Credential Dumping: Local Security Authority (LSA|LSASS.EXE)

LSA and LSASS stands for “Local Security Authority” And “Local Security Authority Subsystem (server) Service”, respectively

The Local Security Authority (LSA) is a protected system process that authenticates and logs users on to the local computer. Domain credentials are used by the operating system and authenticated by the Local Security Authority (LSA). The LSA can validate user information by checking the Security Accounts Manager (SAM) database located on the same computer.

The LSA is a user-mode process (LSASS.EXE) used to stores security information of a system known as the Local Security Policy. The LSA maintains local security policy information in a set of objects.

  • The policy contains global policy information.
  • TrustedDomain contains information about a trusted domain.
  • The account contains information about a user, group, or local group account.
  • Private Data contains protected information, such as server account passwords. This information is stored as encrypted strings.

LSASS manages the local system policy, user authentication, and auditing while handling sensitive security data such as password hashes and Kerberos keys. The secret part of domain credentials, the password, is protected by the operating system. Only code running in-process with the LSA can read and write domain credentials.

LSASS can store credentials in multiple forms, including:

  • Reversibly encrypted plaintext
  • Kerberos tickets (ticket-granting tickets (TGTs), service tickets)
  • NT hash
  • LAN Manager (LM) hash

LSA (LSASS.EXE) Credential Dumping Walkthrough

Required Tools or Scripts: Mimikatz.exe & Mimikatz.ps1, Procdump PowerShell Empire, Koadic, Metasploit

Host Machine: In the context of lsass.exe Windows 7 & for LSA Windows 10

Table of Content

  • Windows 7 (lsass.exe) Credential Dump using Mimikatz
  • Windows 10 (LSA) Credential Dump using Mimikatz
  • PowerShell Empire
  • Koadic
  • Metasploit
  • CrackMapExec

Windows 7 (lsass.exe) Credential Dump using Mimikatz

Method 1: Task manager

In your local machine (target) and open the task manager, navigate to processes for exploring running process of lsass.exe and make a right-click to explore its snippet.  Choose “Create Dump File” option which will dump the stored credential.

You will get the “lsass.DMP” file inside the /Temp directory of the user account directory under /AppData/local

Now start mimikatz to get the data out of the DMP file using the following command:

As you can see from the image below, we have a clear text password.

Method 2: ProcDump

The ProcDump tool is a free command-line tool published by Sysinternals whose primary purpose is monitoring an application and generating memory dumps.

Use the “-accepteula” command-line option to automatically accept the Sysinternals license agreement and “-ma” Parameter to write a dump file with all process memory (lsass.exe) in a .dmp format.

Again, repeat the same step and use mimikatz to read the mem.dmp file.

And now, as you can see from the image below, we’ve got a clear-text password.

Method 2: comsvcs.dll

The comsvcs.dll DLL found in Windows\system32 that call minidump with rundll32, so you can use it to dump the Lsass.exe process memory to retrieve credentials. Let’s identify the process ID for lsass before running the DLL.

Again, repeat the same step and use mimikatz to read the mem.dmp file.

Again, we’ve got a clear-text password.

Windows 10 (LSA) Credential Dump

Method 1: Task manager

The Lsass.exe is renamed as LSA in Windows 10 and process can be found by the name of “Local Security Authority” inside the task manager.  It will also save the dump file in .dmp format so, again repeat the same steps as done above.

Go to the Task Manager and explore the process for Local Security Authority, then extract its dump as shown.

You will get the “lsass.DMP” file inside the /Temp directory of the user account directory under /AppData/local.

Again, repeat the same step and use mimikatz to read the dmp file.

Since it was Windows 10 therefore, the level of security get increases and we have obtained the password hashes, as you can see from the given below image.

Method 2: Mimikatz parameter -patch

The “-patch” parameter is patching the samsrv.dll running inside lsass.exe which displays LM and NT hashes. So, you when you will execute the following commands it will dump the password hashes.

Method3: Mimikatz – Token Elevation

We are using mimikatz once again to get the hashes directly, without involving any dump file or DLL execution this is known as “Token Impersonation”. As you can observe, we got an error when we try to run following command as a local user.

This can be done by impersonate a token that will be used to elevate permissions to SYSTEM (default) or find a domain admin token and as the result, you will able to dump the password in clear-text.

Method 4: Editing File Permission in the Registry

The LSA secrets are held in the Registry. If services are run as local or domain user, their passwords are stored in the Registry. If auto-logon is activated, it will also store this information in the Registry.

This can be done also done locally by changing permission values inside the registry. Navigate to Computer\HKEY_LOCAL_MACHINE\SECURITY.

Expand the SECURITY folder and choose permissions from inside the list.

Allow “Full Control” to the Administrator user as shown.

As you can observe that this time, we are able to fetch sub-folders under Security directories.

So, once you run the following command again, you can see the credential in the plain text as shown.

Method 5: Save privilege File of the Registry

Similarly, you can use another approach that will also operate in the same direction. Save system and security registry values with the help of the following command.

As you can see if you use  the “lsa::secrets” command without a specified argument, you will not be able to retrieve the password, but if you enter the path for the file described above, mimikatz will dump the password in plain text.

PowerShell Empire

Empire is one of the good Penetration Testing Framework that works like as Metasploit, you can download it from GitHub and install in your attacking machine in order to launch attack remotely.

This is a post exploit, thus first you need to be compromised the host machine and then use the following module for LSA secrets dumps

As a result, it dumps password hashes saved as shown in the given image.

Koadic

Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. It allows the attacker to run comsvcs.dll that will call the minidump and fetch the dump of lsass.exe to retrieve stored NTLM hashes. Read more from here

As a result, it dumped the password hashes saved as shown in the given image.

Metasploit

Method1: Load kiwi

As we all know Metasploit is like the Swiss Knife, it comes with multiple modules thus it allows the attacker to execute mimikatz remotely and extract the Lsass dump to fetch the credentials. Since it is a post-exploitation thus you should have meterpreter session of the host machine at Initial Phase and then load kiwi in order to initialise mimikatz and execute the command.

Method2: Load powershell

Similarly, you can also load PowerShell in the place of kiwi and perform the same operation, here we are using PowerShell script of mimikatz. This can be done by executing the following commands:

This will be dumping the password hashes as shown in the below image.

CrackMapExec

CrackMapExec is a really sleek tool that can be installed with a simple apt install and it runs very swiftly. LSA has access to the credentials and we will exploit this fact to harvest the credentials with this tool so we will manipulate this script to dump the hashes as discussed previously. It requires a bunch of things.

Requirements:

Username: Administrator

Password: [email protected]

IP Address: 192.168.1.105

Syntax: crackmapexec smb [IP Address] -u ‘[Username]’ -p ‘[Password]’ –lsa

Read More: Lateral Moment on Active Directory: CrackMapExec

Conclusion: In this post, you learned about Windows LSA Protection and its working along with its multiple techniques to exploit in context to get clear text passwords or hashes. Most of the attacks replaced the original lsass.exe from malware lsass.exe to make deceive the security monitors.

Reference:

Credentials Processes In Windows Authentication

LSA Policy Objects

AuthorYashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contachere

Leave a Reply

Your email address will not be published. Required fields are marked *