LSASS Process
Last updated
Last updated
Administrator rights on the target machine are mandatory.
On a Windows machine, a common place to find credentials is the Local Security Authority Subsystem Service (LSASS) process (lsass.exe). The LSASS process is responsible for managing computer security operations, including user authentication.
Recovering LSASS memory is probably the most known technique to retrieve sensitive secrets and can contain the following elements:
User / Machine hashes.
Cleartext credentials (if wdigest is enabled).
Kerberos tickets (TGT and ST).
DPAPI cached keys.
When a user connects interactively to the computer, either by physically accessing the computer or via RDP, the user's credentials are cached in the LSASS process in order to use SSO (Single Sign-On) when a network connection is required to access other computers in the domain.
Be aware that remote users authenticated with NTLM or Kerberos will not leave the credentials cached on the computer (in the lsass process), as these protocols do not actually send the user's credentials to the computer (unless Kerberos delegation is enabled), but a proof, which may be an NTLM hash or a Kerberos ticket generated with the credentials. In summary, you cannot extract credentials from remote users authenticated with NTLM or Kerberos. In short, you cannot extract credentials from lsass for remote users authenticated with NTLM or Kerberos (unless the protocol/service explicitly sends them after authentication, as RDP does, but this has nothing to do with NTLM or Kerberos).
The credentials are cached by some of the SSPs (Security Support Providers) that are used by LSASS to provide different authentication methods. Some of the SSPs are as follows:
The Kerberos SSP manages Kerberos authentication and is responsible for storing Kerberos tickets and keys for currently connected users.
The NTLMSSP or MSV SSP manages NTLM authentication and is responsible for storing NT hashes for currently logged-in users. It does not cache the credentials used.
The Digest SSP implements the Digest access protocol used by HTTP applications. It is the SSP that stores the user password in clear text in order to calculate the digest. Although password caching has been disabled by default since Windows 2008 R2, it is still possible to enable password caching by setting the HKLM\SYSTEM\CurrentControlSet\SecurityProviders\WDigest\UseLogonCredential registry entry to 1 or by patching the Digest SSP directly in memory.
Therefore, if you can access the memory of the LSASS process, for which SeDebugPrivilege is required (usually held by administrators) since LSASS is a system process, you can retrieve the cached credentials. These cached credentials, therefore, include the user's NT hash, Kerberos keys and tickets, and possibly the user's passwords in clear text if WDigest is enabled. A good technique is to activate WDigest on a server that is often used to collect passwords in clear text. It is possible to to that by editing the following registry HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential to REG_DWORD - 1.
Lsassy is a tool written in Python by Pixis that can be used to remotely extract identification information from the LSASS process on several machines.
Lsassy includes several well-known dumping methods such as comsvcs.dll, ProcDump, nanodump, PPLDump, etc. Lsassy has also been integrated as a module in the NetExec tool.
Secretsdump:
CrackMapExec:
Since then, Microsoft has implemented more protection around the LSASS process. With Windows Server 2012 R2 and 8.1 there is a feature called LSA (Local Security Authority) Protection according to the following Microsoft page it is possible to run LSASS as a protected process. Here's the registry key responsible for this: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL.
While there exists a workaround, like modifying a driver or bypass the signature verification code, it had become more difficult to dump the LSASS process, but not impossible.
After the use of PPLDump, PPLMedic, the latest solution that has been found is PPLFault.