dazzyddos

dazzyddos / lsawhisper-bof

Public

A Beacon Object File (BOF) that talks directly to Windows authentication packages through the LSA untrusted/trusted client interface, without touching LSASS process memory.

258
28
69% credibility
Found Feb 22, 2026 at 144 stars -- GitGems finds repos before they trend. Get early access to the next one.
Sign Up Free
AI Analysis
C
AI Summary

A collection of modules for security testers to extract Windows login keys, service tickets, and cloud session data through official channels without touching protected areas.

How It Works

1
🔍 Discover the Helper

You learn about this clever tool from security pros that lets you safely peek at login details during defense tests.

2
📥 Grab and Prep It

Download the simple files and ready them up with an easy build step for your testing gear.

3
🚀 Add to Your Setup

Slip it into your security testing beacon on the machine you're checking.

4
Choose What to Uncover
🔑
Unlock Password Keys

Pull out special keys that protect stored passwords.

🎫
View Access Tickets

List all the digital passes for network services.

☁️
Fetch Cloud Logins

Grab session cookies for online services.

5
💥 Watch It Reveal Secrets

See the tool quietly fetch the private login data without any alarms going off.

Test Complete

You now hold the details to spot weaknesses and make the system stronger.

Sign up to see the full architecture

4 more

Sign Up Free

Star Growth

See how this repo grew from 144 to 258 stars Sign Up Free
Repurpose This Repo

Repurpose is a Pro feature

Generate ready-to-use prompts for X threads, LinkedIn posts, blog posts, YouTube scripts, and more -- with full repo context baked in.

Unlock Repurpose
AI-Generated Review

What is lsawhisper-bof?

LSAWhisper-bof is a set of Beacon Object Files (BOFs) in C for Cobalt Strike beacons, letting you query Windows authentication packages like MSV1_0, Kerberos, and CloudAP directly via the LSA client interface. It pulls DPAPI credential keys, lists and dumps Kerberos tickets as base64 .kirbi blobs, generates NTLMv1 responses, and extracts Entra ID SSO cookies—all without opening LSASS handles or reading its memory. This sidesteps PPL protections and Credential Guard, solving the problem of risky LSASS dumping during red team ops.

Why is it gaining traction?

Unlike traditional LSASS minidumps or memory scrapers that trigger EDR, these beacon object files bof use official LsaCallAuthenticationPackage APIs for stealthy authentication ops, with commands like lsa-credkey, lsa-klist, and lsa-ssocookie that output ready-to-use data (e.g., hex keys for SharpDPAPI or crack.sh hashes). Modular design means small, fast-loading BOFs for beacon object file development in Cobalt Strike, plus cross-compiled x86/x64 binaries via a simple Makefile. At 87 stars on GitHub, it hooks red teamers needing beacon object file loaders that evade detection.

Who should use this?

Red team operators running Cobalt Strike beacons on Windows targets during engagements requiring logon session credential access. Ideal for targeting user LUIDs to recover DPAPI keys from interactive sessions, dump Kerberos tickets for pass-the-ticket, or snag cloud SSO tokens on Entra ID-joined devices—especially with SeTcbPrivilege for multi-session ops.

Verdict

Grab it for Cobalt Strike beacon object files bof if you're doing LSA-based credential collection; the README's usage examples and command outputs make it dead simple despite 87 stars signaling early maturity. Credibility score of 0.699999988079071% reflects its niche focus, but battle-tested research from SpecterOps ensures reliability—compile, load, and run.

(198 words)

Sign up to read the full AI review Sign Up Free

Similar repos coming soon.