Windows Services passwords stored in the LSA

Table des matières :

Introduction

The Service Control Manager is a remote procedure call (RPC) server allowing to control services deployed on a Windows machine.

Storage and format

This secret is stored in the Local Security Authority (LSA) and is named in the format SCM:{<SID>}, with:

  • SCM - Meaning Service Control Manager (SCM)
  • SID - The object’s security identifier

The format of this secret is a character string encoded in UTF-16-LE containing the password in plain text:

SCM:{B092549F-61DB-41B0-96FD-02EB41E19783}:50004000730073005700300072004400300066005300330072007600310063003300210021002100

Implementation in pentest tools

Secretsdump of the Impacket suite

In the file impacket/examples/secretsdump.py I added these few lines of python to automatically parse and format the services passwords in the output of the secretsdump tool:

elif re.match('^SCM:{([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})}', upperName) is not None:
    # Decode stored service password
    sid = re.search('^SCM:{([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})}', upperName).group(1)
    try:
        password = secretItem.decode('utf-16le').rstrip('\x00')
    except:
        pass
    else:
        secret = 'Password of service %s: %s' % (sid, password)

The output of the secretsdump tool now becomes:

[*] DPAPI_SYSTEM
dpapi_machinekey:0xefffd26631badcd42b613d4f2c8960fa049dc6ed
dpapi_userkey:0x46b2bacd697571dea0b14beb6d136119c301e5ab
[*] NL$KM
 0000   2E 5F 46 93 4D 20 EB 46  5F 74 5F 61 83 A7 81 80   ................
 0010   B9 98 AB 93 78 24 5D 3D  34 E2 1A 63 F6 4D DE CF   ................
 0020   3C 20 8A 3C 63 EB 33 D4  FC 3E FB 99 42 E3 9E 30   ................
 0030   44 74 A8 C0 32 E7 48 43  3B 2D DC B0 6B CF 42 E5   ................
NL$KM:2e5f46934d20eb465f745f6183a78180b998ab9378245d3d34e21a63f64ddecf3c208a3c63eb33d4fc3efb9942e39e304474a8c032e748433b2ddcb06bcf42e5
[*] SCM:{B092549F-61DB-41B0-96FD-02EB41E19783}
SCM Password of service B092549F-61DB-41B0-96FD-02EB41E19783: P@ssW0rD0fS3rv1c3!!!
[*] Cleaning up...
[*] Stopping service RemoteRegistry

I created a pull request to add this feature directly in impacket.

References