Lab Objective:
- Use mimikatz to extract hashes on a domain client from both:
  - the lsass.exe process
  - the local SAM database
In the last lab, we assumed that you had obtained access to a user on the Domain Controller who held the SeBackupPrivilege.
For the first part of this lab, we'll assume that we have control of a user who holds the SeDebugPrivilege and also has access to a Domain Client.
What is the SeDebugPrivilege?
- The SeDebugPrivilege (the "Debug programs" user right) is a powerful user right in Windows that allows a user to open, inspect and adjust the memory of processes owned by other users, including system processes. By default it is granted to the local Administrators group, and it is essential for various advanced debugging tasks. It can also be abused: whoever holds it can read whatever a system process keeps in memory, credentials included.
Here’s what happens when you start a process or service on Windows:
- Executables are compiled instructions that have been saved to disk.
- When an executable is run, its code and data are loaded into the memory of the new process.
- In other words, any process running on the system is resident in system memory, along with whatever data it is working on.
- If you start Notepad, a full copy of Notepad will be in RAM. Anything the user types is also resident in RAM.
- The important part:
- Users do not need special privileges to debug the memory used by a process they have started.
- Example: If the user student starts Notepad, then the user student can freely inspect and modify the memory being used by the Notepad process.
- Users need the 'Debug programs' privilege (SeDebugPrivilege) to inspect or modify areas of memory that belong to processes started by other users. The privilege makes the kernel skip the access check on the target process object, but only while it is enabled in the caller's token; it is present but disabled in a default administrator token, which is why tools such as mimikatz enable it first (privilege::debug).
- Example: If the user Jacob starts Notepad, the user student will not be able to inspect or modify the area of memory being used by the Notepad process started by Jacob.
- The exception: If the user student has the SeDebugPrivilege, they can inspect or modify memory areas held by processes that other users started.
The SeDebugPrivilege is one of the most dangerous privileges you can assign to a user.
- A user with the SeDebugPrivilege can inspect areas of memory held by operating system processes that contain, for example, user passwords and password hashes.
- If an application running on the machine holds private data in memory, a user with the SeDebugPrivilege can read all of that data as if they had the program open themselves.
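The following PowerShell script is an added example and is not part of the original lab. It shows, without mimikatz, exactly what the privilege does: it tries to open a handle to lsass.exe with PROCESS_VM_READ, then enables SeDebugPrivilege in the current token with AdjustTokenPrivileges and tries again. The P/Invoke declarations, the Enable-Privilege and Test-OpenLsass function names and the assumption that you run it from an elevated shell as a member of Administrators are mine, not the page's.

```powershell
# Added example (not from the original lab). Demonstrates that SeDebugPrivilege,
# once ENABLED in the token, is what unlocks read access to lsass.exe (runs as SYSTEM).
# Assumption: run from an elevated PowerShell as a member of Administrators, so the
# privilege is present in the token but starts out Disabled (see: whoami /priv).

$sig = @'
using System;
using System.Runtime.InteropServices;

public static class NativeMethods {
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }

    // TOKEN_PRIVILEGES with exactly one LUID_AND_ATTRIBUTES entry.
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES {
        public uint PrivilegeCount;
        public LUID Luid;
        public uint Attributes;
    }

    public const uint SE_PRIVILEGE_ENABLED     = 0x00000002;
    public const uint TOKEN_ADJUST_PRIVILEGES  = 0x0020;
    public const uint TOKEN_QUERY              = 0x0008;
    public const uint PROCESS_VM_READ          = 0x0010;
    public const uint PROCESS_QUERY_INFORMATION = 0x0400;

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, out LUID lpLuid);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr TokenHandle, bool DisableAllPrivileges,
        ref TOKEN_PRIVILEGES NewState, uint BufferLength, IntPtr PreviousState, IntPtr ReturnLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);

    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
}
'@
Add-Type -TypeDefinition $sig

function Enable-Privilege {
    # Enable a named privilege in the current process token. Returns $true only if the
    # privilege was actually enabled; AdjustTokenPrivileges returns TRUE even when the
    # token does not hold the privilege, signalling that via ERROR_NOT_ALL_ASSIGNED (1300).
    param([Parameter(Mandatory)][string]$Name)
    $token = [IntPtr]::Zero
    $access = [NativeMethods]::TOKEN_ADJUST_PRIVILEGES -bor [NativeMethods]::TOKEN_QUERY
    if (-not [NativeMethods]::OpenProcessToken([NativeMethods]::GetCurrentProcess(), $access, [ref]$token)) {
        throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $luid = New-Object -TypeName 'NativeMethods+LUID'
    if (-not [NativeMethods]::LookupPrivilegeValue($null, $Name, [ref]$luid)) {
        [NativeMethods]::CloseHandle($token) | Out-Null
        throw "LookupPrivilegeValue($Name) failed"
    }
    $tp = New-Object -TypeName 'NativeMethods+TOKEN_PRIVILEGES'
    $tp.PrivilegeCount = 1
    $tp.Luid = $luid
    $tp.Attributes = [NativeMethods]::SE_PRIVILEGE_ENABLED
    $ok  = [NativeMethods]::AdjustTokenPrivileges($token, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    [NativeMethods]::CloseHandle($token) | Out-Null
    return ($ok -and $err -eq 0)
}

function Test-OpenLsass {
    # Try to open lsass.exe with the access mimikatz needs to read its memory.
    $lsassId = (Get-Process -Name lsass).Id
    $want = [NativeMethods]::PROCESS_QUERY_INFORMATION -bor [NativeMethods]::PROCESS_VM_READ
    $h = [NativeMethods]::OpenProcess($want, $false, $lsassId)
    if ($h -eq [IntPtr]::Zero) {
        return "denied (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
    }
    [NativeMethods]::CloseHandle($h) | Out-Null
    return "opened"
}

"Before enabling SeDebugPrivilege: lsass handle $(Test-OpenLsass)"
"Enable-Privilege SeDebugPrivilege returned: $(Enable-Privilege -Name 'SeDebugPrivilege')"
"After enabling SeDebugPrivilege:  lsass handle $(Test-OpenLsass)"
```

Run as a plain (non-admin) user the privilege is not in the token at all, Enable-Privilege returns $false and both attempts are denied (error 5, ERROR_ACCESS_DENIED). Run elevated, the first attempt is denied and the second succeeds, which is the entire reason mimikatz runs privilege::debug before sekurlsa. If LSA Protection (RunAsPPL) is on, the second attempt stays denied even with the privilege enabled, because lsass is then a protected process.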
The LSASS.exe process and why it is always present on Windows.
The lsass.exe process, short for Local Security Authority Subsystem Service, is a crucial component of the Windows operating system responsible for enforcing the local security policy. It handles authentication, user logons, password changes and access-token creation: it verifies users logging into the computer or server, processes password changes, and writes to the Windows Security Log. To do this it keeps credential material for logged-on users (NTLM hashes, Kerberos keys and tickets, and in some configurations cleartext passwords) in its own memory, which is what mimikatz reads.
Key Points about lsass.exe:
- Authentication: lsass.exe plays a pivotal role in user authentication. It processes login requests, authenticates users, and generates security tokens that Windows uses to manage user permissions and access rights.
- Security Policies: The process enforces various security policies defined within the system, such as password policies, account lockout policies, and audit policies.
- Access Tokens: It creates and manages access tokens, which are used to determine the permissions granted to users and applications.
Access Control:
- System and Administrators: by default, lsass.exe runs as SYSTEM and its memory can only be read by SYSTEM and by administrators who have SeDebugPrivilege enabled in their token, precisely because the process carries copies of user credentials in memory.
- Two hardening features change this even for a user with SeDebugPrivilege: with LSA Protection (RunAsPPL) enabled, lsass runs as a protected process and cannot be opened for reading at all; with Credential Guard enabled, the secrets are isolated in LSAIso.exe and sekurlsa returns nothing useful. Check both before attempting a dump.