Hunt for credentials

Password databases

There are various authentication methods on Windows systems, and each of them stores or caches the credentials passed to it. In this module, we will look at the main types of authentication, where the transferred data is cached, and how you can access it.

This article is presented for educational purposes only. Red Team community “GISCYBERTEAM” is not responsible for any consequences of its use by third parties.

SAM

Password hashes of all local accounts are stored in the SAM (System Account Manager) registry file. At its core, SAM is a database of accounts that can be accessed in many different ways. For example, you can save the registry hives HKLM\SYSTEM and HKLM\SAM, transfer them to your host, and use impacket-secretsdump to extract the passwords:

C:> reg save HKLM\SYSTEM SYSTEM
C:> reg save HKLM\SAM SAM
impacket-secretsdump -system SYSTEM -sam SAM

Or you can immediately dump passwords remotely:

impacket-secretsdump DOMAIN/USER:PASSWORD@TARGET_IP

We can also extract passwords using mimikatz, having previously saved the SAM and SYSTEM files:

lsadump::sam /system:SYSTEM /sam:SAM

Or via the meterpreter shell in metasploit:

meterpreter> hashdump

Attention! To gain access to the SAM and SYSTEM files, you must have backup operator, administrator, or system privileges.

LSA and LSASS

LSA (the Local Security Authority) is a protected subsystem of Windows that stores information about all aspects of local security.

LSASS (the Local Security Authority Subsystem Service) is the process in Windows that is responsible for managing the various authentication mechanisms. It performs credential verification for both local and domain users and is also responsible for keeping user credentials in memory.

There are many tools and techniques for dumping the LSASS process, just as there are for the SAM database. The most popular among them:

Newer and more advanced tools:

NTDS.DIT

The NTDS.DIT file is a database located on the domain controller in the C:\Windows\NTDS\ folder. This database stores Active Directory information about users, groups, and group memberships. It also includes the password hashes of all users in the domain.

Authentication Types

Now let's look at the different logon types on Windows systems, see which logon event ID each of them generates, and look at where the credentials for each of them are saved.

Interactive Logon

Interactive logon is logging on at the console of a physical machine after turning it on, or starting a process through runas:

runas /user:USER cmd.exe

In this case, if you log in with a local account, the NT hash is entered into SAM. If the account is a domain account, the hash is entered into lsass, and the computer additionally verifies the transmitted credentials by requesting a TGT ticket, which is saved in the ticket cache. The contents of the ticket cache can be viewed with the command:

klist

The logon type ID for this kind of logon is 2.

NewCredentials Logon

A NewCredentials logon occurs when runas is used with the /netonly flag:

runas /user:USER cmd.exe /netonly

In this case, the passed credentials are only used when the process needs a network connection; until then they are not checked, and the process runs in the context of the current user.

Logon type ID 9 is used for this kind of logon.

These credentials are also saved by the lsass process.

Network Logon

This type of logon occurs over the network when connecting to, for example, WinRM, SMB, RPC, etc. For this type of authentication a password, a hash, or a Kerberos ticket can be used, which means this logon type is the one that allows Pass-the-Hash, Pass-the-Ticket, and Pass-the-Key attacks.

During a network logon, the data is not saved anywhere on the target. This type of logon is logged with ID 3.

Batch Logon

The Batch logon type is used when running scheduled tasks under any user. This type of logon is marked with ID 4.

The credentials in this case are saved in lsass when the task is launched.

Remote Interactive Logon

Remote Interactive logon is used when we connect to a remote machine via RDP. This type of logon has ID 10.

RDP uses CredSSP for authentication, so passwords are sent over the network to the remote host and cached by the lsass process.

The CredSSP (Credential Security Support Provider) protocol is a security support provider implemented through the Security Support Provider Interface (SSPI) that allows an application to delegate user credentials from a client to a target server for remote authentication.
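To turn the logon type mapping above into something a defender can run over 4624 events, here is an added example (not code from the original article or from GISCYBERTEAM). It takes a CSV export of logon events (the column names are assumed, as from a Get-WinEvent export) and reports, per host, which accounts have logged on with a type that leaves credentials in lsass; the sample rows are constructed.

```python
"""Classify Windows 4624 logon events by LogonType and report which accounts
have left reusable credentials in LSASS on which hosts."""
import csv
import io
from collections import defaultdict

# Mapping taken from the article: logon type -> (name, credentials cached in lsass?)
LOGON_TYPES = {
    2: ("Interactive", True),
    3: ("Network", False),
    4: ("Batch", True),
    9: ("NewCredentials", True),
    10: ("RemoteInteractive", True),
}

# Constructed sample export of 4624 events (assumed column names); not real log data.
SAMPLE_CSV = """TimeCreated,Computer,TargetUserName,LogonType,IpAddress
2024-05-01T08:00:00,WS01,alice,2,-
2024-05-01T08:05:12,WS01,svc_backup,4,-
2024-05-01T09:14:03,WS01,admin,10,10.0.0.5
2024-05-01T09:20:44,FS01,admin,3,10.0.0.7
2024-05-01T09:31:09,WS02,bob,9,-
2024-05-01T10:02:51,FS01,alice,3,10.0.0.9
"""


def parse_events(text):
    """Parse exported 4624 rows into dicts; LogonType is converted to int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["LogonType"] = int(row["LogonType"])
        rows.append(row)
    return rows


def describe(event):
    """One-line summary of an event, including whether its type caches credentials."""
    name, cached = LOGON_TYPES.get(event["LogonType"], ("Unknown", False))
    return (f"{event['Computer']}: {event['TargetUserName']} {name} "
            f"(type {event['LogonType']}) cached={cached}")


def cached_credentials(events):
    """Return {host: sorted accounts} for logons whose type leaves credentials in lsass.
    Hosts that only saw Network (type 3) logons do not appear, since nothing is cached."""
    exposure = defaultdict(set)
    for ev in events:
        _, cached = LOGON_TYPES.get(ev["LogonType"], ("Unknown", False))
        if cached:
            exposure[ev["Computer"]].add(ev["TargetUserName"])
    return {host: sorted(users) for host, users in exposure.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_CSV)
    for ev in evs:
        print(describe(ev))
    print(cached_credentials(evs))
```

In the sample data, admin appears on WS01 (RDP, type 10) but not on FS01 (SMB, type 3), which is exactly the distinction the article draws between cached and non-cached logons.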

Conclusion

Today we looked at the main logon types in Windows and found out in which situations credentials are saved. To summarize: credentials are retained during Interactive, Remote Interactive, Batch, and NewCredentials logons. In the case of Network logon, credentials are not cached.
