smb lsassdump command
skelsec edited this page Apr 13, 2021 · 3 revisions
Dumps and parses the LSASS remotely over SMB. The LSASS dump file will be deleted after the command finishes (best effort).

Currently only task scheduler based dumping is supported. The dumper code was taken from lsassy. It's a cool tool, check it out.
- A working SMB connection URL with a user that has admin rights on the remote machine
- Task scheduler service available
- The same user can read the resulting dump file
None
- `url`: SMB connection URL with the LSASS file's path. Please consult the Connection URL section.
- `--json`: Output results in JSON format
- `-g` or `--grep`: Output results in greppable format
- `-k`: Kerberos directory to write tickets there in `kirbi` and `CCACHE` format
- `--chunksize`: Specifies how large each chunk should be read over SMB for the parsing
- `-p`: Specifies which LSASS packages to parse. Default: `all`
- `-m` or `--method`: Specifies the dump method.
- `pypykatz smb lsassfile 'smb2+ntlm-password://TEST\Administrator:[email protected]'`: Dumps and parses the LSASS file and outputs the results to console.