SharpSecDump.exe Windows 10 20H1 localhost #2
Comments
|
Hey, Win 10 20H1 (win 10 version 2004) was running on one of my dev VM's during testing, and I just went back and confirmed I'm still getting LSA secrets results back on it, I would try running against another system running the same OS version to see if its something funky with that specific system. If you are still running into problems, could you include both your Windows edition + build, as well as the raw output of what you're getting back? |
|
So much thanks for replay.
Sure I will do.
The only tool(at this time) that grab LSA Secrets from my Win 10 2004H1 is a pre-release from Nirsoft.And only for local user accounts.Not for MicrosoftAccount users.
Not mimikatz nor lazagne.I throwed some post in their sites.But no answer.
That's why I get into your tool.
…________________________________
From: G0ldenGunSec <notifications@github.com>
Sent: Tuesday, December 22, 2020 1:13 AM
To: G0ldenGunSec/SharpSecDump <SharpSecDump@noreply.github.com>
Cc: Papotito123 <razztrafol10@hotmail.com>; Author <author@noreply.github.com>
Subject: Re: [G0ldenGunSec/SharpSecDump] SharpSecDump.exe Windows 10 20H1 localhost (#2)
Hey, Win 10 20H1 (win 10 version 2004) was running on one of my dev VM's during testing, and I just went back and confirmed I'm still getting LSA secrets results back on it, I would try running against another system running the same OS version to see if its something funky with that specific system. If you are still running into problems, could you include both your Windows edition + build, as well as the raw output of what you're getting back?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub<#2 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AMUZWT3QJT2GT3XPZ6WT3JLSV7XDRANCNFSM4UZBXYBA>.
|
|
Hello: Windows 10 2004(OS Build 19041.685) x64 local admin user account. Windows Defender: I disable to run SharpSecDump.exe I used pyinstaller to compile SharpSecDump. D:\SharpSecDump-master>SharpSecDump.exe -target=localhost -u=TESTACOUNT -p=mypassword -d=. As I see , Win 10 2004 hide some keys even set to Unhide as .../Protect/S-I-D-XXXX/(mkeynames are hide) SecurityQuestionsView v1.00 ,from Nirsoft, can see my LSA Secrets. Thanks. |
|
Hello: Windows 10 2004H1 (OS Build 19041.685) fresh installation for local user account and Defender turned OFF. C:\Users\TESTUSER\Desktop\TESTINGTOOLS>SharpSecDump.exe -target=localhost -u=TESTUSER -p=Testing123 -d=. Apart from SecurityQuestionsView v1.00 (Nirsoft) ,Passcape Reset Password and PCUnlocker can see my LSA Secrets. Thanks again. |
|
Hey, taking a look at the output you included -- what all other secrets were you expecting to see that were not included? For a system that is not domain-joined and does not have any services that have been manually configured to run with cached creds, the output looks pretty standard. Only thing I'm not seeing is NL$KM at the bottom of your output. |
|
Hello: Until Windows 1909,which I also have it, when I run mimikatz,lazagne,NTHASH-fpc and others , for LSA Secrets recovers also the Q&A you have to filled when creating user account and is used for Resetting user password.This info ,before Windows 10 2004,where in registry in HKLM\SECURITY\Policy\Secrets keys.Now there's only DPAPI_SYSTEM key with subkeys of:CupdTime,CurrVal,OldVal,OutputTime,SecDesc, and there's no the usual L$_SQSA_S-1-5-21-16xxxxxxxxxxxxxxxxx-100x SecurityQuestionsView v1.00 (Nirsoft) can view the LSA Secrets Q&A.So there's reachable.But not in the usual way. I'm ,in no way , mention other programs that can retrieve this Q&A to make feel bad. Some things related to DPAPI and the "hide for user seeing" changed in Windows 10 2004 as security measures. Sorry for long posting. And much thanks for keep this issue alive. |
|
Interesting, yeah I guess I haven't seen those secrets ever pulled by this tool or secretsdump (the tool this was based on) in the past. If you're not seeing this data due to a change in the structure to where Windows is storing the specific data needed to retrieve this info, its more of just identifying the key/s that data is now stored in and parsing them as well (likely a modification to / additional foreach loop around line 348 in Program.cs). I don't have a great setup to test this on and am working on a few other projects currently, so probably wont implement this additional functionality myself, but if you want to add the additional functionality definitely submit a PR! |
|
Hello: Thanks for being the first that really aknowledge this inconvenient for grab LSA Secrets Q&A. With knowing these challenge questions and answers any can change user password without problems and login to the account. Thanks. |
|
No worries, as it looks like this is leaning more towards a feature addition vs. a bug in the already-existing code, I'll go ahead and close this issue out. |
Hello:
Win 10 20H1 x64 local user with Defender disabled (is detected by Defender).
I compiled sharpsecdump and ran it in my volume with Win 1909 x64 local user and ran well.
SharpSecDump.exe -target=localhost
It grabbed LSA Secrets questions and answers.
But in my Win 10 20H1 x64 local user volume, LSA Secrets questions and answers are not retrieved.
This is something happens with mimikatz and lazagne.
I verified registry keys and HKLM\SECURITY\Policy\Secrets only hasbe DPAPI_SYSTEM with 5 subentries.But nothing more.
Ii suspect is something due to Win 10 20H1 changes to DPAPI.
Any ideas/info much appreciated.
Thanks.
The text was updated successfully, but these errors were encountered: