Windows Local Password Attacks
Windows Password management
LSASS
Local Security Authority Subsystem Service (
LSASS) is a collection of many modules and has access to all authentication processes that can be found in%SystemRoot%\\System32\\Lsass.exe. This service is responsible for the local system security policy, user authentication, and sending security audit logs to theEvent log.
| Authentication Packages | Description |
|---|---|
Lsasrv.dll | The LSA Server service both enforces security policies and acts as the security package manager for the LSA. The LSA contains the Negotiate function, which selects either the NTLM or Kerberos protocol after determining which protocol is to be successful. |
Msv1_0.dll | Authentication package for local machine logons that don't require custom authentication. |
Samsrv.dll | The Security Accounts Manager (SAM) stores local security accounts, enforces locally stored policies, and supports APIs. |
Kerberos.dll | Security package loaded by the LSA for Kerberos-based authentication on a machine. |
Netlogon.dll | Network-based logon service. |
Ntdsa.dll | This library is used to create new records and folders in the Windows registry. |
SAM Database
The Security Account Manager (
SAM) is a database file in Windows operating systems that stores users' passwords. It can be used to authenticate local and remote users. SAM uses cryptographic measures to prevent unauthenticated users from accessing the system. User passwords are stored in a hash format in a registry structure as either anLMhash or anNTLMhash. This file is located in%SystemRoot%/system32/config/SAMand is mounted on HKLM/SAM. SYSTEM level permissions are required to view it.
Saved credentials are stored based on user profiles in each user's
Credential Locker. Credentials are encrypted and stored at the following location:
Last updated