LSA Whisperer: Open-source tools for interacting with authentication packages – Help Net Security

Summary: This article discusses LSA Whisperer, an open-source tool designed to interact with authentication packages and recover credentials from the Local Security Authority Subsystem Service (LSASS) without accessing its memory.

Threat Actor: N/A
Victim: N/A

Key Points:

  • LSA Whisperer is a tool developed by SpecterOps that allows users to recover various types of credentials from LSASS.
  • The tool supports multiple authentication packages, including cloudap, kerberos, msv1_0, negotiate, pku2u, schannel, and cloudap’s AzureAD plugin.
  • Partial or unstable support is provided for livessp, negoexts, and the security package manager.
  • LSA Whisperer was developed to document and implement package calls for red team assessments.

LSA Whisperer consists of open-source tools designed to interact with authentication packages through their unique messaging protocols. Support is currently provided for the cloudap, kerberos, msv1_0, negotiate, pku2u, schannel packages and cloudap’s AzureAD plugin. Partial or unstable support is provided for livessp, negoexts, and the security package manager.

What LSA Whisperer does

“Many authentication packages generally support their internal APIs, known as package calls, and relatively few are documented or used outside of Microsoft. I wanted to document as many of these calls as possible and implement a tool for interacting with them so we could identify which would provide value for red team assessments,” Evan McBroom, Senior Software Engineer at SpecterOps, told Help Net Security.

“LSA Whisperer allows you to directly recover multiple types of credentials from the Local Security Authority Subsystem Service (LSASS) without accessing its memory. In the right context, LSA Whisperer can recover Kerberos tickets, SSO cookies, DPAPI credential keys (which are used to decrypt DPAPI-protected user data), and NTLMv1 responses (which are easily cracked to a usable NT hash for an account).”

“The API the tool uses for recovering Kerberos tickets is well documented and used by other ‘ticket dumping’ tools. Still, we believe that LSA Whisperer’s approach for recovering all the mentioned credentials is new and offers less opportunity for a defensive product to detect its activity,” McBroom added.

Future plans and download

“I plan to continue maintaining the project and provide updates to the tool and the project’s wiki. There are several package calls that I believe may provide value, but I have yet to implement them into the tool, which I would like to do,” McBroom concluded.

LSA Whisperer uses CMake to generate and run the build system files for your platform. The project does not rely on any library manager, allowing it to be easily built offline if desired. You will need the latest Windows 11 SDK.

LSA Whisperer is available for free on GitHub.

Source: https://www.helpnetsecurity.com/2024/04/26/lsa-whisperer-open-source-tools-for-interacting-with-authentication-packages/
