Credential Dumping
ID: T1003 Tactic: Credential Access
Credential dumping is the process of obtaining account login password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Several of the tools mentioned in this technique may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.

Windows

SAM (Security Accounts Manager)
The SAM is a database file that contains local accounts for the host, typically those found with the net usercommand. To enumerate the SAM database, system level access is required. A number of tools can be used to retrieve the SAM file through in-memory techniques:
  • pwdumpx.exe
  • gsecdump
  • Mimikatz
  • secretsdump.py
Alternatively, the SAM can be extracted from the Registry with Reg:
  • reg save HKLM\sam sam
  • reg save HKLM\system system
Creddump7 can then be used to process the SAM database locally to retrieve hashes.
Notes: Rid 500 account is the local, in-built Administrator.Rid 501 is the Guest account. user accounts start with a RID of 1,000+.

Cached Credentials

The DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer caches credentials when the domain controller is unavailable. Then number of default cached credentials varies, and this number can be altered per system. This hash does not allow pass-the-hash style attacks. A number of tools can be used to retrieve the SAM file through in-memory techniques.
  • pwdumpx.exe
  • gsecdump
  • Mimikatz
Alternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.
Notes: Cached credentials for Windows Vista are derived using PBKDF2

Local Security Authority (LSA) Secrets

With SYSTEM access to a host, the LSA secrets often allows trivial access from a local account to domain-based account credentials. The Registry is used to store the LSA secrets. When services are run under the context of local or domain users, their passwords are stored in the Registry. If auto-logon is enabled, this information will be stored in the Registry as well. A number of tools can be used to retrieve the SAM file through in-memory techniques.
  • pwdumpx.exe
  • gsecdump
  • Mimikatz
  • secretsdump.py
Alternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather credentials.
Notes: The passwords extracted by this mechanism are UTF-16 encoded, which means that they are returned in plaintext. Windows 10 adds protections for LSA Secrets described in Mitigation.

NTDS from Domain Controller

Active Directory stores information about members of the domain including devices and users to verify credentials and defines access rights. The Active Directory domain database is stored in the NTDS.dit file. By default the NTDS file will be located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.
The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.
  • Volume Shadow Copy
  • secretsdump.py
  • Using the in-built Windows tool, ntdsutil.exe
  • Invoke-Ninja

Group Policy Preference (GPP) Files

Group Policy Preferences (GPP) are tools that allowed administrators to create domain policies with embedded credentials. These policies, amongst other things, allow administrators to set local accounts,
There group policies are stored in SYSVOL on a domain controller, this means that any domain user can view the SYSVOL share and decrypt the password(the AES private key was leaked on-line).
The following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:
  • Metasploit's post exploitation module: "post/windows/gather/credentials/gpp"
  • Get-GPPPassword
  • gpprefdecrypt.py
Notes: On the SYSVOL share, the following can be used to enumerate potential XMK files. dir /s * .xml

Service Principal Name (SPNs)

See Kerberoasitng​

Plaintext Credentials

After a user logs on to a system, a variety of credentials are generated and stored in the Local Security Authority SubSystem Service (LSASS) process in memory. These credentials can be harvested by a administrative user or SYSTEM.
SSPI (Security Support Provider Interface) functions as a common interface to several Security Support Providers (SSPs): A Security Support Provider is a dynamic-link library (DLL) that makes one or more security packages available to applications.
The following SSPs can be used to access credentials:
  1. 1.
    Msv: Interactive logons, batch logongs, and service logons are done through the MSV authentication package.
  2. 2.
    Wdigest: The Digest Authentication protocol is designed for use with Hyper Text Protocol (HTTP) ans Simple Authentication Security Layer (SASL) exchanges.
  3. 3.
    Kerberos: Preferred for mutual cleint-server domain authentication in Windows 2000 and later.
  4. 4.
    CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.
The following tools can be used to enumerate credentials:
  • Windows Credential Editor
  • Mimikatz
As well as in-memory techniques, the LSASS process memory can be dumped form the target host and analyzed on a local system.
For example, on the target host use procdump:
  • procdump -ma lsass.exe lsass_dump
Locally, mimikatz can be run:
  • sekurlsa::Minidump lsassdump.dmp
  • sekurlsa::logonpasswords

DCSync

DCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. Rather than executing recognizable malicious code, the action works by abusing the domain controller's application programming interface (API) to simulate the replication process from a remote domain controller. Any members of the Administrators, Domain Admins, Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data. from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in Pass the Ticket or change an account's password as noted in Account manipulation. DCSync functionality has been included in the "lsadump" module in Mimikatz. Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.
Demo:

Mimikatz

Let's demonstrate Mimikatz for starters I have a command prompt running as Administrator this is needed for dumping creds (high-level permissions).
Just simply run and we will get the mimikatz interface.
We can run the privilege::debugmodule to debug any of the processes that we are running or that we usually don't have access to.
From here we can start and dumping hashes, if we are lucky enough we might get even clear-text credentials. Hashes can be dumped with sekurlsa::logonpasswords.
Mimikatz
Then here we our hashes, not lucky enough to hold any clear-text passwords, but we got a hash we can use techniques such as Pass the hash or crack the hash itself and find a clear-text password. I used Crackstation to find the password for this hash.

ProcDump

Great but what if this happens?
Mimikatz got detected what other ways can we dump hashes? Well here come in Sysinternals again with procdump binary this binary dump a process and we can then work with it offline in another machine with mimikatz.
Then we can view a dmp file saved in the working directory.
There are a few ways to extract to content of the dmp file we can move to a different machine and use mimikatz offline, or we can use volatility to extract content from the file, there is also this awesome mimikatz written in python called pypykatz will use this one to extract the Credentials. (more info will be referenced below).

MiniDumpW

Now let's say procdump get's flagged security is tight and even Windows Trusted Binaries are being flagged here comsvc.dll is a DLL that exports a function called MiniDumpW and it was designed to work specifically with rundll32 it requires 3 parameters where the third one is the cause they are well know for Pentesters and Red Teamers to be using these. There is also:
Executing a native comsvcs.dll DLL found in Windows\system32 with rundll32:
keyword full here is the following syntax.
This needs to be run as SYSTEM
1
.\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full
Copied!
Let's search for the process id of our lsass.exe running on our target machine.
Then from here we can run the syntax with the proper parameters.
Again a dmp file that we can move to our attacking machine and extract credentials offline.
Then again we can use pypykatz (or any personal preference, Mimikatz, Volatility) and grab hashes again.
Last modified 1yr ago