Recommended
More Related Content
What's hot
What's hot (20)
Similar to Creds extraction
Similar to Creds extraction (20)
More from Ilan Mindel
More from Ilan Mindel (7)
Recently uploaded
Recently uploaded (20)
Creds extraction
- 2. 2 Creds Extraction Creds Extraction To extract credentials first we need to understand where the credentials are stored. Windows network, NT LAN Manager (NTLM) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. NTLM hashes are stored in the Security Account Manager (SAM) database and in Domain Controller's NTDS.dit database. Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.
- 3. 3 MIMIKATZ Mimikatz Mimikatz is a tool well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. Mimikatz can also perform pass-the-hash, pass-the-ticket, build Golden tickets, play with certificates or private keys, vault. There are 2 most common ways to use Mimikatz: • Load Mimikatz at victim computer (most anti-viruses detect Mimikatz as a virus). • Extract lsass.exe dump and load it on another computer.
- 4. 4 Extracting lsass dump Lsass.exe dump 1. Open task manager 2. Find lsass.exe processes 3. Right click on the processes 4. Create Dump file (must be local administrator) 5. Go to %temp% folder and look for the file lssas.DMP 6. Copy the file to another computer
- 5. 5 Mimikatz and lsass Extracting credentials 1. Open Mimikatz 2. Move the dump file to Mimikatz folder 3. Type the following commands: I. privilege::debug II. Sekurlsa::minidump lsass.dmp III. Sekurlsa ::logonpasswords