Cached Credentials & LSA secrets
Intro
/!\ This is for educational purposes only, and should not be used for unauthorized access, tampering or accessed illegally without owner permission.
This page will help you to extract and manipulate the Windows Cached Credentials.
"Cached and Stored Credentials Technical Overview" from Microsoft is a must-reading to understand oh it works.
LSA secrets
LSA secrets is an area in the registry where Windows stores important information. This includes:
- Account passwords for services that are set to run by operating system users as opposed to Local System, Network Service and Local Service.
- Password used to logon to Windows if auto-logon is enabled or, generally, the password of the user logged to the console (DefaultPassword entry).
Tools to extract Windows Credentials & LSA secrets
These tools will extract cached credentials and LSA secrets from the Regsitry and/or from lsass.exe process. Thus, they can be considered as 'hacking tools' and blocked by some Antivirus. Use at your own risks !
Creddump
creddump is a python tool to extract various credentials and secrets from Windows registry hives. It currently extracts:
- LM and NT hashes (SYSKEY protected)
- Cached domain passwords
- LSA secrets
CacheDump
CacheDump will create a CacheDump NT Service to get SYSTEM right and make his stuff on the registry. Then, it will retrieve the LSA Cipher Key to decrypt (rc4/hmac_md5 GloubiBoulga) cache entries values.
QuarksPwdump
quarkspwdump is a native Win32 tool to extract credentials from Windows operating systems. It currently extracts :
- Local accounts NT/LM hashes + history
- Domain accounts NT/LM hashes + history
- Cached domain password
- Bitlocker recovery information (recovery passwords & key packages)
gsecdump
gsecdump extracts hashes from SAM/AD and active logon sessions.
It can also extract LSA secrets. Works for both x86 and x64. Windows 2000 - 2008.
mimikatz
mimikatz can, among other things, extract hashes and other cendentials stored in memory and in registry.
Check papers for more informationn : http://blog.gentilkiwi.com/presentations
Remove stored passwords, certificates, and other credentials
Windows 7 and upper
- Open User Accounts by clicking the Start button Picture of the Start button, clicking Control Panel, clicking User Accounts and Family Safety (or clicking User Accounts, if you are connected to a network domain), and then clicking User Accounts.
- In the left pane, click Manage your credentials.
- Click the vault that contains the credential that you want to remove.
- Click the credential that you want to remove, and then click Remove from vault.
Windows XP and lower
You can run this command :
rundll32.exe keymgr.dll,KRShowKeyMgr
Note
Related article : How to extract hashes and crack Windows Passwords