fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com

LSA hashes extraction failed: 'HashRecords' on Windows 11 #1778

Open gabtoubl opened 4 months ago

gabtoubl commented 4 months ago

Configuration

impacket version: v0.12.0.dev1+20240604.210053.9734a1af
Python version: 3.11.9
Target OS: Windows 11

Can't access the LSA Secrets on Windows 11. Normal access to registry key with same credentials works.

Debug Output With Command String

secretsdump -debug qu35t:'ADMINPWD'@10.13.37.123
Impacket v0.12.0.dev1+20240604.210053.9734a1af - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /root/.local/share/pipx/venvs/impacket/lib/python3.11/site-packages/impacket
[+] Service RemoteRegistry is already running
[+] Retrieving class info for JD
[+] Retrieving class info for Skew1
[+] Retrieving class info for GBG
[+] Retrieving class info for Data
[*] Target system bootKey: 0x94e528ae2e011f45e7f9f79049868add
[+] Checking NoLMHash Policy
[+] LMHashes are NOT being stored
[+] Saving remote SAM database
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[+] Calculating HashedBootKey from SAM
[+] NewStyle hashes is: True
Administrator:500:a[***]c8:::
[+] NewStyle hashes is: True
Guest:501:aad3b435b51404eeaad3b435b51404ee:3[***]0:::
[+] NewStyle hashes is: True
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:3[***]0:::
[+] NewStyle hashes is: True
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:2[***]3:::
[+] Saving remote SECURITY database
[*] Dumping cached domain logon information (domain/username:hash)
[+] Decrypting LSA Key
[+] Decrypting NL$KM
[+] Looking into NL$1
[+] Looking into NL$2
[+] Looking into NL$3
[+] Looking into NL$4
[+] Looking into NL$5
[+] Looking into NL$6
[+] Looking into NL$7
[+] Looking into NL$8
[+] Looking into NL$9
[+] Looking into NL$10
[*] Dumping LSA Secrets
[+] Looking into $MACHINE.ACC
[*] $MACHINE.ACC 
CELESTINA\WK-123$:aes256-cts-hmac-sha1-96:4[***]e63
CELESTINA\WK-123$:aes128-cts-hmac-sha1-96:01[***]000
CELESTINA\WK-123$:des-cbc-md5:c12[***]a
CELESTINA\WK-123$:plain_password_hex:440[***]100
CELESTINA\WK-123$:aad3[***]64f2:::
[+] Looking into DPAPI_SYSTEM
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x80[***]47f4f6d
dpapi_userkey:0xb95[***]2ccf8
[+] Looking into DSREGCMD
[+] Unknown type 0xb''
Traceback (most recent call last):
  File "/root/.local/bin/secretsdump.py", line 297, in dump
    self.__LSASecrets.dumpSecrets()
  File "/root/.local/share/pipx/venvs/impacket/lib/python3.11/site-packages/impacket/examples/secretsdump.py", line 1876, in dumpSecrets
    value = self.getValue('\\Policy\\Secrets\\{}\\{}\\default'.format(key,valueType))
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/root/.local/share/pipx/venvs/impacket/lib/python3.11/site-packages/impacket/examples/secretsdump.py", line 1328, in getValue
    value = self.__registryHive.getValue(keyValue)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/root/.local/share/pipx/venvs/impacket/lib/python3.11/site-packages/impacket/winregistry.py", line 458, in getValue
    key = self.findKey(regKey)
          ^^^^^^^^^^^^^^^^^^^^
  File "/root/.local/share/pipx/venvs/impacket/lib/python3.11/site-packages/impacket/winregistry.py", line 378, in findKey
    res = self.__findSubKey(parentKey, subKey)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/root/.local/share/pipx/venvs/impacket/lib/python3.11/site-packages/impacket/winregistry.py", line 299, in __findSubKey
    data = lf['HashRecords']
           ~~^^^^^^^^^^^^^^^
  File "/root/.local/share/pipx/venvs/impacket/lib/python3.11/site-packages/impacket/structure.py", line 171, in __getitem__
    return self.fields[key]
           ~~~~~~~~~~~^^^^^
KeyError: 'HashRecords'
[-] LSA hashes extraction failed: 'HashRecords'
[*] Cleaning up... 
gabtoubl commented 4 months ago

It seems that this specific entry DSREGCMD doesn't have the CurrVal\default structure secretsdump is expecting:

PS C:\Windows\system32> reg query HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\DSREGCMD

HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\DSREGCMD
    MutexName    REG_SZ    9d0[***]7ce9f
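The record the traceback indexes (`lf['HashRecords']`) is one of four subkey-list cell layouts in a regf hive, and only the 'lf' and 'lh' layouts carry hash records. The parser below is an added example, not impacket's code and not a confirmed explanation of this DSREGCMD failure: it handles all four layouts on constructed sample cells, shows where a hash-only lookup raises the same `KeyError`, and walks 'ri' indirection tolerantly; the cell offsets and the `read_cell` callback are assumptions.

```python
import struct

# The four subkey-list cell types of a regf hive. Each starts with a 2-byte
# signature and a 2-byte entry count. 'lf'/'lh' entries are (key-node offset,
# hash); 'li' entries are bare offsets; 'ri' entries are offsets of further lists.
HASHED, INDEX_LEAF, INDEX_ROOT = {b"lf", b"lh"}, b"li", b"ri"


def parse_subkey_list(cell):
    """Return (signature, [(offset, hash_or_None), ...]) for one list cell."""
    if len(cell) < 4:
        raise ValueError("cell too short for a subkey-list header")
    sig, (count,) = cell[:2], struct.unpack_from("<H", cell, 2)
    if sig in HASHED:
        fmt, width = "<II", 8
    elif sig in (INDEX_LEAF, INDEX_ROOT):
        fmt, width = "<I", 4
    else:
        raise ValueError("unknown subkey-list signature %r" % sig)
    if len(cell) < 4 + width * count:
        raise ValueError("truncated %r list, %d entries claimed" % (sig, count))
    entries = [struct.unpack_from(fmt, cell, 4 + width * i) for i in range(count)]
    return sig, [(e[0], e[1] if width == 8 else None) for e in entries]


def strict_hash_records(cell):
    """The failing pattern: assume every list is hashed and index 'HashRecords'."""
    sig, entries = parse_subkey_list(cell)
    record = {"HashRecords": entries} if sig in HASHED else {}
    return record["HashRecords"]  # KeyError: 'HashRecords' on 'li'/'ri' cells


def key_node_offsets(cell, read_cell, depth=0):
    """Tolerant walk: flatten any list type to key-node offsets, following 'ri'."""
    if depth > 8:
        raise ValueError("'ri' nesting too deep, refusing to recurse")
    sig, entries = parse_subkey_list(cell)
    if sig != INDEX_ROOT:
        return [off for off, _ in entries]
    return [o for off, _ in entries
            for o in key_node_offsets(read_cell(off), read_cell, depth + 1)]


# Constructed sample cells keyed by hypothetical offset (not from any real hive).
HIVE = {
    0x200: b"lf" + struct.pack("<HIIII", 2, 0x120, 0x41424344, 0x1A0, 0x45464748),
    0x240: b"li" + struct.pack("<HII", 2, 0x300, 0x340),
    0x280: b"ri" + struct.pack("<HII", 2, 0x200, 0x240),
}
```

`key_node_offsets(HIVE[0x280], HIVE.__getitem__)` flattens the 'ri' root into the four key-node offsets, while `strict_hash_records(HIVE[0x240])` reproduces the `KeyError: 'HashRecords'` from the report.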