Credential Harvesting (Part 2)

Local Security Authority Subsystem Service (LSASS)

The Windows process known as the Local Security Authority Subsystem Service (LSASS) enforces the operating system's security policy on a machine. It verifies passwords, hashes, and Kerberos tickets and keeps track of the accounts that are currently logged on. To spare users from re-entering credentials every time they connect to something, Windows caches credential material inside the LSASS process. This is what lets users reach network resources such as file shares, SharePoint sites, and other network services without being prompted again.

However, because it holds sensitive material for every logged-on account, penetration testers find the LSASS process to be a tasty target. Credentials dumped from LSASS are frequently used to elevate privileges, steal data, or move laterally. Dumping LSASS process memory requires administrator access. The Windows operating system permits the creation of dump files and snapshots of running processes, and LSASS is one of them. To prevent LSASS from being opened and used to pull credentials from memory, Microsoft introduced LSA protection in 2012. 

Windows Credential Manager

Credential Manager is a Windows feature that stores logon-sensitive information for websites, applications, and networks. It holds login details such as usernames, passwords, and internet addresses. The four credential categories are:
  1. Web credentials contain authentication details stored by Internet browsers or other applications.
  2. Windows credentials contain Windows authentication details such as NTLM or Kerberos.
  3. Generic credentials contain basic authentication details such as clear-text usernames and passwords.
  4. Certificate-based credentials contain details used for certificate-based authentication.

A penetration tester can access Windows Credential Manager through the GUI or from the command prompt. Alternatively, the built-in command-line tool RunAs can be used. It runs Windows applications or tools under a different user's permissions, and its /savecred argument lets users save their credentials in Windows Credential Manager. Mimikatz can then be used to dump the clear-text passwords stored in Credential Manager from memory. 
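As an added defender-side example (not code from the original post), the following PowerShell checks the three things the two sections above point at: whether LSA protection is enabled (and how to enable it), which targets currently have credentials saved in Credential Manager, and which processes recently opened handles to lsass.exe. It assumes an elevated session and, for the last check, that Sysmon is installed and logging Event ID 10 (ProcessAccess) to its Operational log.

```powershell
# Added example for this post, not part of the original text. Assumptions:
#  - run from an elevated PowerShell session on the host being audited
#  - Sysmon is installed and records ProcessAccess (Event ID 10) in its Operational log

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Test-LsaProtection {
    # RunAsPPL runs lsass.exe as a Protected Process Light, so unsigned code
    # cannot open it with the read rights a memory dump needs.
    $val = (Get-ItemProperty -Path $LsaKey -ErrorAction SilentlyContinue).RunAsPPL
    [pscustomobject]@{
        RunAsPPL = $(if ($null -eq $val) { 'absent' } else { $val })
        Enabled  = ($val -eq 1 -or $val -eq 2)  # 1 = enabled and UEFI-locked, 2 = enabled without UEFI lock
    }
}

function Enable-LsaProtection {
    # Mitigation: persist the setting; it takes effect after a reboot.
    New-ItemProperty -Path $LsaKey -Name RunAsPPL -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-StoredCredentialTargets {
    # Lists the targets that have secrets in the current user's Credential Manager vault
    # (including anything saved through "runas /savecred"); review and remove stale entries.
    cmdkey /list 2>$null |
        Where-Object { $_ -match '^\s*Target:' } |
        ForEach-Object { ($_ -split ':\s*', 2)[1].Trim() }
}

function Get-LsassAccessEvents {
    param([int]$Hours = 24)
    # Detection: Sysmon Event 10 logs one process opening a handle to another. A handle to
    # lsass.exe with memory-read rights from anything but known system binaries is the
    # classic signal of a credential dump in progress.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10;
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'TargetImage:\s*\S*\\lsass\.exe' } |
        ForEach-Object {
            $m = $_.Message
            [pscustomobject]@{
                Time          = $_.TimeCreated
                SourceImage   = [regex]::Match($m, 'SourceImage:\s*(.+)').Groups[1].Value.Trim()
                GrantedAccess = [regex]::Match($m, 'GrantedAccess:\s*(\S+)').Groups[1].Value
            }
        }
}

Test-LsaProtection
Get-StoredCredentialTargets
Get-LsassAccessEvents -Hours 24 | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run Enable-LsaProtection only after confirming that any LSA plug-ins or credential providers in use are signed, since unsigned ones stop loading once RunAsPPL is on.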

Conclusion

This part covered two credential harvesting techniques: dumping credentials from LSASS process memory and reading saved credentials from Windows Credential Manager.