
lsa minidump command

skelsec edited this page Apr 16, 2021 · 1 revision

What it does

Obtains credentials stored in minidump files (of the LSASS process)

Remarks

  • By default this command doesn't dump the Kerberos tickets; you will need to supply the -k switch and provide a directory to write them to.
  • The minidump file MUST be created with the full memory dump option.

Requirements

None

Subcommands

None

Switches

  • --json : Switches the output to JSON format, both in STDOUT and in FILE output modes
  • --grep or -g : Switches the output to a greppable format, both in STDOUT and in FILE output modes
  • -o : Write results to a file instead of printing them to STDOUT
  • -k : Dumps the Kerberos tickets to the given folder.
  • -d : Indicates that the input path is in fact a directory; ALL files in it are parsed as minidump files. Allows mass-parsing. Works with the minidump command only.
  • -r : Also parses all files in all subfolders of the input folder. minidump command only.
  • -e : If -d is active, this switch makes parsing stop on the first error encountered.
  • -p : Specifies which LSASS packages to parse. Default: all

Examples

  • pypykatz lsa minidump <input_file> : Parses the input minidump file and prints all credentials to STDOUT
  • pypykatz lsa minidump <input_file> --json : Parses the input minidump file and prints all credentials to STDOUT in JSON format
  • pypykatz lsa minidump <input_path> -d -o <output_file> : Parses all files in the folder as minidump files and writes all credentials to <output_file>
  • pypykatz lsa minidump <input_file> -k <kerb_dir> : Parses the input minidump file and prints all credentials to STDOUT, and also dumps all Kerberos tickets in KIRBI format to the kerb_dir folder
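The remark above says the minidump MUST carry full process memory, and the -d / -r switches feed whole folders to the command. The following added example (not pypykatz's own code) checks that prerequisite up front by reading the 32-byte MINIDUMP_HEADER of each file and testing the MiniDumpWithFullMemory flag; it assumes the header layout and flag values from the Windows minidumpapiset.h definitions, and the `make_sample_header` input is constructed here for demonstration. The same check is handy in DFIR triage for spotting full-memory dump files left on a host.

```python
import os
import struct
from typing import Dict, Optional

# Constants from the MINIDUMP_HEADER / MINIDUMP_TYPE definitions (minidumpapiset.h)
MINIDUMP_SIGNATURE = 0x504D444D            # ASCII 'MDMP' read as a little-endian ULONG32
MINIDUMP_VERSION = 0xA793                  # low 16 bits of the Version field
MINIDUMP_WITH_FULL_MEMORY = 0x00000002     # MINIDUMP_TYPE flag: all process memory included
HEADER_FMT = "<IIIIIIQ"                    # Signature, Version, NumberOfStreams, StreamDirectoryRva,
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # CheckSum, TimeDateStamp, Flags -> 32 bytes

def parse_header(data: bytes) -> Optional[Dict[str, int]]:
    """Decode a MINIDUMP_HEADER; return None when the bytes are not a minidump at all."""
    if len(data) < HEADER_SIZE:
        return None
    sig, version, nstreams, dir_rva, _csum, timestamp, flags = struct.unpack_from(HEADER_FMT, data)
    if sig != MINIDUMP_SIGNATURE or (version & 0xFFFF) != MINIDUMP_VERSION:
        return None
    return {"streams": nstreams, "directory_rva": dir_rva, "timestamp": timestamp, "flags": flags}

def classify(data: bytes) -> str:
    """'not-minidump', 'full-memory' (what lsa minidump needs) or 'partial' (memory missing)."""
    hdr = parse_header(data)
    if hdr is None:
        return "not-minidump"
    return "full-memory" if hdr["flags"] & MINIDUMP_WITH_FULL_MEMORY else "partial"

def triage_directory(folder: str, recursive: bool = False) -> Dict[str, str]:
    """Mirror the -d / -r switches: classify every file in folder (and subfolders if recursive)."""
    results: Dict[str, str] = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                results[path] = classify(fh.read(HEADER_SIZE))  # only the header is needed
        if not recursive:
            break
    return results

def make_sample_header(flags: int) -> bytes:
    """Constructed input for demonstration: a bare 32-byte header with the given flags, no streams."""
    return struct.pack(HEADER_FMT, MINIDUMP_SIGNATURE, MINIDUMP_VERSION, 0, HEADER_SIZE, 0, 0, flags)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: python minidump_check.py <folder> [-r]
        for path, status in triage_directory(sys.argv[1], recursive="-r" in sys.argv).items():
            print(f"{status:13} {path}")
```

Files reported as "partial" will parse but yield little or nothing, so filter them out before running the command with -d.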