HookingLsassForCredentials


Quick Links

Maldev Academy Home

Maldev Academy Syllabus

Offensive Phishing Operations


Explanation

The goal of this PoC is to leverage the registry key discovered here to load a DLL into Lsass.exe that will allow us to fetch the user's credentials (in any form possible) while effectively bypassing Credential Guard. It is worth mentioning that when Credential Guard is enabled, Lsass.exe hands over credential protection and caching to LsaIso.exe, however, Lsass.exe remains the one responsible for verifying the login user credentials.


How It Works

  • The initial objective was to retrieve a populated USER_INTERNAL6_INFORMATION structure in order to access the USER_ALL_INFORMATION structure, allowing us to read critical elements like NtPassword and LmPassword during the initial user authentication process. However, which fields of this structure are populated depends on the WhichFields parameter of the targeted API.

  • To capture a USER_INTERNAL6_INFORMATION structure, we hooked samsrv!SamIGetUserLogonInformation2. However, this function and its caller (lsasrv!LsapSamExtGetUserLogonInformation2) override their WhichFields parameter, forcibly setting it to 0x1B. This value is explained here. Therefore, we tried manually altering this value to equal USER_ALL_READ_TRUSTED_MASK2, hoping to read the aforementioned elements. Upon doing this, SamIGetUserLogonInformation2 returned STATUS_INVALID_INFO_CLASS, as explained here.

  • As an alternative, we placed a hook at the start of the SamIGetUserLogonInformation2 function. In the detour function, we read UNICODE_STRING structures relative to the R8 register. These structures held valuable information like the plaintext password entered by the user at the lock screen, the username, and the workstation. However, this approach proved unstable (we were unable to fetch valuable data every time), so the PoC is currently a work-in-progress (WIP).

  • It is worth mentioning that the current PoC waits for the LogonUI.exe process to start before installing the hook(s). LogonUI.exe is the process responsible for displaying the Windows login screen and securely capturing user credentials.


Demo

  1. Installing the Dummy DLL and editing the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LsaExtensionConfig\Interfaces\1001 registry key's value to load our DLL that will execute our code and act as a proxy to the lsasrv.dll DLL.

(Screenshot: the LsaExtensionConfig\Interfaces\1001 registry key edited to point at the dummy DLL)



  2. Upon reboot, we captured the login plaintext password with Credential Guard enabled. The image below is the truncated output of the cat C:\DummyDebug.log command, which prints the DEBUG_FILE.

(Screenshot: truncated contents of C:\DummyDebug.log showing the captured plaintext password)
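Because the whole technique hinges on the LsaExtensionConfig\Interfaces registry key named in step 1, the most direct defensive check is to audit what that key points at. The following script is an added example written for this page, not part of the PoC or of any Windows tooling: it parses a .reg-style text export (for example one collected during triage) and flags any string value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LsaExtensionConfig\Interfaces\<n> whose data names a DLL outside System32 or not on a known-good allowlist. The sample export, the value name "Extension" and the allowlist (which contains only lsasrv.dll, the module the page says the dummy DLL proxies) are constructed assumptions; the check itself is value-name-agnostic, so it does not depend on that placeholder being the real value name.

```python
"""Audit an exported LsaExtensionConfig registry key for DLLs that lsass.exe would load.

Added example for this page (not the repository's code). It scans every string value
under the Interfaces\<n> subkeys and reports DLL paths that are outside System32 or
whose file name is not on a known-good allowlist.
"""
import re
from typing import Dict, List, Tuple

INTERFACES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LsaExtensionConfig\Interfaces"

# Allowlist of module names expected here. lsasrv.dll is named on the page; a real
# deployment should seed this from a known-good baseline of the same Windows build.
KNOWN_GOOD = {"lsasrv.dll"}

# Directory prefixes considered the legitimate home of LSA extension modules.
SYSTEM32_PREFIXES = ("c:\\windows\\system32\\", "%systemroot%\\system32\\")

# Constructed sample export. The value name "Extension" is a placeholder (assumption),
# and Interfaces\1002 is a constructed bad entry, not something observed on a real host.
SAMPLE_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LsaExtensionConfig\Interfaces\1001]
"Extension"="C:\\Windows\\System32\\lsasrv.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LsaExtensionConfig\Interfaces\1002]
"Extension"="C:\\Users\\Public\\Dummy.dll"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: string_data}} for REG_SZ values in a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            # .reg exports escape backslashes and double quotes; undo that escaping.
            name = value_match.group(1)
            data = value_match.group(2).replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def audit_lsa_extensions(keys: Dict[str, Dict[str, str]],
                         known_good=KNOWN_GOOD) -> List[Tuple[str, str, str, str]]:
    """Return (key, value_name, data, reason) for every suspicious DLL reference."""
    findings = []
    prefix = INTERFACES_KEY.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        for name, data in values.items():
            lowered = data.lower()
            if not lowered.endswith(".dll"):
                continue
            basename = lowered.replace("/", "\\").rsplit("\\", 1)[-1]
            reasons = []
            # A bare file name is resolved via the loader's search path, so only the
            # allowlist applies; a full path must live under System32.
            if "\\" in lowered and not lowered.startswith(SYSTEM32_PREFIXES):
                reasons.append("module path is outside System32")
            if basename not in known_good:
                reasons.append("module name not in known-good allowlist")
            if reasons:
                findings.append((key, name, data, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in audit_lsa_extensions(parse_reg_export(SAMPLE_EXPORT)):
        print(f"[!] {key}\n    {name} = {data}\n    {reason}")
```

On a live system the same logic applies to the output of `reg export` for that key; any entry that is flagged should be cross-checked against the DLL's signature and against the modules actually loaded in lsass.exe, since a proxy DLL that forwards to lsasrv.dll (as in step 1) keeps logon working and so produces no user-visible failure.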


About

Attempting to Hook LSASS APIs to Retrieve Plaintext Credentials