Credential Access
Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.
LSA
On Windows hosts, LSA handles authentication for users. It contains sensitive information that pentesters want to target, such as PC users' cleartext passwords, service account passwords, Internet Explorer passwords, etc. (dumping these requires SYSTEM privileges). However, modern versions of Windows do not store domain users' NTLM hashes as LSA secrets; instead, Windows employs a subsystem process known as LSASS to handle them. LSA secrets are therefore always worth dumping, but they are usually less valuable than LSASS.
LSASS
LSASS is a sub-system process of the Windows LSA service (it is a sub-system rather than a sub-process because it runs globally). LSASS stores credential information such as NTLM hashes and even cleartext passwords for domain users. You will need local admin rights to dump LSASS on a host. This is where you make your money on most internal engagements, as you can dump passwords, use them to pivot, and repeat until you hopefully find a domain administrator hash. Many tools can do this, such as Lsassy, Mimikatz, PyPyKatz, ProcDump or even the Task Manager.
SAM
The SAM file contains the password hashes of LOCAL users on a Windows host. This is useful for maintaining access to a single Windows computer, but usually not helpful for lateral movement, since you will need passwords for DOMAIN users who can authenticate across the network rather than to one host. However, local admin passwords are sometimes reused for domain users, so SAM is worth dumping as well.
DCSync
Impersonates a domain controller and requests a specific user's NTLM password hash. This requires the 'Directory Services Replication' privilege. By default, the necessary permissions are limited to the Domain Admins, Enterprise Admins, and Network Administrator groups. In practice this attack is useful for persistence once you have already compromised a domain, or if you get lucky and find a shadow administrator account on the network with domain replication permissions.
Linkedin Content Credit: Jake Murphy
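From the defender's side, the replication privilege DCSync depends on is what gives it away: a DCSync request shows up on the domain controller as a Security event 4662 whose Properties carry the replication control-access right GUIDs. The following is an added example (not part of the original notes) that applies that check to constructed, JSON-exported 4662 records; the machine-account heuristic and the sample records are assumptions for illustration.

```python
import json

# Well-known Active Directory control-access right GUIDs used for directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}


def is_machine_account(subject: str) -> bool:
    """Simplified heuristic (assumption): machine accounts end in '$'. Domain controllers
    replicate legitimately; in production replace this with an explicit allow-list of
    DC accounts and any sanctioned sync accounts (e.g. a directory-sync service)."""
    return subject.endswith("$")


def detect_dcsync(events):
    """Return one alert per 4662 event that requests a replication right
    from a subject that is not a machine account."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        props = ev.get("Properties", "").lower()
        hits = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        subject = ev.get("SubjectUserName", "")
        if hits and not is_machine_account(subject):
            alerts.append({"user": subject, "rights": hits})
    return alerts


def load_events(text):
    """Parse one JSON object per line (shape of an exported Security log)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample records: a DC replicating normally, a user account requesting
# both replication rights (DCSync-like), and an unrelated logon event.
SAMPLE_LOG = """\
{"EventID": 4662, "SubjectUserName": "DC01$", "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "jdoe", "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4624, "SubjectUserName": "jdoe"}
"""

if __name__ == "__main__":
    for alert in detect_dcsync(load_events(SAMPLE_LOG)):
        print(alert)
```

Only the user-account request is reported; the DC's own replication and the logon event are ignored.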