Dumping Credentials
Dumping Windows credentials is a common technique used to assess the security posture of a network. It involves extracting sensitive information such as usernames and passwords, which can be a goldmine for attackers if left unaddressed.
This section explores some of the key methods employed during penetration testing to dump Windows credentials.
Once you are an administrator on a Windows system, you can retrieve the NTLM hashes of the system accounts with Mimikatz.
Most of the following commands require running "privilege::debug" and "token::elevate" first in order to become NT AUTHORITY\SYSTEM from Administrator, unless you already are NT AUTHORITY\SYSTEM.
The use of Mimikatz is as follows:
ℹ️ Requires SYSTEM (or local administrator) permissions.
Local Windows credentials are stored in the Security Account Manager (SAM) database as password hashes in the NTLM hash format.
There are several alternatives to obtain the SAM database from a cmd.exe prompt with high privileges.
If you cannot read the SAM directly, it is usually because the SAM and SYSTEM hives are mounted (locked by the running system), but there are several workarounds to obtain them:
Create a shadow copy.
List the shadow copies to check that the copy was created successfully.
Copy the files from the shadow copy to your working folder.
The SAM and SYSTEM files can be obtained from the Windows Registry.
Once you have obtained the SAM and SYSTEM files, you can use creddump7 or Mimikatz to obtain the machine's credentials.
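From the defender's side, the shadow-copy and registry-hive routes described above leave process-creation telemetry behind. The following is an added example (not code from the original page): a small detector over Windows Security 4688-style process creation records that flags shadow copy creation, copying of hive files out of a shadow copy, and saving of the SAM/SYSTEM/SECURITY hives with reg.exe. The sample events are constructed for illustration and are not taken from a real host; the field names mirror the 4688 event (NewProcessName, CommandLine, SubjectUserName).

```python
"""Flag process-creation events that indicate offline SAM/SYSTEM hive collection.

Added example, not part of the original page. Input records are constructed
and mimic Windows Security event 4688 fields; they come from no real system.
"""
import re

# Each rule is (name, regex applied to the lower-cased command line).
RULES = [
    # A shadow copy is created so locked hive files can be read from it.
    ("shadow_copy_create",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b")),
    # Hive files read out of a shadow copy device path.
    ("shadow_copy_hive_copy",
     re.compile(r"harddiskvolumeshadowcopy\d+.*\\config\\(sam|system|security)\b")),
    # Hives exported straight from the live registry with reg.exe.
    ("registry_hive_save",
     re.compile(r"\breg(\.exe)?\b\s+(save|export)\b.*\\(sam|system|security)\b")),
]


def classify(event):
    """Return the names of all rules matched by one process-creation event."""
    cmd = event.get("CommandLine", "").lower()
    return [name for name, rx in RULES if rx.search(cmd)]


def detect(events):
    """Run every rule over a list of events; return (event, matched_rules) pairs."""
    hits = []
    for ev in events:
        matched = classify(ev)
        if matched:
            hits.append((ev, matched))
    return hits


# Constructed sample events (illustrative only, not from a real host).
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "vssadmin create shadow /for=C:"'},
    {"EventID": 4688, "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\tmp\sam"},
    {"EventID": 4688, "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SYSTEM C:\tmp\system.hiv"},
    # Benign: a backup account merely listing existing shadow copies.
    {"EventID": 4688, "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin list shadows"},
    # Benign: a registry query that touches no credential hive.
    {"EventID": 4688, "SubjectUserName": "bob",
     "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for ev, rules in detect(SAMPLE_EVENTS):
        print(f"[{', '.join(rules)}] user={ev['SubjectUserName']} cmd={ev['CommandLine']}")
```

Command-line auditing (the "Include command line in process creation events" policy) must be enabled for the CommandLine field to be populated at all; without it, only the image name is available and the shadow copy rule degrades to "vssadmin.exe ran". Listing shadow copies is deliberately not flagged, since backup software does it constantly.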
Mimikatz
LAPS addresses the security challenge of managing local administrator account passwords by automatically and regularly rotating them. This helps to minimize the risk associated with using static or shared passwords across multiple systems.
LAPS introduces two new attributes for the computer object into Active Directory. The first is ms-mcs-AdmPwdExpirationTime, which registers the expiration time of a password as directed through a group policy. The second is ms-mcs-AdmPwd, which contains the clear text password of the local administrator account.
There are several ways to detect whether LAPS is enabled on the domain or on the current machine:
Local: Check if the following files exist.
Domain:
There are several alternatives to obtain the LAPS password.
Extracting credentials from the memory of processes that handle user logon sessions.
Check whether PPL protection is enabled:
To disable PPL protection, the kernel has to be patched by loading a new driver (the file mimidrv.sys) and then disabling the protection.
There are three approaches:
Upload mimidrv.sys and mimikatz.exe to the same folder, so Mimikatz can find the file and create the service.
Unfortunately, Invoke-Mimikatz does not look for the file mimidrv.sys, so the service has to be created manually. To do so, upload mimidrv.sys to a folder that the system can access and then:
This command does the following:
Becomes "NT AUTHORITY\SYSTEM" to load the driver
Loads mimidrv.sys
Disables the PPL protection for LSASS
Dumps cached credentials
Dumps secrets from the registry
PPLKiller
This is an alternative that does not require Mimikatz to load the kernel driver.
Open PPLKiller.sln with Visual Studio 2019 and build a Release binary, which will be saved in PPLKiller\x64\Release\PPLKiller.exe
Install the driver first: PPLKiller.exe /installDriver
Disable the protection: PPLKiller.exe /disableLSAProtection
Obtain the information.
The memory of the LSASS process might contain plaintext credentials, NTLM hashes or Kerberos tickets, so it is useful to dump it for offline processing. This can be achieved in two different ways:
GUI Alternative:
Open Task Manager and go to "Details" tab
Look for "lsass.exe" process
Right-click it and choose "Create Dump File"
CLI:
As NT AUTHORITY\SYSTEM, execute the following command:
Finally, extract logon passwords:
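Both the Task Manager route and the command-line route above have to open a handle to lsass.exe with memory-read rights, which is exactly what a ProcessAccess sensor records. The following is an added example (not code from the original page): a detector over Sysmon Event ID 10-style records that flags handle opens on lsass.exe carrying PROCESS_VM_READ or full access from an image that is not in a baseline allowlist. The sample records are constructed for illustration, and the allowlist of source images is an assumption to be tuned from your own telemetry.

```python
"""Flag suspicious handle opens on lsass.exe (Sysmon Event ID 10 style).

Added example, not code from the original page. The records below are
constructed and mimic the fields of a Sysmon ProcessAccess event
(SourceImage, TargetImage, GrantedAccess); the allowlist is an assumed
baseline, not a vendor-supplied one.
"""

# Access-mask bits relevant to reading another process' memory.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF
# Minimal mask a memory-dumping tool needs: VM_READ + query limited info.
DUMP_MASK = PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION

# Source images expected to open lsass.exe on a healthy host
# (assumed baseline; extend from your own environment's telemetry).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}


def parse_mask(value):
    """GrantedAccess arrives as a hex string such as '0x1010'; return it as int."""
    return int(str(value), 16)


def assess(event):
    """Return None if the event is benign, else a dict describing the hit."""
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return None
    source = event.get("SourceImage", "").lower()
    mask = parse_mask(event.get("GrantedAccess", "0x0"))
    reads_memory = bool(mask & PROCESS_VM_READ)
    full_access = mask == PROCESS_ALL_ACCESS
    if not (reads_memory or full_access):
        return None  # e.g. 0x1000 alone (query limited info) is routine noise
    if source in ALLOWED_SOURCES:
        return None
    # Full access (what Task Manager's dump uses) or the classic 0x1010 mask
    # rank high; a bare VM_READ without the query bit ranks medium.
    severity = "high" if full_access or (mask & DUMP_MASK) == DUMP_MASK else "medium"
    return {"source": source, "mask": hex(mask), "severity": severity}


def scan(events):
    """Assess every event and return only the hits."""
    return [hit for hit in (assess(e) for e in events) if hit]


# Constructed sample records (illustrative only, not from a real host).
LSASS_SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Temp\x.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x0410"},
    # Benign: allowlisted system process with full access.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    # Benign: query-only handle, no memory read.
    {"EventID": 10, "SourceImage": r"C:\Program Files\Agent\agent.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    # Benign: a different target process entirely.
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for hit in scan(LSASS_SAMPLE_EVENTS):
        print(f"{hit['severity']:6} {hit['mask']:9} {hit['source']}")
```

The allowlist keyed only on image path is the weak point of this logic: a process running from an allowlisted path with a spoofed name would slip through, so in production pair it with a signature check or the event's CallTrace field. Enabling RunAsPPL on LSASS reduces what such a handle can do in the first place, which is why the PPL-bypass steps above exist.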
The Data Protection API (DPAPI) is a feature in Windows operating systems that provides a way to encrypt and decrypt sensitive data by using the user or machine credentials as a key. It is designed to help developers protect user data by providing a simple yet effective way to encrypt and decrypt data.
DPAPI is commonly used by applications to protect user data, such as web browsers to store user passwords, email clients to store user credentials, and other applications that store sensitive information.
The way the Windows Credential Manager works is a bit confusing at first - if you read up on the subject, you'll find both the terms "Vaults" and "Credentials". A "vault" essentially holds records of encrypted credentials and a reference to the encrypted blobs. Windows has two vaults: Web Credentials (for storing browser credentials) and Windows Credentials (for storing credentials saved by mstsc, etc). A "credential" is the actual encrypted credential blob.
The credentials are usually stored at C:\Users\<USER>\AppData\Local\Microsoft\Credentials.
There are several ways to list the vaults.
VaultCMD
Seatbelt
Some scheduled tasks might have user credentials stored at C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials.
These credentials can be decrypted with the following commands:
1. Obtaining the GUID of the master key
2. Dump the creds
3. Decrypt the credentials
When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to the pentester.
Originally, the LSA secrets contained cached domain records. Later, Windows developers expanded the application area for storage. At this moment, they can store PC users' text passwords, service account passwords (for example, those that must be run by a certain user to perform certain tasks), Internet Explorer passwords, RAS connection passwords, SQL and CISCO passwords, SYSTEM account passwords, private user data like EFS encryption keys, and a lot more. For example, the NL$KM secret contains the cached domain password encryption key.
It might be the case that you have compromised a computer that contains VPN profiles with a Pre-Shared Key and stored user credentials.
The general VPN information, such as the domain or IP address, is found in:
In order to dump the information, you need to dump the LSA secrets (lsadump::secrets) and look for the secret "L$_RasConnectionCredentials".
After decoding the values from hex, the Pre-Shared Keys will appear as follows, with three NULL bytes at the beginning and at the end of the password.
Then, if the user has stored the credentials, they will appear under the secret "RasDialParams!S-1-5-21-...".
Performs a DCSync, obtaining the Kerberos krbtgt keys, domain secrets, etc.
You must be NT AUTHORITY\SYSTEM
You must be local admin on the machine where the key is cached. Learn more about mimikatz DPAPI here.
There is a known issue where Mimikatz may incorrectly label all of the hashes as des_cbc_md4.
The user backup could retrieve important information about the domain.
You need to use the latest version of Mimikatz, or the values will only appear as cur/text: <ID>
This attack requires Domain Admin Privileges