Credential Dumping

cpassword

Groups.xml --- you are less likely to run into this in a modern environment, as Microsoft stopped doing this in 2012.

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeX

SAM Database Dump

Shadow copy of the C:\ drive
Copying SAM and SYSTEM off the shadow volume
Downloading SAM and SYSTEM onto Kali
Using creddump7's pwdump to decrypt the SAM database and retrieve the Administrator NTLM hash

Windows Local Administrator Password Solution (LAPS)

LSA Hash Dump (NTLM or Plaintext) Using Mimikatz

The Local Security Authority Subsystem Service (LSASS) can be run with a Local Security Authority protection called Protected Process Light (PPL). When this is enabled, not even a process running at SYSTEM integrity level can open LSASS to dump logon passwords or hashes.

This attribute is set in the registry key shown below and is enforced by a bit in the EPROCESS kernel object.

Fortunately for us, mimikatz already has a built-in bypass for this. It works by loading its mimidrv.sys driver, which requires already having local Administrator or SYSTEM level permissions: a high-integrity or SYSTEM token is needed to use the SeLoadDriverPrivilege required to load signed drivers.

It's also possible to retrieve the hashes without running mimikatz on the victim computer: dump the lsass process with Task Manager and open the dump file on an attacker-controlled Windows machine.
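From the defender's side, the two things worth checking after reading the above are whether LSA Protection is actually in effect and who has been opening handles to lsass.exe (which is how the Task Manager dump shows up in telemetry). The following PowerShell is an added example, not part of the original notes; it assumes an elevated session on the host being audited and, for the handle check, that Sysmon is installed with ProcessAccess (Event ID 10) logging enabled.

```powershell
# Added audit/detection example (not from the original notes).
# Assumes: elevated PowerShell on the Windows host; Sysmon with Event ID 10 logging for the second check.

function Get-LsaProtectionStatus {
    # 1. Is LSA Protection configured? RunAsPPL under the Lsa key: 0 or missing = off, 1 = on.
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    # 2. Did LSASS actually start protected? The setting only takes effect after a reboot, so
    #    confirm with Wininit Event ID 12 in the System log
    #    ("LSASS.exe was started as a protected process with level: 4").
    $startEvent = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RunAsPPLConfigured = [bool]$runAsPpl
        RunAsPPLValue      = $runAsPpl
        LsassStartedAsPPL  = ($null -ne $startEvent)
        LastPPLStartEvent  = $startEvent.TimeCreated
    }
}

function Get-LsassAccessEvents {
    # 3. Which processes opened lsass.exe with memory-read rights? Sysmon Event ID 10 records the
    #    source image and the GrantedAccess mask; any dump needs PROCESS_VM_READ (0x10).
    #    Expect some legitimate hits (AV/EDR agents) that need allowlisting by SourceImage.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $granted = [Convert]::ToInt32($d['GrantedAccess'], 16)   # mask is logged as "0x1010" etc.
        if ($d['TargetImage'] -like '*\lsass.exe' -and ($granted -band 0x10) -ne 0) {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                SourceImage   = $d['SourceImage']
                GrantedAccess = $d['GrantedAccess']
            }
        }
    }
}

Get-LsaProtectionStatus
Get-LsassAccessEvents | Format-Table -AutoSize
```

A host that reports RunAsPPLConfigured true but LsassStartedAsPPL false has not been rebooted since the policy landed, so the protection described above is not yet active.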
