LSA Whisperer: Open-source tools for interacting with authentication packages
2024-04-26 04:30

LSA Whisperer consists of open-source tools designed to interact with authentication packages through their unique messaging protocols.

"Many authentication packages generally support their internal APIs, known as package calls, and relatively few are documented or used outside of Microsoft. I wanted to document as many of these calls as possible and implement a tool for interacting with them so we could identify which would provide value for red team assessments," Evan McBroom, Senior Software Engineer at SpecterOps, told Help Net Security.

"LSA Whisperer allows you to directly recover multiple types of credentials from the Local Security Authority Subsystem Service without accessing its memory. In the right context, LSA Whisperer can recover Kerberos tickets, SSO cookies, DPAPI credential keys, and NTLMv1 responses."

"The API the tool uses for recovering Kerberos tickets is well documented and used by other 'ticket dumping' tools. Still, we believe that LSA Whisperer's approach for recovering all the mentioned credentials is new and offers less opportunity for a defensive product to detect its activity," McBroom added.

LSA Whisperer uses CMake to generate and run the build system files for your platform.

You will need the latest Windows 11 SDK. LSA Whisperer is available for free on GitHub.


News URL

https://www.helpnetsecurity.com/2024/04/26/lsa-whisperer-open-source-tools-for-interacting-with-authentication-packages/