Windows Services passwords stored in the LSA
Introduction
The Service Control Manager (SCM) is a remote procedure call (RPC) server that manages Windows services. It allows administrators and applications to control (start, stop, modify, etc.) services running on a Windows machine. When a service is configured to run under a specific user account rather than the default LocalSystem account, the SCM needs to store the credentials securely to be able to start the service with the correct permissions. These credentials are stored in the Windows Local Security Authority (LSA) subsystem, which we’ll explore in more detail in the following sections.
Storage and format
This secret is stored in the Local Security Authority (LSA) and is named in the format SCM:{<SID>}, with:
- SCM: meaning Service Control Manager (SCM)
- SID: the object's security identifier
The value of this secret is a character string encoded in UTF-16-LE that contains the service account's password in plain text:
SCM:{B092549F-61DB-41B0-96FD-02EB41E19783}:50004000730073005700300072004400300066005300330072007600310063003300210021002100
Implementation in pentest tools
Secretsdump of the Impacket suite
In the file impacket/examples/secretsdump.py I added these few lines of Python to automatically parse and format the service passwords in the output of the secretsdump tool:
elif re.match('^SCM:{([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})}', upperName) is not None:
    # Decode stored service password: the secret value is the plain-text
    # password as a NUL-terminated UTF-16-LE string
    sid = re.search('^SCM:{([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})}', upperName).group(1)
    try:
        password = secretItem.decode('utf-16le').rstrip('\x00')
    except UnicodeDecodeError:
        # Not valid UTF-16-LE (odd length, truncated data): leave secret unset
        pass
    else:
        secret = 'Password of service %s: %s' % (sid, password)
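The parsing described in the "Storage and format" section and implemented in the patch above, as an added stand-alone example that is neither the original post's code nor impacket's: it returns the decoded secret as a value, rejects blobs that are not valid UTF-16-LE explicitly instead of swallowing the error, and builds an inventory of which services have a plain-text password stored in the LSA. The sample dump is constructed from the name and hex value shown on this page plus two made-up entries; function names are my own.

```python
import re
from typing import Optional

# Secret names look like SCM:{<identifier>}; the braced part has the
# 8-4-4-4-12 hex shape that the secretsdump patch above matches.
SCM_SECRET_RE = re.compile(
    r'^SCM:\{([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\}$',
    re.IGNORECASE,
)

def parse_scm_secret(name: str, blob: bytes) -> Optional[tuple[str, str]]:
    """Return (identifier, password) for an SCM:{...} LSA secret, else None.

    None also covers a blob that is not valid UTF-16-LE (odd length,
    truncated surrogate pair): the case the patch's bare 'except'
    swallows silently is rejected explicitly here.
    """
    m = SCM_SECRET_RE.match(name)
    if m is None:
        return None
    try:
        password = blob.decode('utf-16-le')
    except UnicodeDecodeError:
        return None
    # The stored string is NUL-terminated; strip only the terminator(s).
    return m.group(1).upper(), password.rstrip('\x00')

def services_with_stored_passwords(secrets: dict[str, bytes]) -> dict[str, str]:
    """Inventory helper: map each service identifier whose LSA secret
    holds a recoverable plain-text password to that password. Entries
    that are not SCM secrets, or that do not decode, are skipped."""
    found = {}
    for name, blob in secrets.items():
        parsed = parse_scm_secret(name, blob)
        if parsed is not None:
            found[parsed[0]] = parsed[1]
    return found

# Constructed sample dump: the SCM entry uses the name and hex value shown
# on this page; the other two entries are made up to exercise the skips.
SAMPLE_SECRETS = {
    'SCM:{B092549F-61DB-41B0-96FD-02EB41E19783}': bytes.fromhex(
        '50004000730073005700300072004400300066005300330072007600310063003300210021002100'),
    'NL$KM': bytes(range(64)),                               # not an SCM secret
    'SCM:{00000000-0000-0000-0000-000000000000}': b'\x50',   # odd length, not UTF-16
}
```

Running `services_with_stored_passwords(SAMPLE_SECRETS)` yields one entry, the service from the page with the password shown in the secretsdump output below; the two malformed entries are dropped rather than crashing the parser.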
The output of the secretsdump tool now becomes:
[*] DPAPI_SYSTEM
dpapi_machinekey:0xefffd26631badcd42b613d4f2c8960fa049dc6ed
dpapi_userkey:0x46b2bacd697571dea0b14beb6d136119c301e5ab
[*] NL$KM
0000 2E 5F 46 93 4D 20 EB 46 5F 74 5F 61 83 A7 81 80 ................
0010 B9 98 AB 93 78 24 5D 3D 34 E2 1A 63 F6 4D DE CF ................
0020 3C 20 8A 3C 63 EB 33 D4 FC 3E FB 99 42 E3 9E 30 ................
0030 44 74 A8 C0 32 E7 48 43 3B 2D DC B0 6B CF 42 E5 ................
NL$KM:2e5f46934d20eb465f745f6183a78180b998ab9378245d3d34e21a63f64ddecf3c208a3c63eb33d4fc3efb9942e39e304474a8c032e748433b2ddcb06bcf42e5
[*] SCM:{B092549F-61DB-41B0-96FD-02EB41E19783}
SCM Password of service B092549F-61DB-41B0-96FD-02EB41E19783: P@ssW0rD0fS3rv1c3!!!
[*] Cleaning up...
[*] Stopping service RemoteRegistry
I created a pull request to add this feature directly in impacket.