Windows Authentication

General Overview:

  • Windows Authentication involves modules like WinLogon, LSASS, SAM, and Active Directory for logon, credential retrieval, and verification.
  • Local Security Authority (LSA): Handles local authentication, maintains security policies, manages SIDs, and provides object access checks.

Authentication Components:

  • WinLogon:

    • Manages user interactions (logon, password changes, locking/unlocking).
    • Uses Credential Providers to collect user credentials.
    • Launches LogonUI for the graphical logon interface.
    • Calls LSASS for user authentication.
  • LSASS:

    • Core security service located at %SystemRoot%\System32\Lsass.exe.
    • Manages policies, user authentication, and audit logs.
    • Contains modules like Lsasrv.dll, Msv1_0.dll, Kerberos.dll, and others for different authentication types.

Authentication Packages:

  • Lsasrv.dll: Enforces policies, manages security packages (e.g., Kerberos, NTLM).
  • Msv1_0.dll: Used for local machine logons.
  • Samsrv.dll: Manages local security accounts and policies.
  • Kerberos.dll: Handles Kerberos authentication.
  • Netlogon.dll: Network logon service.
  • Ntdsa.dll: Manages Active Directory entries.

Security Account Manager (SAM):

  • SAM Database:

    • Stores local user credentials as LM or NTLM hashes.
    • Located in %SystemRoot%\System32\config\SAM (requires SYSTEM access).
    • Domain Environment: Credentials are validated against the Active Directory database (ntds.dit).
  • SYSKEY:

    • Encrypts SAM data for additional security.

NTDS:

  • Active Directory's database file (ntds.dit) stores:
    • User and group accounts, password hashes, GPOs.
  • Synchronized across all Domain Controllers except Read-Only Domain Controllers.

Credential Manager:

  • Stores user credentials for network resources and websites.
  • Encrypted credentials are stored in:
    C:\Users\[Username]\AppData\Local\Microsoft\Vault
    C:\Users\[Username]\AppData\Local\Microsoft\Credentials

Key Takeaways:

  • Local Logons: SAM database is used for authentication.
  • Domain Logons: Credentials validated by Domain Controllers via Active Directory.
  • Credential Extraction: SAM and NTDS.dit files are common targets for credential attacks.
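Because the SAM hive, ntds.dit, the Credential Manager folders and the LSASS process are the places credentials live, a defender's first monitoring step is to watch for access to exactly those objects. The following is an added example, not part of the original notes: a small Python detector that scans audit records shaped like Windows Security event 4663 (object access) and Sysmon event 10 (ProcessAccess) for reads of those stores and for handles to lsass.exe that carry the PROCESS_VM_READ right. The sample log lines, the process names in them and the allowlist are constructed for the demo; the field names follow the real event schemas.

```python
"""Detect access to Windows credential stores in constructed audit records.

Added example, not code from the original notes. Assumes JSON-lines input with
field names from Security event 4663 (ObjectName, ProcessName, SubjectUserName)
and Sysmon event 10 (SourceImage, TargetImage, GrantedAccess). Sample values
below are made up.
"""
import json
import re

# Constructed sample records (paths and process names are invented for the demo).
SAMPLE_LOG = r"""
{"EventID": 4663, "SubjectUserName": "alice", "ProcessName": "C:\\Windows\\explorer.exe", "ObjectName": "C:\\Users\\alice\\notes.txt", "AccessMask": "0x1"}
{"EventID": 4663, "SubjectUserName": "svc_backup", "ProcessName": "C:\\Tools\\dump.exe", "ObjectName": "C:\\Windows\\System32\\config\\SAM", "AccessMask": "0x1"}
{"EventID": 4663, "SubjectUserName": "svc_backup", "ProcessName": "C:\\Tools\\dump.exe", "ObjectName": "C:\\Windows\\NTDS\\ntds.dit", "AccessMask": "0x1"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 10, "SourceImage": "C:\\Tools\\dump.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
"""

# Paths of the credential stores named in the notes: SAM hive, AD database,
# and the per-user Credential Manager folders.
CREDENTIAL_STORE_PATTERNS = [
    re.compile(r"\\system32\\config\\sam$", re.IGNORECASE),
    re.compile(r"\\ntds\.dit$", re.IGNORECASE),
    re.compile(r"\\appdata\\local\\microsoft\\(vault|credentials)\\", re.IGNORECASE),
]

# Win32 process access right needed to read another process's memory.
PROCESS_VM_READ = 0x0010


def parse_records(text):
    """Parse JSON-lines audit text into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(records, lsass_allowlist=frozenset()):
    """Return (rule, detail) alerts for credential-store file access and
    LSASS memory reads. lsass_allowlist holds lowercase source image paths
    that are expected to read LSASS (e.g. a vetted EDR agent); it is a
    deployment-specific assumption, empty by default."""
    alerts = []
    for rec in records:
        eid = rec.get("EventID")
        if eid == 4663:
            obj = rec.get("ObjectName", "")
            if any(p.search(obj) for p in CREDENTIAL_STORE_PATTERNS):
                alerts.append(("credential_store_file_access",
                               f'{rec.get("SubjectUserName")} via '
                               f'{rec.get("ProcessName")} -> {obj}'))
        elif eid == 10:
            target = rec.get("TargetImage", "")
            source = rec.get("SourceImage", "")
            granted = int(rec.get("GrantedAccess", "0"), 16)
            # Only a handle that includes PROCESS_VM_READ can read LSASS memory;
            # 0x1000 (query limited information) alone is routine and ignored.
            if (target.lower().endswith("\\lsass.exe")
                    and granted & PROCESS_VM_READ
                    and source.lower() not in lsass_allowlist):
                alerts.append(("lsass_memory_read",
                               f"{source} -> {target} (GrantedAccess=0x{granted:x})"))
    return alerts


def run_demo():
    """Run the detector over the constructed sample log."""
    return detect(parse_records(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, detail in run_demo():
        print(f"[{rule}] {detail}")
```

On the sample above the detector raises three alerts: the two file reads of the SAM hive and ntds.dit, and the lsass.exe handle that carries PROCESS_VM_READ; the svchost.exe handle with only 0x1000 is ignored. In a real deployment the allowlist and the path patterns are the parts to tune.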