LSA secrets are an area of the registry where Windows stores sensitive information, including:
- Account passwords for services configured to run as ordinary user accounts rather than as Local System, Network Service or Local Service.
- The password used to log on to Windows when auto-logon is enabled or, more generally, the password of the user logged on at the console (the DefaultPassword entry).
LSA secrets are stored in the registry hive HKEY_LOCAL_MACHINE\Security\Policy\Secrets. Each secret has its own key. The parent key, HKEY_LOCAL_MACHINE\Security\Policy, contains the data needed to access and decode the secrets.
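As an added audit example (not code from the original page), the following PowerShell script checks a host for the two kinds of data the text says end up in LSA secrets: an auto-logon password under the Winlogon key, and services that run under explicit user accounts (whose passwords Windows keeps as LSA secrets named _SC_<ServiceName>). It is read-only and assumes an elevated prompt; the list of built-in account names it treats as "no stored password" is the script's own assumption.

```powershell
# Added audit example, not from the original page. Run elevated; makes no changes.

# 1. Auto-logon: AutoAdminLogon=1 plus a DefaultPassword value means the logon password
#    is in the registry in clear text (and mirrored into the DefaultPassword LSA secret).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogon

if ($wl.AutoAdminLogon -eq '1') {
    Write-Warning ("Auto-logon is enabled for user '{0}' (domain '{1}')." -f
        $wl.DefaultUserName, $wl.DefaultDomainName)
}
if (-not [string]::IsNullOrEmpty($wl.DefaultPassword)) {
    Write-Warning "A clear-text DefaultPassword value is present under Winlogon."
}

# 2. Services running under user accounts. Built-in accounts, virtual accounts
#    (NT SERVICE\...) and (group) managed service accounts (name ends in '$')
#    have no password stored in LSA secrets, so they are excluded. Assumed list.
$builtin = @(
    'LocalSystem',
    'NT AUTHORITY\LocalSystem',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService'
)

$userAccountServices = Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.StartName -and
        $_.StartName -notin $builtin -and            # -notin is case-insensitive
        $_.StartName -notlike 'NT SERVICE\*' -and
        $_.StartName -notlike '*$'
    } |
    Select-Object Name, StartName, State, StartMode

if ($userAccountServices) {
    Write-Warning "Services whose account password is stored as an LSA secret (_SC_<Name>):"
    $userAccountServices | Format-Table -AutoSize
} else {
    'No services run under explicit user accounts.'
}
```

Each service listed is a candidate for migration to a virtual or managed service account, which removes the corresponding secret from the hive; an AutoAdminLogon finding is normally resolved by disabling auto-logon and clearing DefaultPassword.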
Tools to extract Windows Credentials & LSA secrets
These tools extract cached credentials and LSA secrets from the registry and/or from the lsass.exe process. As a result they are commonly classified as 'hacking tools' and blocked by antivirus software. Use at your own risk!
creddump is a Python tool that extracts various credentials and secrets from Windows registry hives. It currently extracts:
- LM and NT hashes (SYSKEY protected)
- Cached domain passwords
- LSA secrets
It essentially performs all the functions that bkhive/samdump2, cachedump and lsadump2 do, but in a platform-independent way.
It is also the first tool that does all of these things offline (Cain & Abel does as well, but it is not open source and only runs on Windows).
CacheDump creates a CacheDump NT service to obtain SYSTEM privileges and do its work on the registry. It then retrieves the LSA cipher key to decrypt the cache entry values (an RC4/HMAC-MD5 mishmash).
quarkspwdump is a native Win32 tool that extracts credentials from Windows operating systems. It currently extracts:
- Local accounts NT/LM hashes + history
- Domain accounts NT/LM hashes + history
- Cached domain password
- Bitlocker recovery information (recovery passwords & key packages)
Supported OS: XP/2003/Vista/7/2008/8
gsecdump extracts hashes from the SAM, Active Directory and active logon sessions, and can also extract LSA secrets. It works on both x86 and x64, on Windows 2000 through 2008.
Cain is a password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers security weaknesses present in protocol standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, but it also ships some "non-standard" utilities for Microsoft Windows users.
mimikatz can, among other things, extract hashes and other credentials stored in memory and in the registry.
See the papers for more information: http://blog.gentilkiwi.com/presentations
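The tools above share two observable behaviours that the text describes: reading the lsass.exe process from another process, and (for CacheDump) installing a service to obtain SYSTEM. The following PowerShell script is an added detection example, not code from the page or from any of these tools. It assumes Sysmon is installed with a ProcessAccess (Event ID 10) rule that covers lsass.exe, that the script runs elevated so it can read the Sysmon and System logs, and that the allow-list of legitimate source images is a placeholder to be tuned per environment.

```powershell
# Added detection example (not from the original page). Assumes Sysmon with a
# ProcessAccess rule for lsass.exe and an elevated prompt.
param([int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name="..."> elements of an event record into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# Access rights an in-memory credential reader needs on lsass.exe:
# 0x0010 PROCESS_VM_READ and 0x0040 PROCESS_DUP_HANDLE. PROCESS_QUERY_INFORMATION
# (0x0400) is requested by too many benign tools to alert on by itself.
$mask = 0x10 -bor 0x40

# Placeholder allow-list of images that legitimately open lsass on this host
# (EDR agents, backup software, ...). Hypothetical path; tune per environment.
$allowList = @('C:\Program Files\ExampleEDR\agent.exe')

'== Processes opening lsass.exe with read/duplicate-handle rights (Sysmon 10) =='
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $d = ConvertFrom-EventData $_
    if ($d.TargetImage -notlike '*\lsass.exe') { return }   # 'return' skips this item
    $granted = [Convert]::ToInt32($d.GrantedAccess, 16)     # GrantedAccess is e.g. "0x1010"
    if (($granted -band $mask) -eq 0) { return }
    if ($d.SourceImage -in $allowList) { return }
    [pscustomobject]@{
        Time          = $_.TimeCreated
        SourceImage   = $d.SourceImage
        SourceUser    = $d.SourceUser      # only populated by recent Sysmon versions
        GrantedAccess = $d.GrantedAccess
    }
} | Format-Table -AutoSize

'== Services installed in the period (System 7045, Service Control Manager) =='
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $d = ConvertFrom-EventData $_
    [pscustomobject]@{
        Time        = $_.TimeCreated
        ServiceName = $d.ServiceName
        ImagePath   = $d.ImagePath
        Account     = $d.AccountName
        StartType   = $d.StartType
    }
} | Format-Table -AutoSize
```

Run it as `.\lsass-watch.ps1 -Hours 72` to widen the window. A new service whose ImagePath points at a temporary or user-writable directory, appearing close in time to an lsass access event, is the pattern worth escalating; an isolated 7045 from a software installer usually is not.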
Remove stored passwords, certificates, and other credentials
Windows 7 and later
- Open User Accounts by clicking the Start button, clicking Control Panel, clicking User Accounts and Family Safety (or clicking User Accounts, if you are connected to a network domain), and then clicking User Accounts.
- In the left pane, click Manage your credentials.
- Click the vault that contains the credential that you want to remove.
- Click the credential that you want to remove, and then click Remove from vault.
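The same cleanup can be done from the command line with the built-in cmdkey.exe, which is useful for scripting it across many machines. The script below is an added example, not code from the original page: it parses `cmdkey /list` for the current user, shows the stored credentials whose target matches a wildcard pattern, and deletes them only when `-Delete` is given. The sample target names in the comments are constructed.

```powershell
# Added example (not from the original page): list and optionally remove stored
# credentials for the current user with cmdkey.exe.
param(
    [string]$TargetPattern = '*',   # wildcard matched against the full Target string
    [switch]$Delete                 # without this switch the script only lists
)

# cmdkey /list prints blocks such as (constructed sample):
#     Target: Domain:target=fileserver.example.test
#     Type: Domain Password
#     User: EXAMPLE\alice
$entries = @()
$current = $null
foreach ($line in (cmdkey /list)) {
    if ($line -match '^\s*Target:\s*(.+)$') {
        $current = [pscustomobject]@{ Target = $Matches[1].Trim(); Type = ''; User = '' }
        $entries += $current
    } elseif ($current -and $line -match '^\s*Type:\s*(.+)$') {
        $current.Type = $Matches[1].Trim()
    } elseif ($current -and $line -match '^\s*User:\s*(.+)$') {
        $current.User = $Matches[1].Trim()
    }
}

$selected = $entries | Where-Object { $_.Target -like $TargetPattern }
if (-not $selected) {
    "No stored credentials match '$TargetPattern'."
    return
}

$selected | Format-Table Target, Type, User -AutoSize | Out-Host

if ($Delete) {
    foreach ($c in $selected) {
        # cmdkey /delete expects the name after "target=", without the "Domain:" /
        # "LegacyGeneric:" prefix that /list displays.
        $name = $c.Target -replace '^[^:]+:target=', ''
        cmdkey "/delete:$name" | Out-Null
        "Removed: $($c.Target)"
    }
}
```

Typical use is `.\Remove-StoredCredential.ps1 -TargetPattern '*example.test*'` to review, then the same call with `-Delete` once the list looks right; the script name is hypothetical.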
Windows XP and earlier
You can run this command:
Related article: How to extract hashes and crack Windows Passwords