Creds Extraction
To extract credentials, we first need to understand where they are stored.
In a Windows network, NT LAN Manager (NTLM) is a suite of Microsoft security protocols that
provides authentication, integrity, and confidentiality to users.
NTLM hashes are stored in the Security Account Manager (SAM) database on each host and in the
Domain Controller's NTDS.dit database.
Local Security Authority Subsystem Service (LSASS) is the process in Microsoft Windows operating
systems that is responsible for enforcing the security policy on the system. It verifies users
logging on to a Windows computer or server, handles password changes, and creates access
tokens. Because it handles logons, its process memory holds credential material for the
currently logged-on sessions, which is what the dump in the following slides extracts.
Mimikatz
Mimikatz is a well-known tool for extracting plaintext passwords, hashes, PIN codes and Kerberos
tickets from memory.
Mimikatz can also perform pass-the-hash and pass-the-ticket, build Golden Tickets, and work with
certificates, private keys and the Windows vault.
There are two common ways to use Mimikatz:
• Run Mimikatz on the victim computer (most anti-virus products detect Mimikatz as malware).
• Extract a dump of lsass.exe and load it into Mimikatz on another computer.
Extracting lsass dump
Lsass.exe dump
1. Open Task Manager
2. Find the lsass.exe process
3. Right-click on the process
4. Select "Create dump file" (requires local administrator rights)
5. Go to the %temp% folder and look for the file lsass.DMP
6. Copy the file to another computer
Mimikatz and lsass
Extracting credentials
1. Open Mimikatz
2. Move the dump file to the Mimikatz folder
3. Type the following commands:
I. privilege::debug
II. sekurlsa::minidump lsass.dmp
III. sekurlsa::logonpasswords
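From the defender's side, the walkthrough above leaves two traces that endpoint telemetry can catch: a process opening lsass.exe with memory-read access, and a file named lsass*.dmp appearing on disk. The following added example (not part of the original slides) is a minimal detector for both, run over constructed Sysmon-style events; the allowlist of legitimate lsass readers and all sample values are assumptions to be tuned per environment.

```python
# Added example (not part of the original slides): a minimal detector for the
# lsass-dump technique walked through above, run over constructed Sysmon-style events.
# It flags (a) a process opening lsass.exe with PROCESS_VM_READ (Sysmon Event ID 10,
# ProcessAccess) from a source not on an allowlist and (b) creation of a file named
# lsass*.dmp (Sysmon Event ID 11, FileCreate). Allowlist and sample values are assumptions.
from typing import Dict, List

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory

# Processes that legitimately open lsass.exe on a typical host (assumption; tune per environment)
ALLOWED_SOURCES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

def is_lsass(path: str) -> bool:
    return path.lower().endswith("\\lsass.exe")

def detect(events: List[Dict[str, str]]) -> List[str]:
    """Return one alert string per suspicious event, in input order."""
    alerts = []
    for ev in events:
        eid = int(ev["EventID"])
        if eid == 10 and is_lsass(ev["TargetImage"]):
            granted = int(ev["GrantedAccess"], 16)
            src = ev["SourceImage"]
            if granted & PROCESS_VM_READ and src.lower() not in ALLOWED_SOURCES:
                alerts.append(f"lsass memory read by {src} (GrantedAccess={ev['GrantedAccess']})")
        elif eid == 11:
            name = ev["TargetFilename"].lower().rsplit("\\", 1)[-1]
            if name.startswith("lsass") and name.endswith(".dmp"):
                alerts.append(f"lsass dump file written: {ev['TargetFilename']} by {ev['Image']}")
    return alerts

# Constructed sample events mirroring the Task Manager walkthrough above (values are made up)
SAMPLE_EVENTS = [
    {"EventID": "10", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": "10", "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": "11", "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\lsass.DMP"},
    {"EventID": "11", "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\notes.txt"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The first sample event (svchost.exe with 0x1000, query-only access) is benign and is not flagged; the Task Manager access and the lsass.DMP file each raise one alert.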