gentilkiwi / mimikatz

A little tool to play with Windows security
http://blog.gentilkiwi.com/mimikatz

lsadump::secrets Win 2004 #303

Open Papotito123 opened 4 years ago

Papotito123 commented 4 years ago

Hello: When I run mimikatz in Win 10 2004 x64, the LSA secrets are not retrieved (also in other tools). This works well in Win 10 1809 x64.

```
  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 16 2020 10:26:39
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY gentilkiwi ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz # version

mimikatz 2.2.0 (arch x64)
Windows NT 10.0 build 19041 (arch x64)
msvc 150030729 207

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # token::elevate
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM

84 {0;000003e7} 1 D 67669 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Primary
 -> Impersonated !

mimikatz # lsadump::secrets
Domain : DESKTOP-RA99DA6
SysKey : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Local name : DESKTOP-RA99DA6 ( S-1-5-21-1615885338-2756042382-2413003415 )
Domain name : WORKGROUP

Policy subsystem is : 1.18
LSA Key(s) : 1, default {2572ce28-669a-2040-a310-e6723d2ed016}
  [00] {2572ce28-669a-2040-a310-e6723d2ed016} b80b05526a636216668db5546d5a132be6333b1b19dcf99920ef0c152774bda2

Secret  : DPAPI_SYSTEM
cur/hex : 01 00 00 00 10 b2 f8 60 bf 72 e1 e4 20 2d 3d b9 0e 92 fc 8f 38 c4 9c 16 2e 24 b4 41 df 79 1f 40 1f ca 8a 88 b7 25 a1 27 ce f4 f1 38
    full: 10b2f860bf72e1e4202d3db90e92fc8f38c49c162e24b441df791f401fca8a88b725a127cef4f138
    m/u : 10b2f860bf72e1e4202d3db90e92fc8f38c49c16 / 2e24b441df791f401fca8a88b725a127cef4f138
old/hex : 01 00 00 00 46 dd df 87 be 6d 13 39 b6 fb 2d 97 81 04 ec fa d4 1a c6 fe e6 24 67 cb d6 94 6f 90 99 c5 5d 2c c5 3d 5b 3e fa 28 a1 c0
    full: 46dddf87be6d1339b6fb2d978104ecfad41ac6fee62467cbd6946f9099c55d2cc53d5b3efa28a1c0
    m/u : 46dddf87be6d1339b6fb2d978104ecfad41ac6fe / e62467cbd6946f9099c55d2cc53d5b3efa28a1c0

mimikatz #
```

Thanks.

Papotito123 commented 3 years ago

Hello: Win 10 20H1 x64 local user.

I ran regedit as TrustedInstaller and as the SYSTEM user, but in HKLM\SECURITY\Policy\Secrets you can only have DPAPI_SYSTEM with subkeys of: CupdTime, CurrVal, OldVal, OutputTime, SecDesc. No others. Also, there's no L$_SQSA_S-1-5-21-16xxxxxxxxxxxxxxxxx-100x found in the registry.

Still, the only tool to see LSA Secrets for Win 20H1 is SecurityQuestionsView from NirSoft.

But when talking about a Microsoft Account user, I have not found a tool that can read this user's LSA secrets.

Thanks

Papotito123 commented 3 years ago

Hello: For the benefit of you and some other tools' devs, with whom I have some contact, I reinstalled Windows 10 2004H1.

Windows 10 2004H1 (OS Build 19041.685) fresh installation for local user account and Defender turned OFF.

LSA Secrets are still not retrieved.

Any info much appreciated.