Home - EvanMcBroom/lsa-whisperer GitHub Wiki

The Local Security Authority

The Local Security Authority (LSA) provides several security related services for the Windows operating system. LSA runs within the LSA Subsystem Service (LSASS) Windows service executable but is largely implemented in the LSA server DLL (e.g. lsasrv.dll) and other DLLs that the LSA server DLL imports.

The remainder of this page will provide a background of the LSA components that the project interacts with. If you prefer, you may skip to the tool’s usage page or one of the many child pages for a reference guide on using it.

As a whole, this wiki is a culmination of studying LSA, its modules, and other associated resources (ex. patents) without access to internal Microsoft documentation. As such, errors in documentating Microsoft’s technologies are inevitable. Please regard any errors as unintentional and consider submitting a pull request for their correction.

The components of LSA may be categorized in different ways but are presented here using the RPC interfaces exposed by the LSASS process on a workstation host as of NT 10 19045. Of these interfaces, the LSA Whisperer focuses on interacting with the SSPI.

Table 1. LSA RPC Interfaces
Description UUID (Version) File

DPAPI ICryptProtect

11220835-5b26-4d94-ae86-c3e475a809de (1.0)

dpapisrv.dll

DPAPI PasswordRecovery

5cbe92cb-f4be-45c9-9fc9-33e73e557b20 (1.0)

dpapisrv.dll

DPAPI SidKey

7f1317a8-4dea-4fa2-a551-df5516ff8879 (1.0)

dpapisrv.dll

Exchange ActiveSync

d25576e4-00d2-43f7-98f9-b4c0724158f9 (0.0)

lsasrv.dll

Idp Ex

c0d930f0-b787-4124-99bc-21f0ecb642ce (0.0)

lsasrv.dll

Isolated User Mode MK

41baa680-50ce-4967-a8fa-0596343a7ccf (0.0)

lsasrv.dll

Key Isolation

b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86 (1.0)

keyiso.dll

MS-CAPR

afc07e2e-311c-4435-808c-c483ffeec7c9 (1.0)

lsasrv.dll

MS-DSSP (Dsrole)

3919286a-b10c-11d0-9ba8-00c04fd92ef5 (0.0)

lsasrv.dll

MS-EFSR

c681d488-d850-11d0-8c52-00c04fd90f7e (1.0)

efslsaext.dll

MS-LSAD (Audit)

12345778-1234-abcd-ef00-0123456789ab (0.0)

lsasrv.dll

MS-SAMR

12345778-1234-abcd-ef00-0123456789ac (1.0)

samsrv.dll

Ngc Pop Key Service

51a227ae-825b-41f2-b4a9-1ac9557a1018 (1.0)

keyiso.dll

Ngc Pop Key Service

8fb74744-b2ff-4c00-be0d-9ef9a191fe1b (1.0)

keyiso.dll

Policy Lookup

fb8a0729-2d04-4658-be93-27b4ad553fac (1.0)

lsass.exe

Private Data

ace1c026-8b3f-4711-8918-f345d17f5bff (1.0)

lsasrv.dll

Sspi

4f32adc8-6052-4a04-8701-293ccf2096f0 (1.0)

SspiSrv.dll

Vault

bb8b98e8-84dd-45e7-9f34-c3fb6155eeed (1.0)

vaultsvc.dll

Security Support Provider Interface

The main goal of the LSA Whisperer project is to interact with security support provider (SSP) DLLs. Developers may use a set of Win32 functions (ex. LsaCallAuthenticationPackage) to interact with SSPs. Originally, these functions communicated with LSASS over LPC in NT 5.2 and earlier. They now work as an abstraction around the SSPI RPC interface which was introduced in NT 6.1. The SSPI RPC interface is available on ALRPC endpoint lsasspirpc and may be used directly instead of using the documented Win32 APIs.

When LSA Whisperer starts it will check if the host is running NT 6.1 or newer. If so, the tool will use the SSPI RPC interface when communicating with the LSA. Otherwise, the tool will use the equivalent Win32 interfaces. The RPC operations supported by the SSPI interface are listed below. Of these, LSA Whisperer mainly uses SspirCallRpc.

Table 2. SSPI Operations
Opnum Operation Notes

0x0

SspirConnectRpc

LsaConnectUntrusted

0x1

SspirDisconnectRpc

LsaDeregisterLogonProcess

0x2

SspirDisconnectRpc

Calls the same server function as procnum 0x1

0x3

SspirCallRpc

LsaCallAuthenticationPackage and LsaLookupAuthenticationPackage. Handled by lsasrv.dll!DispatchAPI

0x4

SspirAcquireCredentialsHandle

LsaAcquireCredentialsHandle

0x5

SspirFreeCredentialsHandle

LsaFreeCredentialsHandle

0x6

SspirProcessSecurityContext

LsaInitializeSecurityContext and LsaAcceptSecurityContext

0x7

SspirDeleteSecurityContext

LsaDeleteSecurityContext

0x8

SspirSslQueryCredentialsAttributes

QueryCredentialsAttributes (Schannel)

0x9

SspirNegQueryContextAttributes

QueryContextAttributes (Negotiate)

0xA

SspirSslSetCredentialsAttributes

SetCredentialsAttributes (Schannel)

0xB

SspirApplyControlToken

LsaApplyControlToken

0xC

SspirLogonUser

LsaLogonUser

0xD

SspirLookupAccountSid

Verifies that the provided SID is valid

0xE

SspirGetUserName

GetUserNameExW

0xF

SspirGetInprocDispatchTable

Returns &SspiInprocFunctions if local

Security Support Providers

SSPs are DLLs that either implement a security protocol (security packages - SPs) and/or authentication logic (authentication package - APs). The LSA Whisperer project largely focuses on the authentication logic contained in an SSP. As such, the project will refer to SSPs that support both a security protocol and authentication logic as an authentication package (AP).

The below table provides a summary of the SSPs that have been released by Microsoft over the years. LSA Whisperer supports interacting with a subset of the below SSPs that are marked as APs. Please refer to the individual wiki page for each SSP to see which commands the project supports for each AP.

Table 3. Microsoft SSPs
Dll Common Name SP AP RPC ID RPC Authn

cloudap

Cloud AP

OAuth 2.0

✔️

36

CLOUD_AP

credssp

Credential Delegation SSP

TLS+SPNEGO

kerberos

Kerberos

Kerberos

✔️

16

GSS_KERBEROS

livessp

Live SSP

?

✔️

32

LIVE_SSP

msapsspc

DPA Client

RPA

17

DPA

msnsspc

MSN Client

NTLM

18

MSN

msv1_0

Microsoft Authentication Package v1.0

NTLM

✔️

10

WINNT

negoexts

Negotiate Extender

NEGOEX

✔️

30

NEGO_EXTENDER

lsasrv

Negotiate

SPNEGO

✔️

9

GSS_NEGOTIATE

pku2u

Public Key User to User

PKU2U

✔️

31

NEGO_PKU2U

schannel

Secure Channel

SSL/TLS

✔️

14

GSS_SCHANNEL

sfapm

Secret Filter AP

?

✔️

-1

DEFAULT

tspkg

Terminal Services Package

✔️

22

?

wdigest

Windows Digest

Digest Access

✔️

21

DIGEST

Livessp, msapsspc, and msnsspc are legacy SSPs that have been removed from Windows. The components for the distributed computing environment (DCE), kernel, and message queue (MQ) RPC authn options could not be identified for auditing. Lastly, the DEFAULT RPC authentication method, RPC ID -1, is intended to be used as an alias for an NTLM SP (e.g., msv1_0); though, the sfapm AP also reports its RPC ID as -1.

A table of common 3rd party SSPs is provided below. LSA Whisperer does not provide support for these SSPs.

Table 4. 3rd Party SSPs
Dll Name SP AP RPC ID

vmwsu_v1_0

VMware SU Authentication Provider

✔️

0xffff
✏️
 The only meaningful functions that vmwsu_v1_0 implements is SpGetInfo and LogonUser.

Package Calls

An authentication package (AP) is any SSP that implements the LSA_AP_ prefixed function types in its SECPKG_FUNCTION_TABLE function table during the package’s initialization by LSA. Of these, LSA whisperer focuses on the set of "call package" functions which allows 3rd party code to interact with an AP’s custom functionality. These functions are named CallPackage, CallPackageUntrusted, and CallPackagePassthrough.

A client will normally use these functions when calling LsaCallAuthenticationPackage. That Win32 API will be facilitated by an AP’s CallPackage or CallPackageUntrusted function depending on if the client has the TCB privilege or not, respectively. LSA whisperer itself is a client application and almost every command the tool implements will interact with one of these two functions.

A client will be required to specify a package ID when making this call. LSA Whisperer will obtain these IDs automatically for the user using LsaLookupAuthenticationPackage. Clients may alternatively use a special package ID, SECPKG_ALL_PACKAGES or -2, which LSA will handle by issuing the call to all loaded APs. There is a small set of calls that are intended for this feature which each AP may choose to process or ignore. These intended calls and the APs that support them are provided below. These commands may be issued with LSA Whisperer using the all command (ex. all PinDC).

Table 5. All Package Messages
Id Message Packages

0x400

PinDc

  • kerberos

0x401

UnpinAllDcs

  • kerberos

0x402

TransferCred

  • cloudap

  • kerberos

  • livessp

  • msv1_0

  • negotiate

The CallPackagePassthrough function is only used when a request is encapsulated in a GenericPassthrough message and sent as a package call to msv1_0. For a domain joined host, msv1_0 will send the encapsulated request via NetLogon to the LSA on the DC for processing. For a workgroup host, msv1_0 will issue the encapsulated request itself within LSA. Once an LSA receives the request it will be processed by the requested AP’s CallPackagePassthrough function.

✏️
 A domain joined host may be tricked into believing it is a workgroup host to have it process passthrough requests locally.

An AP may not support passthrough requests and the ones that do will typically limit clients to a small set of request types. The current list of allowable passthrough requests is provided below. LSA Whisperer does not currently support issuing passthrough requests.

Table 6. Passthrough Requests
Dll Ids Message Types

cloudap

Unsupported

kerberos

0x03

VerifyPac

livessp

Unsupported

msv1_0

0x09

SubAuth

negoexts

Unsupported

negotiate

None

pku2u

Unsupported

schannel

0x02

LookupCert

tspkg

Unsupported

wdigest

0x1a

VerifyDigest

SSPI Security

Windows does not specify a security callback function when registering the SSPI RPC interface. It does however register the interface with the flag RPC_IF_ALLOW_LOCAL_ONLY. That prevents LSA Whisperer from interacting with a remote host using this interface.

The only additional check the RPC server performs is to verify that a client is local if it requests the SspirGetInprocDispatchTable operation. This check is redundant and does not affect LSA Whisperer. For other operations, no client verification is done by the server and the SSPI server passes execution in almost all cases to an equivalently named function in the LsapSspiExtensionFunctions table inside lsasrv (the internal function will be prefixed with the name SspiEx). The lsasrv will then pass execution to the original LPC handlers (ex. LpcHandler). Please refer to the SPM page if you would like more information about these LPC handlers.

It is also worth noting that the RPC runtime has a hardcoded list of interfaces that are exempt from multiple security mitigations that have existed since NT 5.2. The list is named RpcVerifierExemptInterfaces and may be found by viewing its use in the rpcrt4.dll!IsInterfaceExempt function. The list includes multiple RPC servers that have been previously abused such as MS-DFSNM, MS-EFSR, MS-SRVS, and MS-WKST.

Interestingly, Microsoft has only added 2 interfaces to this list since NT 5.2. One is the Remote Management interface and one is SSPI. Microsoft has also added 1 additional mitigation bypass which has only been applied to SSPI (flag 0x8). Each mitigation bypass that Microsoft may specify is provided below. All of these bypasses have been applied to the SSPI interface. Microsoft’s need for doing this has still not been determined.

// Allow the interface to be remotely acessible without specifying a security
// callback and or the RPC_IF_ALLOW_SECURE_ONLY flag during its registration
#define ALLOW_UNSECURE_REMOTE_ACCESS 0x00000001

// The interface may be called remotely without
// RPC_C_AUTHN_LEVEL_PKT_PRIVACY
#define ALLOW_UNENCRYPTED_REMOTE_ACCESS 0x00000002

// The interface may be called remotely without mutual
// authentication
#define ALLOW_NO_MUTUAL_AUTH_REMOTE_ACCESS 0x00000004

// Do not flag the use of a security callback when running
// with the RPC verifier. Usage determined by binary auditing
#define RPC_VERIFIER_UNSAFE_FEATURE 0x00000008
⚠️ **GitHub.com Fallback** ⚠️