- Registry hive that stores the local account details including passwords.
- LM and NTLM hash.
- Hive encrypted using the SYSKEY.
- Protected against read while the operating system is running.
- The SYSTEM account has access.
- Keeps track of domain accounts that have logged in the computer.
- Save the last 10 connected users.
- Allows login when the DC is not reachable.
- Hashed with:
- DCCH version 1 (Windows XP and below)
- DCCH version 2 (Windows Vista and above)
- Registry key located in the SECURITY hive.
- Stores a wide variety of credentials:
- services executed with a domain account,
- Windows auto-login,
- VPN passwords.
- Passwords are encrypted.
- Password manager embedded in Windows.
- Credentials are saved in special folders called vaults that are encrypted using the DPAPI.
- Separated in two sections:
- Web Credential
- Windows Credential
- Group Policy Preferences is a GPO that allows deploying passwords on remote computers.
- Deprecated by Microsoft. Passwords were encrypted with a key common to all Windows installations (cPassword).
- GPP are stored on the SYSVOL share. Readable by any domain user.
- Contains all the Active Directory data including domain passwords.
- Encrypted with the SYSKEY.
- Protected against reading while the operating system is running but:
- the SYSTEM account has access,
- creating a Volume Shadow Copy using vssadmin allows to bypass this protection.
- Having access to the file is like being a domain admin.
- Key used to encrypt various local secret on a Windows computer.
- Password dumpers automatically retrieves it.
- API to encrypt various data.
- Uses a key derived from the user's password.
- Key element of the Microsoft domain to facilitate user life: once logged-in users do not have to re-enter passwords or credentials.
- LSASS keeps authentication material in memory.
Security Support Package (SSP)
- LSASS relies on Authentication Packages (DLLs) to properly store and verify secret material.
- Common Authentication Packages: MSV, Kerberos, TsPkg, WDigest, etc.
- Accesses the LSASS memory and dumps live secrets.
- SeDebugPrivilege is required.
- Other secrets include Kerberos tickets and PIN.
- Bruteforce, dictionary attacks.
- LM/NTLM hashes do not need to be cracked: network authentication relies on the hash, not on the clear text…
- Metasploit offers Pass-the-hash in multiple modules like
set SMBPass [lmhash]:[ntlmhash]
- Drop a binary in ADMIN$ through SMB and create a remote service that executes it.
- Can be used to deploy meterpreter.
- Network authentication protocol.
- Integrated into Windows to replace NTLM.
- Relies on the fact that clients and services share a secret with the authentication server.
- Just like hashes, Kerberos tickets are cached in memory. They are valid for 10 hours.
- They can be extracted and imported in other sessions or systems to authenticate elsewhere.
set RHOSTS [target_ip]
set user [domain_user]
set pass [domain_password]
set domain [full_domain_name] > Run
john --format=krb5tgs [hash_file]
- Allows impersonating any user on the remote service.