LSA secrets dump
This technique recovers passwords stored in the Registry (HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets) by the Local Security Authority Subsystem Service (LSASS). The Registry is loaded into RAM when the machine boots. Stored passwords include:
- Default administrator password from installation
- Internet Explorer passwords
- Remote Access connection passwords
- SYSTEM account passwords
- EFS encryption keys
You can dump hashes directly from the Registry hives HKEY_LOCAL_MACHINE\SYSTEM and HKEY_LOCAL_MACHINE\SAM and pass them to a cracker.
- Requires SYSTEM privileges or a SYSTEM token
- Extract hashes and credentials directly from the Registry
- Extract hashes through DLL injection into the lsass.exe process
User token dump
By inspecting memory and running processes, you can view which processes are owned by various users. You can then steal and use one of the user tokens to impersonate that user. Anything you do will be in the context of that user, and will be logged as having been performed by that user.
Windows Vault dump
The Windows Vault is a set of local files that store credentials for:
- Internet Explorer 10.0/11.0 and Microsoft Edge (Windows 8 or later)
- Windows Mail (Windows 8 or later)
- Microsoft Account (Hotmail, Live, MSN, Office 365, OneDrive, etc.)
- Windows Explorer Network Drive Mappings
- Online credentials for various websites
- Single sign-on (SSO) passwords
Files are located in several places, including:
- C:\Users\[User Profile]\AppData\Local\Microsoft\Vault
Kerberos ticket attacks (golden tickets and kerberoasting)
Dump the hash of the krbtgt account from the memory of a server running a service under a domain user account, and use it to create new golden tickets. Any domain user can also request a Kerberos ticket for a domain service account and crack the account's plaintext password offline. This is significant because many service accounts have admin privileges and their passwords are seldom changed.
Note: For more information on kerberoasting, see https://pentestlab.blog/2018/06/12/kerberoast/ and https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/.
SYSKEY boot key
You can extract the parts of the SYSKEY boot key from the Registry and reassemble the key so it can be used to decrypt the SAM, LSA secrets, and cached domain passwords. The boot key is stored split across several Registry keys.
Cached domain login dump
By default, Windows domain members (from XP on) cache domain credentials so that users can still log on when no domain controller is available. This cache is stored in HKEY_LOCAL_MACHINE\SECURITY\Cache\NL$X (where X is the slot number). The default policy allows these cached credentials to be used for 10 logons before a domain controller must be reached. A process running as SYSTEM can extract these values.
Offline SAM cracking
You need a copy of the Registry hives HKEY_LOCAL_MACHINE\SYSTEM and HKEY_LOCAL_MACHINE\SAM, or of the physical files they are loaded from, to send to the cracker. Ways to obtain them:
- Copy the HKLM\SAM and HKLM\SYSTEM hives with reg.exe or regedit.exe:
  - regedit --> Right-click HKLM\SYSTEM --> Export
  - regedit --> Right-click HKLM\SAM --> Export
  - reg.exe save HKLM\SYSTEM sysback.hiv
  - reg.exe save HKLM\SAM sambak.hiv
- Use cscript vssown.vbs to make a Volume Shadow Copy, then use the copy command to extract the two physical files from it:
  - cscript vssown.vbs /create
  - copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
- Boot another OS and copy the two physical files: %WINDIR%\System32\Config\SAM and %WINDIR%\System32\Config\SYSTEM.
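From the defender's side, the hive exports, shadow-copy reads and lsass.exe access described in this section and in the LSA secrets section above all leave telemetry. The following Python is an added example, not code from the original page: it runs simple detection rules over process-creation and process-access records shaped like Sysmon Event ID 1 and Event ID 10. The field names follow the Sysmon schema, but every event, path and allowlist entry below is constructed for the example.

```python
"""Detection checks for the credential-dumping activity described above.

Constructed sample events stand in for Sysmon Event ID 1 (process creation)
and Event ID 10 (process access) records; field names follow the Sysmon
schema, but every value below is made up for this example.
"""
import re

# Registry hives whose export yields offline cracking material (SAM, SYSTEM, SECURITY).
SENSITIVE_HIVES = re.compile(r"hklm\\(sam|system|security)\b", re.IGNORECASE)
# reg.exe "save" or "export" subcommands.
REG_SAVE = re.compile(r"\breg(\.exe)?\s+(save|export)\b", re.IGNORECASE)
# Shadow copy creation via vssown.vbs, and reads of hive files from a shadow copy device path.
VSSOWN_CREATE = re.compile(r"vssown\.vbs\s+/create", re.IGNORECASE)
SHADOW_HIVE_READ = re.compile(
    r"\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+\\.*\\config\\(sam|system|security)\b",
    re.IGNORECASE,
)

# Process access rights (winnt.h) that allow reading lsass memory or injecting a DLL into it.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
SUSPICIOUS_LSASS_ACCESS = (
    PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE
)

# Images that legitimately open lsass.exe with broad rights on this (hypothetical) estate.
# A real allowlist is tuned from baseline telemetry; these two entries are illustrative.
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


def check_process_create(event):
    """Return descriptions of hive-dump indicators found in one process-creation event."""
    cmd = event.get("CommandLine", "")
    findings = []
    if REG_SAVE.search(cmd) and SENSITIVE_HIVES.search(cmd):
        findings.append("registry hive export of SAM/SYSTEM/SECURITY")
    if VSSOWN_CREATE.search(cmd):
        findings.append("volume shadow copy created with vssown.vbs")
    if SHADOW_HIVE_READ.search(cmd):
        findings.append("hive file read from a volume shadow copy")
    return findings


def check_process_access(event):
    """Flag a non-allowlisted process opening lsass.exe with read or inject rights."""
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return []
    source = event.get("SourceImage", "").lower()
    if source in LSASS_ALLOWLIST:
        return []
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    if granted & SUSPICIOUS_LSASS_ACCESS:
        return [f"lsass.exe opened by {source} with access mask 0x{granted:x}"]
    return []


def scan(events):
    """Run the relevant check for each event and return (EventID, finding) tuples."""
    results = []
    for event in events:
        if event.get("EventID") == 1:
            hits = check_process_create(event)
        elif event.get("EventID") == 10:
            hits = check_process_access(event)
        else:
            hits = []
        results.extend((event["EventID"], hit) for hit in hits)
    return results


# Constructed sample telemetry: three dump indicators, one suspicious lsass open, and benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe save HKLM\SAM sambak.hiv"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript vssown.vbs /create"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\Config\SAM C:\Temp\sam"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for event_id, finding in scan(SAMPLE_EVENTS):
        print(f"Event {event_id}: {finding}")
```

The lsass rule keys on the access mask rather than on a tool name, so it catches both memory reads (PROCESS_VM_READ) and the thread-creation and write rights a DLL injection needs; the allowlist is where the noise from security products and system processes is tuned out, and it should be built from baseline telemetry rather than guessed.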
Offline Active Directory cracking
Steal a copy or backup of the Active Directory database file from a domain controller (located at %SystemRoot%\NTDS\Ntds.dit) and crack the file offline.
Group Policy Preferences cPassword
Read and crack the cPassword value from the Group Policy Preferences (GPP) XML files, which are located in the SYSVOL share of any Active Directory domain controller. Domain admins use this optional setting to standardize local account (usually administrator) passwords on all workstations and member servers across the domain. MS14-025 removed the ability to set new cPassword values, but files that already contain one remain in SYSVOL until they are cleaned up.
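Because MS14-025 does not remove existing values, a defender needs to find leftover cPassword attributes in SYSVOL. The Python below is an added example, not code from the original page: it walks a SYSVOL-style tree, opens the GPP file types that can carry the attribute, and reports where it is present and for which account, without decoding the value. The sample SYSVOL tree is built in a temporary directory from constructed files; the GPO GUID and password values are placeholders.

```python
"""Audit a SYSVOL copy for Group Policy Preferences files that still carry a cPassword.

This is a defender's scan: it reports where the attribute is present (file, element,
account name) and never decodes the value. The sample SYSVOL tree is built in a
temporary directory with constructed contents.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP XML files that can carry a cPassword attribute.
GPP_FILES = {
    "groups.xml", "services.xml", "scheduledtasks.xml",
    "datasources.xml", "printers.xml", "drives.xml",
}
# Attributes that name the account the stored password belongs to, by GPP file type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def find_cpassword(xml_path):
    """Return one finding per element in the file whose cPassword attribute is non-empty."""
    findings = []
    try:
        tree = ET.parse(xml_path)
    except ET.ParseError:
        return findings  # a corrupt preference file is a separate problem; skip it here
    for elem in tree.iter():
        for attr, value in elem.attrib.items():
            # GPP writes the attribute as "cpassword"; match case-insensitively and
            # ignore empty values, which GPP emits when no password was set.
            if attr.lower() == "cpassword" and value:
                account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "?")
                findings.append({"file": xml_path, "element": elem.tag, "account": account})
    return findings


def audit_sysvol(root):
    """Walk a SYSVOL tree and collect cPassword findings from every GPP file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in GPP_FILES:
                findings.extend(find_cpassword(os.path.join(dirpath, name)))
    return findings


# Constructed sample files (attribute layout mirrors real GPP XML, values are made up).
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)" changed="2013-05-01 10:00:00">
    <Properties action="U" cpassword="CONSTRUCTED_CPASSWORD_VALUE" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0" userName="Administrator (built-in)"/>
  </User>
</Groups>
"""
SAMPLE_SERVICES_XML = """<?xml version="1.0" encoding="utf-8"?>
<NTServices>
  <NTService name="Spooler">
    <Properties startupType="Automatic" serviceName="Spooler" cpassword="" accountName="LocalSystem"/>
  </NTService>
</NTServices>
"""


def build_sample_sysvol():
    """Create a throwaway SYSVOL-like tree containing the two sample files; return its root."""
    root = tempfile.mkdtemp(prefix="sysvol_sample_")
    gpo = os.path.join(root, "Policies", "{CONSTRUCTED-GPO-GUID}", "Machine", "Preferences")
    os.makedirs(os.path.join(gpo, "Groups"))
    os.makedirs(os.path.join(gpo, "Services"))
    with open(os.path.join(gpo, "Groups", "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_GROUPS_XML)
    with open(os.path.join(gpo, "Services", "Services.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_SERVICES_XML)
    return root


if __name__ == "__main__":
    for finding in audit_sysvol(build_sample_sysvol()):
        print(f"{finding['file']}: <{finding['element']}> for account {finding['account']!r}")
```

Run against a real SYSVOL by passing its Policies directory to audit_sysvol; the Services.xml sample shows why empty cpassword attributes are skipped, since GPP writes the attribute even when no password was configured.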
Keylogging
Install a physical or software-based keylogger on a computer to capture a user's login credentials.
Social engineering
Trick a user into revealing their password to you through shoulder surfing (including recording with a mobile device camera from across the room), Wi-Fi evil twins, phishing emails, bogus login pages, and similar methods.
Unattended installation answer file dump
Steal the answer file used in a Windows unattended installation, since the local administrator password is stored in it in cleartext. If you can edit the file, you can also make sure that the Microsoft-Windows-Shell-Setup\UserAccounts\AdministratorPassword section is present so that the administrator is not prompted to change the password on first logon, leaving the stolen password usable on that machine.
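The defensive counterpart is to find answer files that still hold a password before an attacker does. The Python below is an added example, not code from the original page: it parses an unattend.xml, locates the password elements of the Microsoft-Windows-Shell-Setup component (UserAccounts/AdministratorPassword, LocalAccount/Password and AutoLogon/Password), and reports each one that carries a value together with its PlainText flag, without decoding anything. The answer file embedded below is constructed for the example.

```python
"""Audit an unattended-installation answer file for stored account passwords.

Defender's check: reports each password element that carries a value, which
component it belongs to and whether the file declares it PlainText. It does not
decode anything. The sample answer file below is constructed for this example.
"""
import xml.etree.ElementTree as ET

# Elements in the Microsoft-Windows-Shell-Setup schema that hold a password
# (UserAccounts/AdministratorPassword, LocalAccount/Password, AutoLogon/Password).
PASSWORD_ELEMENTS = {"AdministratorPassword", "Password"}


def _local(tag):
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def _account_for(elem, parent):
    """Best-effort account label: built-in Administrator, a LocalAccount's <Name>, or the parent."""
    if _local(elem.tag) == "AdministratorPassword":
        return "Administrator"
    if parent is not None and _local(parent.tag) == "LocalAccount":
        for child in parent:
            if _local(child.tag) == "Name":
                return (child.text or "").strip()
    return _local(parent.tag) if parent is not None else "?"


def audit_unattend(xml_text):
    """Return one finding per password element with a non-empty <Value>."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    parent_map = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for component in root.iter():
        if _local(component.tag) != "component":
            continue
        comp_name = component.attrib.get("name", "?")
        for elem in component.iter():
            if _local(elem.tag) not in PASSWORD_ELEMENTS:
                continue
            value, plaintext = "", None
            for child in elem:
                if _local(child.tag) == "Value":
                    value = (child.text or "").strip()
                elif _local(child.tag) == "PlainText":
                    plaintext = (child.text or "").strip().lower() == "true"
            if value:  # an empty <Value> means nothing is stored; skip it
                findings.append({
                    "component": comp_name,
                    "element": _local(elem.tag),
                    "account": _account_for(elem, parent_map.get(elem)),
                    "plaintext": plaintext,  # True, False, or None when the flag is absent
                })
    return findings


# Constructed sample answer file: a plaintext Administrator password, an encoded local
# account password, and an AutoLogon block with no stored value.
SAMPLE_UNATTEND = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>CONSTRUCTED_ADMIN_PASSWORD</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount>
            <Password>
              <Value>CONSTRUCTED_ENCODED_VALUE</Value>
              <PlainText>false</PlainText>
            </Password>
            <Group>Administrators</Group>
            <Name>svc_deploy</Name>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
      <AutoLogon>
        <Password>
          <Value></Value>
          <PlainText>true</PlainText>
        </Password>
        <Enabled>false</Enabled>
      </AutoLogon>
    </component>
  </settings>
</unattend>
"""

if __name__ == "__main__":
    for f in audit_unattend(SAMPLE_UNATTEND):
        print(f"{f['component']}: {f['element']} for {f['account']!r}, PlainText={f['plaintext']}")
```

Both findings matter: a PlainText=false value is only encoded, not encrypted, so any answer file that still carries a value should be removed from the installed image or have its password rotated.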
Hard drive overwriting
Boot into another operating system and erase/overwrite the location on disk where the password is stored (C:\Windows\System32\Config).