LSA Secrets

By /


Windows NT and Windows 2000 support cached logon accounts. The operating system
default is to cache (store locally), the last 10 passwords. There are registry settings to turn this feature
off or restrict the number of accounts cached. RAS DUN account names and
passwords are stored in the registry. Service account passwords are stored in
the registry. The password for the computers secret account used to communicate
in domain access is stored in the registry. FTP passwords are stored in the
registry. All these secrets are stored in the following registry key:

Hive: HKEY_LOCAL_MACHINE
Key: SECURITY\Policy\Secrets

Can you imagine the hacker’s reaction when they see that registry name? Go
ahead. Start up regedt32 while logged in as administrator. Check out the
HKLM\SECURITY key. OPPS! Its grayed out. Even with admin access you can’t browse
it. OK. Admins can’t see it but we know the localsystem must be able to read it.
To view portions of the registry restricted to localsystem, you have to get
localsystem to start up regedt32 for you. How?

soon regedt32 /i

The soon utility is part of the Resource Kit. It is an easy way to
schedule events. If you don’t have access to the resource kit, you can use the
AT command (where 02:12 is a minute or two in the future):

AT 02:12 regedt32 /i

The /i parm says to allow the service to interactive with the
desktop, that is, make the command being run available to the desktop. When you
run this command, you will find that the HKLM\Secrets key is no longer greyed
out and you can explore and view contents. Be very careful. You can severly
damage your system.

There is a tool, lsadump2 , to read the LSA Secrets and display the juicy bits.
The results when I ran it on my home system:

D:\dnload\lsadump2>lsadump2

RasCredentials!S-1-5-21-459157917-1707938598-1849977318-500#0

 39 00 39 00 30 00 36 00 32 00 00 00 31 00 36 00  9.9.0.6.2…1.6.

 30 00 30 00 00 00 35 00 00 00 00 00 00 00 77 00  0.0…5…….w.

 6D 00 61 00 70 00 6C 00 65 00 73 00 00 00 00 00  m.a.p.l.e.s…..

 00 00 30 00 00 00 00 00                          ..0…..

RasDialParams!S-1-5-21-459157917-1707938598-1849977318-500#0

 39 00 39 00 30 00 36 00 32 00 00 00 31 00 36 00  9.9.0.6.2…1.6.

 30 00 30 00 00 00 36 00 33 00 00 00 00 00 2A 00  0.0…6.3…..*.

 00 00 77 00 6D 00 61 00 70 00 6C 00 65 00 73 00  ..w.m.a.p.l.e.s.

 00 00 77 00 77 00 77 00 77 00 77 00 77 00 77 00  ..w.w.w.w.w.w.w.

 31 00 00 00 00 00 31 00 00 00 00 00              1…..1…..

SAC

 02 00 00 00                                      ….

SAI

 02 00 00 00                                      ….

_SC_ClipSrv

 74 00 65 00 73 00 74 00                          t.e.s.t.
Ouch! it gives my dialup account name, wmaples, and my DUN
password, wwwwwww1 as well as the password used for the service ClipBook Server.
As you can imagine, the amount and sensitivity of the information revealed when
run against a server or a domain admins workstation is signficantly higher. I
hear your comment. You need console access (keyboard) to run the command and our
servers are physically secured.

But are you really safe? Are all of your servers well secured? What about
that test server in the admin’s office or in the test lab or office corner? Does
the domain admin keep his door locked or at least runs a password protected
screen saver to prevent a hacker or curious co-worker from running lsadump2 on
his workstation while he/she is on break? What about the shared laptop which
incidently shares domain passwords if lsadump2 is used?

Service accounts often are run using a powerful domain level account. This
account and its password can be found on many servers. Break through the
security barriers on the least protected and grab that domain account’s password
and you have the keys to the city. Sound pretty grim. It is. You need to
carefully consider what services are running and whether the account is a local
account or a domain account. If it is a domain account, restrict it to the boxes
it must run on (if possible).

Bottom line: if you haven’t had a penetration testing team do a full-scope
test against your environment, your security posture if certainly much worse
than you can imagine.

Background on lsadump2: LSAdump2 uses DLL injection to bypass the normal
access control on security information stored by the Local Security Authority
(LSA) in a form called LSA Secrets ( Q184017 and Q230681 ). The important thing to realize about LSA Secrets is
that it potentially contains passwords for accounts that logon from external
domains, as well as Dial-up Networking passwords. Like pwdump2, lsadump2 can be
an eye-opening audit tool for those that think they run a tight environment. All
it takes is the compromise of one poorly-secured system with an external logon
account, and intruders can island-hop into the external domain.

Start perusing my Tips for NT Administrators in the area of
Penetration Testing, Hacking, and Intrusion Detection for background
information.

About The Author

Read Next

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top