Output results in JSON format
  • -g or --grep : Output results in greppable format
  • -k : Kerberos directory to write tickets there in kirbi and CCACHE format
  • --chunksize: Specifies how large each chunk should be read over SMB for the parsing
  • -p : Specifies which LSASS packages to parse. Default: all
  • -m or --method : Specifies the dump method.

Examples

  • pypykatz smb lsassfile 'smb2+ntlm-password://TEST\Administrator:[email protected]': Dumps and parses the LSASS file and outputs the results to console.
Clone this wiki locally