G0ldenGunSec/SharpSecDump

SharpSecDump.exe Windows 10 20H1 localhost

Papotito123 opened this issue · 9 comments

Hello:
Win 10 20H1 x64 local user with Defender disabled (is detected by Defender).

I compiled sharpsecdump and ran it in my volume with Win 1909 x64 local user and ran well.
SharpSecDump.exe -target=localhost
It grabbed LSA Secrets questions and answers.

But in my Win 10 20H1 x64 local user volume, LSA Secrets questions and answers are not retrieved.
This is something happens with mimikatz and lazagne.
I verified registry keys and HKLM\SECURITY\Policy\Secrets only hasbe DPAPI_SYSTEM with 5 subentries.But nothing more.

Ii suspect is something due to Win 10 20H1 changes to DPAPI.

Any ideas/info much appreciated.

Thanks.

Hey, Win 10 20H1 (win 10 version 2004) was running on one of my dev VM's during testing, and I just went back and confirmed I'm still getting LSA secrets results back on it, I would try running against another system running the same OS version to see if its something funky with that specific system. If you are still running into problems, could you include both your Windows edition + build, as well as the raw output of what you're getting back?

Hello:
Here's the info;

Windows 10 2004(OS Build 19041.685) x64 local admin user account.

Windows Defender: I disable to run SharpSecDump.exe
Antimalware Client Version: 4.18.2011.6
Engine Version: 1.1.17700.4
Antivirus Version: 1.329.829.0
Antispyware Version: 1.329.829.0

I used pyinstaller to compile SharpSecDump.
D:>cd "D:\SharpSecDump-master"

D:\SharpSecDump-master>SharpSecDump.exe -target=localhost -u=TESTACOUNT -p=mypassword -d=.
[] RemoteRegistry service started on localhost
[
] Parsing SAM hive on localhost
[] Parsing SECURITY hive on localhost
[
] Sucessfully cleaned up on localhost
---------------Results from localhost---------------
[] SAM hashes
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:829562b90ea3dfae057e7b5d020b0159
TESTACCOUNT:1001:aad3b435b51404eeaad3b435b51404ee:---good hash---
dinda:1002:aad3b435b51404eeaad3b435b51404ee:---good hash ---
[
] DPAPI_SYSTEM
dpapi_machinekey:10b....c16
dpapi_userkey:2e2.....138
---------------Script execution completed---------------

As I see , Win 10 2004 hide some keys even set to Unhide as .../Protect/S-I-D-XXXX/(mkeynames are hide)
Also in registry (even running as SYSTEM or TtrustedInstaller) in HKLM\SECURITY\Policy\Secrets only has DPAPI_SYSTEM with 5 subentries. But nothing more.

SecurityQuestionsView v1.00 ,from Nirsoft, can see my LSA Secrets.

Thanks.

Hello:
For the benefit of you and some other tools devs,for which I have some contact,I reinstalled Windows 10 2004H1.

Windows 10 2004H1 (OS Build 19041.685) fresh installation for local user account and Defender turned OFF.

C:\Users\TESTUSER\Desktop\TESTINGTOOLS>SharpSecDump.exe -target=localhost -u=TESTUSER -p=Testing123 -d=.
[] RemoteRegistry service started on localhost
[
] Parsing SAM hive on localhost
[] Parsing SECURITY hive on localhost
[
] Sucessfully cleaned up on localhost
---------------Results from localhost---------------
[] SAM hashes
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:fa48b705e59df10a16089ffe5b3ad812
TESTUSER:1001:aad3b435b51404eeaad3b435b51404ee:4e3835474a5319a5c13f66a6c196a9ef
[
] LSA Secrets
[*] DPAPI_SYSTEM
dpapi_machinekey:0d........c75
dpapi_userkey:bae.......a90
---------------Script execution completed---------------

Apart from SecurityQuestionsView v1.00 (Nirsoft) ,Passcape Reset Password and PCUnlocker can see my LSA Secrets.

Thanks again.

Hey, taking a look at the output you included -- what all other secrets were you expecting to see that were not included? For a system that is not domain-joined and does not have any services that have been manually configured to run with cached creds, the output looks pretty standard. Only thing I'm not seeing is NL$KM at the bottom of your output.

Hello:
Thanks for responding.
Well,maybe I'm not explained more clearly what I'm expecting when I talked about LSA Secrets.

Until Windows 1909,which I also have it, when I run mimikatz,lazagne,NTHASH-fpc and others , for LSA Secrets recovers also the Q&A you have to filled when creating user account and is used for Resetting user password.This info ,before Windows 10 2004,where in registry in HKLM\SECURITY\Policy\Secrets keys.Now there's only DPAPI_SYSTEM key with subkeys of:CupdTime,CurrVal,OldVal,OutputTime,SecDesc, and there's no the usual L$_SQSA_S-1-5-21-16xxxxxxxxxxxxxxxxx-100x
users keys and not NL$KM.See by yourself.
Even running regedit as SYSTEM or TrustedInstaller these keys are hide.
Also in \Protect folder the CREDHIST file and in
S-1-5-21-16xxxxxxxxxxxxxxxxx-100x subfolder the masterkeys keys are hide from user.
This is a security measure starting from Windows 10 2004H1(documented)

SecurityQuestionsView v1.00 (Nirsoft) can view the LSA Secrets Q&A.So there's reachable.But not in the usual way.
Why is important to me?
Because instead of Reset/clear user password(blowing EFS ,Web Credentials,Vaults and some other) is better Resetting user password using the questions/response challenge.Also PIN and Picture Password is kept(and not erased).
Unbelievable, I had to use this reset way in last days.And works good.

I'm ,in no way , mention other programs that can retrieve this Q&A to make feel bad.
Contrary,I'm bringing this to the attention(as to lazagne dev,mimikatz dev,NTHAS-fpc dev) to point ,with my output results, that the usual way to retrieve some info ,as in this case, the LSA Secrets is not available but there's still reachable.

Some things related to DPAPI and the "hide for user seeing" changed in Windows 10 2004 as security measures.

Sorry for long posting.

And much thanks for keep this issue alive.

Interesting, yeah I guess I haven't seen those secrets ever pulled by this tool or secretsdump (the tool this was based on) in the past. If you're not seeing this data due to a change in the structure to where Windows is storing the specific data needed to retrieve this info, its more of just identifying the key/s that data is now stored in and parsing them as well (likely a modification to / additional foreach loop around line 348 in Program.cs). I don't have a great setup to test this on and am working on a few other projects currently, so probably wont implement this additional functionality myself, but if you want to add the additional functionality definitely submit a PR!

Hello:
Sorry.Im not a dev
I'm just an enthusiastic that worked 10 years in a computer repair shop where I self-learned most of the things

Thanks for being the first that really aknowledge this inconvenient for grab LSA Secrets Q&A.

With knowing these challenge questions and answers any can change user password without problems and login to the account.

Thanks.

No worries, as it looks like this is leaning more towards a feature addition vs. a bug in the already-existing code, I'll go ahead and close this issue out.