dissect.target.plugins.os.windows.credential.lsa

Module Contents

Classes

LSAPlugin

Windows Local Security Authority (LSA) plugin.

Attributes

HAS_CRYPTO
LSASecretRecord

dissect.target.plugins.os.windows.credential.lsa.HAS_CRYPTO = True

dissect.target.plugins.os.windows.credential.lsa.LSASecretRecord

class dissect.target.plugins.os.windows.credential.lsa.LSAPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.Plugin

Windows Local Security Authority (LSA) plugin.

References

• https://learn.microsoft.com/en-us/windows/win32/secauthn/lsa-authentication

• https://moyix.blogspot.com/2008/02/decrypting-lsa-secrets.html (Windows XP)

• https://github.com/fortra/impacket/blob/master/impacket/examples/secretsdump.py

• ReVaulting decryption and opportunities SANS Summit Prague 2015

__namespace__ = 'lsa'

Defines the plugin namespace.

SECURITY_POLICY_KEY = 'HKEY_LOCAL_MACHINE\\SECURITY\\Policy'

SYSTEM_KEY = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA'

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

property syskey: bytes

Return byte value of Windows system SYSKEY, also called BootKey.

property lsakey: bytes

Decrypt and return the LSA key of the Windows system.

secrets() → collections.abc.Iterator[LSASecretRecord]

Yield decrypted LSA secrets from a Windows target.