Attacking SAM & LSASS
Attacking SAM
With access to a non-domain joined Windows system, we may benefit from attempting to quickly dump the files associated with the SAM database to transfer them to our attack host and start cracking hashes offline.
There are three registry hives that we can copy if we have local admin access on the target ->

| Registry Hive | Description |
|---|---|
| hklm\sam | Contains the hashes associated with local account passwords. We will need the hashes so we can crack them and get the user account passwords in cleartext. |
| hklm\system | Contains the system bootkey, which is used to encrypt the SAM database. We will need the bootkey to decrypt the SAM database. |
| hklm\security | Contains cached credentials for domain accounts. We may benefit from having this on a domain-joined Windows target. |
We can create backups of these hives using the reg.exe utility.
Once the hives are saved offline, we can use various methods to transfer them to our attack host. In this case, let's use Impacket's smbserver.py to host a share.
Once we have the share running on our attack host, we can use the move command on the Windows target to move the hive copies to the share.
Once everything is on the attack host, we can dump the hashes from the hive copies using Impacket's secretsdump.py ->
We can copy the NT hashes associated with each user account into a text file and start cracking passwords.
Then we can crack them with hashcat ->
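As an added defender-side example (not code from the HTB Academy module these notes summarize), the following Python flags the reg.exe hive saves described above in process-creation telemetry. It rates an actor who saves both SAM and SYSTEM within a short window as high severity, because SAM alone cannot be decrypted without the SYSTEM bootkey, and rates a lone hive save as medium for triage. The Sysmon-like field names, hosts, users, timestamps and paths are constructed for the demo.

```python
"""Detect offline extraction of the SAM, SYSTEM and SECURITY hives with reg.exe.

Added example for these notes, not code from the HTB Academy module they
summarize. Input records are constructed to resemble Sysmon Event ID 1
(Process Create) fields; any EDR feed with image, command line, user and
timestamp can be mapped onto the same shape.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A reg save of any of the three credential-bearing hives named in the table above
HIVE_RE = re.compile(
    r'\breg(?:\.exe)?\s+save\s+"?(?:hklm|hkey_local_machine)\\(sam|system|security)\b',
    re.IGNORECASE,
)

# Constructed telemetry: hosts, users, times and paths are invented for the demo
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T10:00:00", "host": "WS01", "user": "WS01\\bob",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmd": "reg.exe save hklm\\sam C:\\sam.save"},
    {"ts": "2024-03-01T10:00:05", "host": "WS01", "user": "WS01\\bob",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmd": "reg.exe save hklm\\system C:\\system.save"},
    {"ts": "2024-03-01T10:00:09", "host": "WS01", "user": "WS01\\bob",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmd": "reg.exe save hklm\\security C:\\security.save"},
    {"ts": "2024-03-01T11:30:00", "host": "WS02", "user": "WS02\\alice",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmd": "reg.exe query hklm\\software\\microsoft\\windows\\currentversion"},
    {"ts": "2024-03-01T12:00:00", "host": "WS03", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmd": "reg save HKLM\\SYSTEM C:\\Backup\\system.bak"},
]


def hive_saves(events):
    """Yield (event, hive) for every reg.exe save of sam, system or security."""
    for ev in events:
        if not ev["image"].lower().endswith("\\reg.exe"):
            continue
        m = HIVE_RE.search(ev["cmd"])
        if m:
            yield ev, m.group(1).lower()


def correlate(events, window=timedelta(minutes=5)):
    """Group hive saves by host and user. SAM is useless without the SYSTEM
    bootkey, so saving both within the window is rated high; a lone hive save
    (for example a scheduled SYSTEM backup) is rated medium for triage."""
    by_actor = defaultdict(list)
    for ev, hive in hive_saves(events):
        by_actor[(ev["host"], ev["user"])].append((datetime.fromisoformat(ev["ts"]), hive))

    findings = []
    for (host, user), items in sorted(by_actor.items()):
        items.sort()
        hives = sorted({hive for _, hive in items})
        span = items[-1][0] - items[0][0]
        severity = "high" if {"sam", "system"} <= set(hives) and span <= window else "medium"
        findings.append({"host": host, "user": user, "hives": hives,
                         "severity": severity, "first_seen": items[0][0].isoformat()})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Running the block prints one high-severity finding for WS01 (all three hives within nine seconds) and one medium finding for WS03 (a single SYSTEM save). The regex accepts the hkey_local_machine long form and an optional quote before the hive path, and the correlation window is a parameter so it can be widened for slower, interactive operators.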
Remote Dumping
Using CrackMapExec (NetExec is the better choice today, but the course uses cme), we can extract credentials from a running service, scheduled task, or application that uses LSA secrets to store passwords.
Dumping SAM Remotely
Apply the concepts taught in this section to obtain the password to the ITbackdoor user account on the target. Submit the clear-text password as the answer.
Dump the LSA secrets on the target and discover the credentials stored. Submit the username and password as the answer.
Attacking LSASS
LSASS is a critical service that plays a central role in credential management and the authentication processes in all Windows operating systems.
LSASS will:
Cache credentials locally in memory
Create access tokens
Enforce security policies
Write to Windows security log
With access to an interactive graphical session on the target, we can use Task Manager to create a memory dump of the LSASS process.
A dump file will be created here ->
We can then transfer the file to our attack host just like the SAM hive copies.
Rundll32
We can use an alternative method to dump LSASS process memory through a command-line utility called rundll32.exe. This way is faster than the Task Manager method and more flexible because we may gain a shell session on a Windows host with only access to the command line.
We must first determine which process ID (PID) is assigned to lsass.exe, using cmd or PowerShell.
CMD:
Powershell:
Then we can use rundll32 ->
Here we run rundll32.exe to call an exported function of comsvcs.dll, which in turn calls MiniDumpWriteDump (MiniDump) to write the LSASS process memory to a specified file (C:\lsass.dmp). We can transfer that file to the attack host just like the others.
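As an added defender-side example (not code from the HTB Academy module these notes summarize), the following Python shows how both LSASS dump methods above surface in endpoint telemetry: the Task Manager and rundll32 routes each open a handle on lsass.exe with memory-read rights, which Sysmon records as a ProcessAccess event with a hex GrantedAccess mask, and the rundll32 route also leaves a recognisable command line. The access-right constants are the winnt.h values; the allowlist, field names, paths, PID and records are constructed assumptions for the demo.

```python
"""Flag handles opened on lsass.exe with memory-read rights, plus the
rundll32/comsvcs dump command line described above.

Added example for these notes, not code from the HTB Academy module. Records
are constructed to resemble Sysmon Event ID 10 (ProcessAccess) and Event ID 1
(Process Create) fields; GrantedAccess is the hex string Sysmon logs.
"""
import re

# Process access rights (winnt.h), lowest bit first
RIGHTS = [
    (0x0001, "PROCESS_TERMINATE"),
    (0x0002, "PROCESS_CREATE_THREAD"),
    (0x0008, "PROCESS_VM_OPERATION"),
    (0x0010, "PROCESS_VM_READ"),
    (0x0020, "PROCESS_VM_WRITE"),
    (0x0040, "PROCESS_DUP_HANDLE"),
    (0x0400, "PROCESS_QUERY_INFORMATION"),
    (0x1000, "PROCESS_QUERY_LIMITED_INFORMATION"),
]
PROCESS_ALL_ACCESS = 0x1FFFFF
PROCESS_VM_READ = 0x0010
WRITE_OR_THREAD = 0x0002 | 0x0020   # rights a memory dump never needs

# Illustrative allowlist of OS processes that hold lsass handles by design.
# Assumption for the demo: tune per environment, this is not an authoritative list.
ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

# rundll32 invoking comsvcs.dll's MiniDump export (the method described above)
COMSVCS_RE = re.compile(
    r"rundll32(?:\.exe)?\b.*comsvcs(?:\.dll)?\s*,\s*MiniDump\b", re.IGNORECASE)

# Constructed ProcessAccess records (paths and masks invented for the demo)
SAMPLE_ACCESS = [
    {"SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
]


def decode_access(granted):
    """Translate Sysmon's GrantedAccess hex string into named rights."""
    mask = int(granted, 16)
    if mask & PROCESS_ALL_ACCESS == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in RIGHTS if mask & bit]


def classify_access(ev):
    """Verdict for one ProcessAccess record, or None when it is not worth a look."""
    if not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
        return None
    if ev["SourceImage"].lower() in ALLOWLIST:
        return None
    mask = int(ev["GrantedAccess"], 16)
    rights = decode_access(ev["GrantedAccess"])
    if mask & PROCESS_VM_READ:       # the minimum a MiniDumpWriteDump-style dump needs
        return {"verdict": "lsass-memory-read", "rights": rights}
    if mask & WRITE_OR_THREAD:       # no read, but write/thread rights: injection-style access
        return {"verdict": "lsass-write-or-thread", "rights": rights}
    return None


def is_comsvcs_dump(command_line):
    """True for a process-create command line matching the rundll32/comsvcs technique."""
    return bool(COMSVCS_RE.search(command_line))


def scan(access_events):
    """Return (source image, verdict, rights) for every flagged lsass access."""
    out = []
    for ev in access_events:
        v = classify_access(ev)
        if v:
            out.append((ev["SourceImage"], v["verdict"], v["rights"]))
    return out


if __name__ == "__main__":
    for hit in scan(SAMPLE_ACCESS):
        print(hit)
    # Constructed command line in the shape described above; 672 is a made-up PID
    print(is_comsvcs_dump(r"rundll32.exe C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full"))
```

Run as a script, it flags the rundll32 record (PROCESS_ALL_ACCESS) and the Taskmgr record (VM_READ plus the two query rights), leaves the allowlisted csrss handle and the query-only svchost handle alone, and ignores the handle whose target is not lsass. Matching on the decoded mask rather than on a fixed value such as 0x1410 keeps the rule stable when a tool requests a slightly different combination of rights.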
Pypykatz to Extract Credentials
Now that we have our dmp file we can use pypykatz to attempt to extract credentials from the .dmp file.
The output will look something like this ->
Now we can use Hashcat to crack the NT Hash.
Apply the concepts taught in this section to obtain the password to the Vendor user account on the target. Submit the clear-text password as the answer.