LSA hashes extraction failed: 'HashRecords' on Windows 11
gabtoubl opened this issue · 1 comments
gabtoubl commented
Configuration
impacket version: v0.12.0.dev1+20240604.210053.9734a1af
Python version: 3.11.9
Target OS: Windows 11
Can't access the LSA Secrets on Windows 11. Normal access to registry key with same credentials works.
Debug Output With Command String
secretsdump -debug qu35t:'ADMINPWD'@10.13.37.123
Impacket v0.12.0.dev1+20240604.210053.9734a1af - Copyright 2023 Fortra
[+] Impacket Library Installation Path: /root/.local/share/pipx/venvs/impacket/lib/python3.11/site-packages/impacket
[+] Service RemoteRegistry is already running
[+] Retrieving class info for JD
[+] Retrieving class info for Skew1
[+] Retrieving class info for GBG
[+] Retrieving class info for Data
[*] Target system bootKey: 0x94e528ae2e011f45e7f9f79049868add
[+] Checking NoLMHash Policy
[+] LMHashes are NOT being stored
[+] Saving remote SAM database
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[+] Calculating HashedBootKey from SAM
[+] NewStyle hashes is: True
Administrator:500:a[***]c8:::
[+] NewStyle hashes is: True
Guest:501:aad3b435b51404eeaad3b435b51404ee:3[***]0:::
[+] NewStyle hashes is: True
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:3[***]0:::
[+] NewStyle hashes is: True
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:2[***]3:::
[+] Saving remote SECURITY database
[*] Dumping cached domain logon information (domain/username:hash)
[+] Decrypting LSA Key
[+] Decrypting NL$KM
[+] Looking into NL$1
[+] Looking into NL$2
[+] Looking into NL$3
[+] Looking into NL$4
[+] Looking into NL$5
[+] Looking into NL$6
[+] Looking into NL$7
[+] Looking into NL$8
[+] Looking into NL$9
[+] Looking into NL$10
[*] Dumping LSA Secrets
[+] Looking into $MACHINE.ACC
[*] $MACHINE.ACC
CELESTINA\WK-123$:aes256-cts-hmac-sha1-96:4[***]e63
CELESTINA\WK-123$:aes128-cts-hmac-sha1-96:01[***]000
CELESTINA\WK-123$:des-cbc-md5:c12[***]a
CELESTINA\WK-123$:plain_password_hex:440[***]100
CELESTINA\WK-123$:aad3[***]64f2:::
[+] Looking into DPAPI_SYSTEM
[*] DPAPI_SYSTEM
dpapi_machinekey:0x80[***]47f4f6d
dpapi_userkey:0xb95[***]2ccf8
[+] Looking into DSREGCMD
[+] Unknown type 0xb''
Traceback (most recent call last):
File "/root/.local/bin/secretsdump.py", line 297, in dump
self.__LSASecrets.dumpSecrets()
File "/root/.local/share/pipx/venvs/impacket/lib/python3.11/site-packages/impacket/examples/secretsdump.py", line 1876, in dumpSecrets
value = self.getValue('\\Policy\\Secrets\\{}\\{}\\default'.format(key,valueType))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/root/.local/share/pipx/venvs/impacket/lib/python3.11/site-packages/impacket/examples/secretsdump.py", line 1328, in getValue
value = self.__registryHive.getValue(keyValue)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/root/.local/share/pipx/venvs/impacket/lib/python3.11/site-packages/impacket/winregistry.py", line 458, in getValue
key = self.findKey(regKey)
^^^^^^^^^^^^^^^^^^^^
File "/root/.local/share/pipx/venvs/impacket/lib/python3.11/site-packages/impacket/winregistry.py", line 378, in findKey
res = self.__findSubKey(parentKey, subKey)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/root/.local/share/pipx/venvs/impacket/lib/python3.11/site-packages/impacket/winregistry.py", line 299, in __findSubKey
data = lf['HashRecords']
~~^^^^^^^^^^^^^^^
File "/root/.local/share/pipx/venvs/impacket/lib/python3.11/site-packages/impacket/structure.py", line 171, in __getitem__
return self.fields[key]
~~~~~~~~~~~^^^^^
KeyError: 'HashRecords'
[-] LSA hashes extraction failed: 'HashRecords'
[*] Cleaning up...
gabtoubl commented
It seems that this specific entry, DSREGCMD, doesn't have the CurrVal\default structure that secretsdump is expecting:
PS C:\Windows\system32> reg query HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\DSREGCMD
HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\DSREGCMD
MutexName REG_SZ 9d0[***]7ce9f