LSA Secrets

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Windows NT and Windows 2000 support cached logon accounts. The operating system default is to cache (store locally), the last 10 passwords. There are registry settings to turn this feature off or restrict the number of accounts cached. RAS DUN account names and passwords are stored in the registry. Service account passwords are stored in the registry. The password for the computers secret account used to communicate in domain access is stored in the registry. FTP passwords are stored in the registry. All these secrets are stored in the following registry key:

Hive: HKEY_LOCAL_MACHINE
Key: SECURITY\Policy\Secrets

Can you imagine the hacker's reaction when they see that registry name? Go ahead. Start up regedt32 while logged in as administrator. Check out the HKLM\SECURITY key. OPPS! Its grayed out. Even with admin access you can't browse it. OK. Admins can't see it but we know the localsystem must be able to read it. To view portions of the registry restricted to localsystem, you have to get localsystem to start up regedt32 for you. How?

soon regedt32 /i

The soon utility is part of the Resource Kit. It is an easy way to schedule events. If you don't have access to the resource kit, you can use the AT command (where 02:12 is a minute or two in the future):

AT 02:12 regedt32 /i

The /i parm says to allow the service to interactive with the desktop, that is, make the command being run available to the desktop. When you run this command, you will find that the HKLM\Secrets key is no longer greyed out and you can explore and view contents. Be very careful. You can severly damage your system.

There is a tool, lsadump2 , to read the LSA Secrets and display the juicy bits. The results when I ran it on my home system:

D:\dnload\lsadump2>lsadump2
RasCredentials!S-1-5-21-459157917-1707938598-1849977318-500#0
 39 00 39 00 30 00 36 00 32 00 00 00 31 00 36 00  9.9.0.6.2...1.6.
 30 00 30 00 00 00 35 00 00 00 00 00 00 00 77 00  0.0...5.......w.
 6D 00 61 00 70 00 6C 00 65 00 73 00 00 00 00 00  m.a.p.l.e.s.....
 00 00 30 00 00 00 00 00                          ..0.....
RasDialParams!S-1-5-21-459157917-1707938598-1849977318-500#0
 39 00 39 00 30 00 36 00 32 00 00 00 31 00 36 00  9.9.0.6.2...1.6.
 30 00 30 00 00 00 36 00 33 00 00 00 00 00 2A 00  0.0...6.3.....*.
 00 00 77 00 6D 00 61 00 70 00 6C 00 65 00 73 00  ..w.m.a.p.l.e.s.
 00 00 77 00 77 00 77 00 77 00 77 00 77 00 77 00  ..w.w.w.w.w.w.w.
 31 00 00 00 00 00 31 00 00 00 00 00              1.....1.....
SAC
 02 00 00 00                                      ....
SAI
 02 00 00 00                                      ....
_SC_ClipSrv
 74 00 65 00 73 00 74 00                          t.e.s.t.

Ouch! it gives my dialup account name, wmaples, and my DUN password, wwwwwww1 as well as the password used for the service ClipBook Server. As you can imagine, the amount and sensitivity of the information revealed when run against a server or a domain admins workstation is signficantly higher. I hear your comment. You need console access (keyboard) to run the command and our servers are physically secured.

But are you really safe? Are all of your servers well secured? What about that test server in the admin's office or in the test lab or office corner? Does the domain admin keep his door locked or at least runs a password protected screen saver to prevent a hacker or curious co-worker from running lsadump2 on his workstation while he/she is on break? What about the shared laptop which incidently shares domain passwords if lsadump2 is used?

Service accounts often are run using a powerful domain level account. This account and its password can be found on many servers. Break through the security barriers on the least protected and grab that domain account's password and you have the keys to the city. Sound pretty grim. It is. You need to carefully consider what services are running and whether the account is a local account or a domain account. If it is a domain account, restrict it to the boxes it must run on (if possible).

Bottom line: if you haven't had a penetration testing team do a full-scope test against your environment, your security posture if certainly much worse than you can imagine.

Background on lsadump2: LSAdump2 uses DLL injection to bypass the normal access control on security information stored by the Local Security Authority (LSA) in a form called LSA Secrets ( Q184017 and Q230681 ). The important thing to realize about LSA Secrets is that it potentially contains passwords for accounts that logon from external domains, as well as Dial-up Networking passwords. Like pwdump2, lsadump2 can be an eye-opening audit tool for those that think they run a tight environment. All it takes is the compromise of one poorly-secured system with an external logon account, and intruders can island-hop into the external domain.

Start perusing my Tips for NT Administrators in the area of Penetration Testing, Hacking, and Intrusion Detection for background information.

Featured Links