https://averagept.pages.dev/tags/reverse-engineering/ Recent content in Reverse Engineering on averagept Hugo -- 0.147.7 en-us Thu, 16 Apr 2026 10:09:53 +0100 https://averagept.pages.dev/posts/insidelsass/ Thu, 16 Apr 2026 10:09:53 +0100 https://averagept.pages.dev/posts/insidelsass/ <p>The main focus of this blog post will be explaining how Kerberos tickets are cached in LSASS, how they can be extracted and how they can be used to impersonate other users. Ticket extraction will be demonstrated both automatically using <strong>Mimikatz</strong> and manually by inspecting a memory dump of <em>lsass.exe</em>. A fix to Mimikatz source code will be applied to make it correctly parse tickets.</p> <h1 id="1-introducing-lsass">1. Introducing LSASS</h1> <p>The <em>Local Security Authority Subsystem Service</em> (LSASS.exe) is a Windows process responsible for handling <strong>local security policies</strong>, <strong>user authentication</strong>, and <strong>stores credentials in memory</strong>. Because of this, it becomes a valuable target for attackers that want to move laterally inside a network.</p>