In the past, the encrypted password was stored together with the username in the /etc/passwd file, but this was increasingly recognized as a security problem because the file can be viewed by all users on the system and must be readable. The /etc/shadow file can only be read by the user root.

passwd file

htb-student:

x:

1000:

,,,:

/home/htb-student:

/bin/bash

<username>:

<password>:

<uid>:

<gid>:

<comment>:

<home directory>:

<cmd executed after logging in>

Windows

Winlogon

Winlogon is a trusted process responsible for managing security-related user interactions. These include:

Launching LogonUI to enter passwords at login
Changing passwords
Locking and unlocking the workstation

lsass

Local Security Authority Subsystem Service (LSASS) is a collection of many modules and has access to all authentication processes that can be found in %SystemRoot%\System32\Lsass.exe. This service is responsible for the local system security policy, user authentication, and sending security audit logs to the Event log. In other words, it is the vault for Windows-based operating systems, and we can find a more detailed illustration of the LSASS architecture here.

Lsasrv.dll

The LSA Server service both enforces security policies and acts as the security package manager for the LSA. The LSA contains the Negotiate function, which selects either the NTLM or Kerberos protocol after determining which protocol is to be successful.

Msv1_0.dll

Authentication package for local machine logons that don't require custom authentication.

Samsrv.dll

The Security Accounts Manager (SAM) stores local security accounts, enforces locally stored policies, and supports APIs.

Kerberos.dll

Security package loaded by the LSA for Kerberos-based authentication on a machine.

Netlogon.dll

Network-based logon service.

Ntdsa.dll

This library is used to create new records and folders in the Windows registry.

Source: Microsoft Docs.

SAM Database

The Security Account Manager (SAM) is a database file in Windows operating systems that stores users' passwords.

User passwords are stored in a hash format in a registry structure as either an LM hash or an NTLM hash. This file is located in %SystemRoot%/system32/config/SAM and is mounted on HKLM/SAM. SYSTEM level permissions are required to view it.

Microsoft introduced a security feature in Windows NT 4.0 to help improve the security of the SAM database against offline software cracking. This is the SYSKEY (syskey.exe) feature, which, when enabled, partially encrypts the hard disk copy of the SAM file so that the password hash values for all local accounts stored in the SAM are encrypted with a key.

Credential Manager

Credential Manager is a feature built-in to all Windows operating systems that allows users to save the credentials they use to access various network resources and websites

Credentials are encrypted and stored at the following location: C:\Users\[Username]\AppData\Local\Microsoft\[Vault/Credentials]\

NTDS

In these cases, the Windows systems will send all logon requests to Domain Controllers that belong to the same Active Directory forest. Each Domain Controller hosts a file called NTDS.dit that is kept synchronized across all Domain Controllers with the exception of Read-Only Domain Controllers.

NTDS.dit is a database file that stores the data in Active Directory, including but not limited to:

User accounts (username & password hash)
Group accounts
Computer accounts
Group policy objects

PreviousReverse Shells + Bind + Web NextJohn the ripper

Last updated 21 days ago