Dumping Passwords

Dump Windows password hashes efficiently

Physical access

  • bkhive - dumps the syskey bootkey from a Windows system hive.
  • samdump2 - dumps Windows 2k/NT/XP/Vista password hashes.

SAM Registry file

Contains the LM/NTLM hashes of local users.

Dump the SAM from an unencrypted hard drive (offline, with the disk mounted on a Linux system):

  mkdir -p /mnt/sda1
  mount /dev/sda1 /mnt/sda1
  # extract the SysKey (bootkey) from the SYSTEM hive
  bkhive /mnt/sda1/Windows/System32/config/SYSTEM /tmp/saved-syskey.txt
  # decrypt the SAM with that bootkey and write the hashes in pwdump format
  samdump2 /mnt/sda1/Windows/System32/config/SAM /tmp/saved-syskey.txt > /tmp/hashes.txt

SECURITY Registry File

Contains cached domain credentials and LSA Secrets (account passwords for services, and the password used to log on to Windows if auto-logon is enabled).

NTDS.dit file

Contains the hashes of domain accounts and the Domain Backup Key.

SYSTEM registry hive/file

Contains the SysKey, which is needed to decrypt the SAM, LSA Secrets, cached credentials and NTDS.dit.

Bypass login prompt

  • BootRoot loads a backdoor on bootup to bypass the login.
  • SysRQ2 is a bootable CD image that allows a user to open a fully privileged (SYSTEM) command prompt on Windows 2000, Windows XP, and Windows Server 2003 systems by pressing Ctrl+Shift+SysRq at any time after startup.
  • Kon-Boot is a prototype piece of software which allows changing the contents of a Linux kernel or Windows kernel on the fly (while booting).

Password Reset

Alternatively you can boot the machine with the bootdisk live CD or USB stick and use the chntpw utility to reset any Windows local user’s credentials.

LSASS Memory

Secrets in the process memory are usually protected with LsaProtectMemory and can be unprotected with LsaUnprotectMemory.

The memory of the lsass.exe process includes:

  • clear-text passwords of logged-on users
  • Kerberos tickets
  • Kerberos encryption keys
  • SmartCard/Token PIN codes
  • LM/NTLM hashes
  • DPAPI Domain Backup Key
  • Domain Trust Auth Information
  • cached DPAPI MasterKeys
  • cached SysKey (needed to decrypt the SAM, LSA Secrets, cached credentials and NTDS.dit)
  • clear-text passwords of accounts stored in Credential Manager
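Because all of the above sits in one process, the defender's counterpart to this section is watching who opens a handle to lsass.exe. The following is an added example (not part of the original page) that triages constructed Sysmon Event ID 10 (ProcessAccess) records: it flags handles requesting PROCESS_VM_READ on lsass.exe, rates them by the access mask and by minidump DLLs in the CallTrace, and skips an assumed allow-list of images that legitimately read LSASS memory. The event dicts, image paths and allow-list are constructed for the example.

```python
# Added defender-side example: triage constructed Sysmon Event ID 10 (ProcessAccess)
# records for handle opens against lsass.exe. Sample events are constructed, not real.
import re

# Process access rights (winnt.h values) relevant to reading another process's memory.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumed allow-list of images that legitimately read LSASS memory on this host.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
# MiniDumpWriteDump lives in these DLLs; seeing them in the CallTrace of an LSASS
# handle open is a strong sign that a memory dump is being written.
DUMP_DLLS = re.compile(r"\\(dbghelp|dbgcore)\.dll", re.IGNORECASE)

LSASS = r"C:\Windows\System32\lsass.exe"
NTDLL = r"C:\Windows\SYSTEM32\ntdll.dll+9d2e4"
SAMPLE_EVENTS = [  # constructed Sysmon ID 10 fields
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1400", "CallTrace": NTDLL},            # info query only
    {"SourceImage": r"C:\Users\bob\Downloads\update.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010", "CallTrace": NTDLL},            # minimal read handle
    {"SourceImage": r"C:\Tools\pd.exe", "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF",
     "CallTrace": NTDLL + r"|C:\Windows\SYSTEM32\dbgcore.dll+1a2b"},  # minidump
    {"SourceImage": r"C:\Windows\System32\wininit.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010", "CallTrace": NTDLL},            # allow-listed
    {"SourceImage": r"C:\Users\bob\Downloads\update.exe", "GrantedAccess": "0x1010",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "CallTrace": NTDLL},  # not LSASS
]

def classify(event):
    """Return None (ignore), 'allowlisted', 'medium' or 'high' for one event."""
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return None
    access = int(event["GrantedAccess"], 16)
    if not access & PROCESS_VM_READ:  # no memory-read right requested
        return None
    if event["SourceImage"].lower() in ALLOWED_SOURCES:
        return "allowlisted"
    full = access == PROCESS_ALL_ACCESS
    writes = access & (PROCESS_VM_WRITE | PROCESS_VM_OPERATION)
    if full or writes or DUMP_DLLS.search(event.get("CallTrace", "")):
        return "high"
    return "medium"  # read-only handle such as 0x1010 still warrants review

def triage(events):
    """Return [(source image, severity)] for LSASS handle opens worth review."""
    return [(ev["SourceImage"], sev) for ev in events
            if (sev := classify(ev)) not in (None, "allowlisted")]
```

Run `triage(SAMPLE_EVENTS)` to see the two findings; in practice feed it parsed Sysmon events and tune the allow-list to the host's EDR and AV agents.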

Mimikatz

Enable MultiRDP:

  mimikatz # ts::multirdp

Grab hashes over DRSUAPI (DCSync):

  mimikatz # lsadump::dcsync /all /csv

From Memory

Look for the hibernation file, ntds.dit file, shadow copy files

Troubleshooting

Handle error when opening LSASS:

  1. Actually RDP into the box and run mimikatz with privilege::debug.
  2. If that still fails, LSASS is running as a Protected Process (Server 2012 R2 and newer):
    • Load mimidrv.sys (may crash the system).
    • Patch the kernel so the PsSetCreateProcessNotifyRoutineEx callback is not run and AV is not notified that a new process has been created.
  3. SassyKitdi: Kernel Mode TCP Sockets + LSASS Dump.