Pages

Tuesday, April 17, 2012

LSA Secrets

What are LSA Secrets

LSA secrets is a special protected storage for important data used by the Local Security Authority (LSA) in Windows. LSA is designed for managing a system's local security policy, auditing, authenticating, logging users on to the system, storing private data.

Where are stored

This "secret" information is stored in an encrypted format at system location in the registry (in HKLM\SECURITY\Policy\Secrets). Normally these registry keys are not visible even if you run regedit as administrator. The permissions for this key show that only the SYSTEM account has access to this key. There are some possibilities to access them though (granting read permission from regedit to the Admnistrator account didn't work for me, maybe because it didn't apply for the sub-keys,  I don't know):
  • Run a command prompt from task scheduler. A scheduled task will run in the context of the Task Scheduler service's account, being SYSTEM. A new task can be scheduled with the command:
at 09:45 /INTERACTIVE cmd.exe

and will appear in c:\WINDOWS\Tasks folder. 

In the new command prompt opened at hour 09:45 for example, if you run regedit now will be under SYSTEM user (this can be checked in Process Explorer, or with the following command line:

tasklist /FI "USERNAME eq NT AUTHORITY\SYSTEM"
  • A second option would be to use PsExec tool from SysInternals, that is used to execute programs on remote systems, with the -s flag (Run the remote process in the System account):  
psexec -s cmd

And in the new cmd opened under system account query for registry keys, like:

reg query HKEY_LOCAL_MACHINE\SECURITY\policy
  • A third approach would be a programmatic access to LSA secrets, described in the next section, that allows also creating new entries.

Programmatic approach

  • There are already some utilities to view secrets stored by LSA ([1], [2], [3]
  • and also details on how to access them using some deprecated (but still working!) API (LsaStorePrivateData/LsaRetrievePrivateData) on [4] and [5]
  • I've also written 2 small utilities(code here) to test how to add new secrets (key + value) and read them.

Getting current login password

Each secret (key) in HKLM\SECURITY\Policy\Secrets contains the data in CurrVal sub-key. For example on systems with auto logon enabled, there is a key DefaultPassword that contains the password cached. For some reasons this key already exists (with the password also) even on some systems without auto logon (I had that key on a Windows XP SP3, and I have never had auto login, so I couldn't find out why and when this key is created). 
A method to (try  to) get the logon password (used by lots of tools also) is to query the value from DefaultPassword key.
After building LsaSecretRead from [6]  ( nmake LsaSecretRead ) it's easy:

LsaSecretRead.exe DefaultPassword

References


  1. Oxid.it LSA Secrets Dumper
  2. Nirsoft LSASecretsDump
  3. Nirsoft LSASecretsView
  4. Insecure.org NT LSA Secrets
  5. Discovering Windows Default Password Using LsaRetrievePrivateData
  6. Secrets google code project

No comments:

Post a Comment