Windows Services passwords stored in the LSA
Table of contents :
Introduction
Storage and format
This secret is stored in the Local Security Authority (LSA) and is named in the format SCM:{<SID>}, with:
SCM- Local SecretSID- Security identifier
The format of this secret is a character string encoded in UTF-16-LE containing the password in plain text:
SCM:{B092549F-61DB-41B0-96FD-02EB41E19783}:50004000730073005700300072004400300066005300330072007600310063003300210021002100
Implementation in the tools
Secretsdump of the Impacket suite
In the file impacket/examples/secretsdump.py I added these few lines of python to automatically parse and format the services passwords in the output of the secretsdump tool:
elif re.match('^SCM:{([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})}', upperName) is not None:
# Decode stored service password
sid = re.search('^SCM:{([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})}', upperName).group(1)
try:
password = secretItem.decode('utf-16le').rstrip('\x00')
except:
pass
else:
secret = 'Password of service %s: %s' % (sid, password)
The output of the secretsdump tool now becomes:
[*] DPAPI_SYSTEM
dpapi_machinekey:0xefffd26631badcd42b613d4f2c8960fa049dc6ed
dpapi_userkey:0x46b2bacd697571dea0b14beb6d136119c301e5ab
[*] NL$KM
0000 2E 5F 46 93 4D 20 EB 46 5F 74 5F 61 83 A7 81 80 ................
0010 B9 98 AB 93 78 24 5D 3D 34 E2 1A 63 F6 4D DE CF ................
0020 3C 20 8A 3C 63 EB 33 D4 FC 3E FB 99 42 E3 9E 30 ................
0030 44 74 A8 C0 32 E7 48 43 3B 2D DC B0 6B CF 42 E5 ................
NL$KM:2e5f46934d20eb465f745f6183a78180b998ab9378245d3d34e21a63f64ddecf3c208a3c63eb33d4fc3efb9942e39e304474a8c032e748433b2ddcb06bcf42e5
[*] SCM:{B092549F-61DB-41B0-96FD-02EB41E19783}
SCM Password of service B092549F-61DB-41B0-96FD-02EB41E19783: P@ssW0rD0fS3rv1c3!!!
[*] Cleaning up...
[*] Stopping service RemoteRegistry
I created a pull request to add this feature directly in impacket.