IM
Uploaded byIlan Mindel
190 views

Creds extraction

The document discusses credential extraction techniques on Windows systems. It explains that NTLM hashes are stored in the SAM database and Domain Controller's NTDS.dit database, while the LSASS process handles password authentication. Mimikatz is introduced as a tool to extract plaintexts passwords, hashes, and tickets from memory. The document provides steps to use Mimikatz to dump the LSASS process and extract credentials from the dump file.

Embed presentation

Infrastructure Creds Extraction 1
2 Creds Extraction Creds Extraction To extract credentials first we need to understand where the credentials are stored. Windows network, NT LAN Manager (NTLM) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. NTLM hashes are stored in the Security Account Manager (SAM) database and in Domain Controller's NTDS.dit database. Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.
3 MIMIKATZ Mimikatz Mimikatz is a tool well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. Mimikatz can also perform pass-the-hash, pass-the-ticket, build Golden tickets, play with certificates or private keys, vault. There are 2 most common ways to use Mimikatz: • Load Mimikatz at victim computer (most anti-viruses detect Mimikatz as a virus). • Extract lsass.exe dump and load it on another computer.
4 Extracting lsass dump Lsass.exe dump 1. Open task manager 2. Find lsass.exe processes 3. Right click on the processes 4. Create Dump file (must be local administrator) 5. Go to %temp% folder and look for the file lssas.DMP 6. Copy the file to another computer
5 Mimikatz and lsass Extracting credentials 1. Open Mimikatz 2. Move the dump file to Mimikatz folder 3. Type the following commands: I. privilege::debug II. Sekurlsa::minidump lsass.dmp III. Sekurlsa ::logonpasswords

More Related Content

PPTX
Tunneling
byIlan Mindel
 
PPTX
Password cracking
byIlan Mindel
 
PPT
Module 4 Enumeration
byleminhvuong
 
PDF
Introduction to Exploitation
byUTD Computer Security Group
 
PPTX
Reverse shell
byIlan Mindel
 
PPTX
Responder PPT
byIlan Mindel
 
PPTX
UTD Computer Security Group - Cracking the domain
byUTD Computer Security Group
 
PPTX
Ports and services
byIlan Mindel
 
Tunneling
byIlan Mindel
 
Password cracking
byIlan Mindel
 
Module 4 Enumeration
byleminhvuong
 
Introduction to Exploitation
byUTD Computer Security Group
 
Reverse shell
byIlan Mindel
 
Responder PPT
byIlan Mindel
 
UTD Computer Security Group - Cracking the domain
byUTD Computer Security Group
 
Ports and services
byIlan Mindel
 

What's hot

PPTX
System hacking
byCAS
 
PPT
Module 8 System Hacking
byleminhvuong
 
PPT
Intro To Hacking
bynayakslideshare
 
PPT
Inside Out Hacking - Bypassing Firewall
byamiable_indian
 
PDF
Carlos García - Pentesting Active Directory [rooted2018]
byRootedCON
 
PPTX
Phases of penetration testing
byAbdul Rahman
 
PPT
Hacking Fundamentals - Jen Johnson , Miria Grunick
byamiable_indian
 
PPTX
Ssh (The Secure Shell)
byMehedi Farazi
 
DOCX
Hackers dictionary
byTabraiz Bukhari
 
PDF
Строим ханипот и выявляем DDoS-атаки
byPositive Hack Days
 
PPT
Secure shell ppt
bysravya raju
 
PPTX
Introduction to SSH & PGP
bySarang Ananda Rao
 
PPTX
Backtrack
byn|u - The Open Security Community
 
PDF
Suricata
bytex_morgan
 
PPTX
Computer networks and network security
byUTD Computer Security Group
 
PDF
暗認本読書会9
byMITSUNARI Shigeo
 
PDF
Network Exploitation
byUTD Computer Security Group
 
PPT
Introduction to SSH
byHemant Shah
 
PDF
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
byLeszek Mi?
 
PPTX
What is DDoS ?
byVikas Phonsa
 
System hacking
byCAS
 
Module 8 System Hacking
byleminhvuong
 
Intro To Hacking
bynayakslideshare
 
Inside Out Hacking - Bypassing Firewall
byamiable_indian
 
Carlos García - Pentesting Active Directory [rooted2018]
byRootedCON
 
Phases of penetration testing
byAbdul Rahman
 
Hacking Fundamentals - Jen Johnson , Miria Grunick
byamiable_indian
 
Ssh (The Secure Shell)
byMehedi Farazi
 
Hackers dictionary
byTabraiz Bukhari
 
Строим ханипот и выявляем DDoS-атаки
byPositive Hack Days
 
Secure shell ppt
bysravya raju
 
Introduction to SSH & PGP
bySarang Ananda Rao
 
Backtrack
byn|u - The Open Security Community
 
Suricata
bytex_morgan
 
Computer networks and network security
byUTD Computer Security Group
 
暗認本読書会9
byMITSUNARI Shigeo
 
Network Exploitation
byUTD Computer Security Group
 
Introduction to SSH
byHemant Shah
 
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
byLeszek Mi?
 
What is DDoS ?
byVikas Phonsa
 

Similar to Creds extraction

PPTX
Windows 10 CredentialGuard vs Mimikatz - SEC599
byErik Van Buggenhout
 
PDF
LNK Payload exploit in windows
byssuser1d7287
 
PPTX
Mimikatz
byrishabh sharma
 
PPTX
Windows post exploitation
byyarden hanan
 
PPTX
Credential provider
byCysinfo Cyber Security Community
 
PDF
Hunting for Credentials Dumping in Windows Environment
byTeymur Kheirkhabarov
 
PDF
CREST CCT Lab Prep Notes
byNathanAn
 
PPTX
Mitre Attack - Credential Dumping - updated.pptx
bywaizuq
 
PDF
_Hackercool - September 2021.pdf
byssuser5e1b13
 
PDF
Attacker's Perspective of Active Directory
bySunny Neo
 
PDF
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
byCODE BLUE
 
DOCX
CHAPTER 26 WINDOWS SECURITY 26.1 FUNDAMENTAL
byEstelaJeffery653
 
PDF
Mimikatz
byprashant3535
 
PDF
Ethical hacking mind map
bydasdwwe1
 
PDF
Practical White Hat Hacker Training - Post Exploitation
byPRISMA CSI
 
PDF
mimikatz attach stypes - mimikatx attach
byssuser82a6381
 
PPTX
Windows Malware Techniques
byLee C
 
PPT
Class Presentation
bywebhostingguy
 
PPTX
Fall of a domain | From local admin to Domain user hashes
byn|u - The Open Security Community
 
PDF
Offensive Security with Metasploit
byegypt
 
Windows 10 CredentialGuard vs Mimikatz - SEC599
byErik Van Buggenhout
 
LNK Payload exploit in windows
byssuser1d7287
 
Mimikatz
byrishabh sharma
 
Windows post exploitation
byyarden hanan
 
Credential provider
byCysinfo Cyber Security Community
 
Hunting for Credentials Dumping in Windows Environment
byTeymur Kheirkhabarov
 
CREST CCT Lab Prep Notes
byNathanAn
 
Mitre Attack - Credential Dumping - updated.pptx
bywaizuq
 
_Hackercool - September 2021.pdf
byssuser5e1b13
 
Attacker's Perspective of Active Directory
bySunny Neo
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
byCODE BLUE
 
CHAPTER 26 WINDOWS SECURITY 26.1 FUNDAMENTAL
byEstelaJeffery653
 
Mimikatz
byprashant3535
 
Ethical hacking mind map
bydasdwwe1
 
Practical White Hat Hacker Training - Post Exploitation
byPRISMA CSI
 
mimikatz attach stypes - mimikatx attach
byssuser82a6381
 
Windows Malware Techniques
byLee C
 
Class Presentation
bywebhostingguy
 
Fall of a domain | From local admin to Domain user hashes
byn|u - The Open Security Community
 
Offensive Security with Metasploit
byegypt
 

More from Ilan Mindel

PPTX
Responder
byIlan Mindel
 
PPTX
Xxe
byIlan Mindel
 
PPTX
Formula injection/DDE/Macro
byIlan Mindel
 
PPTX
Sql injection
byIlan Mindel
 
PPTX
Lfi rfi
byIlan Mindel
 
PPTX
Ssrf
byIlan Mindel
 
PPTX
Xss
byIlan Mindel
 
Responder
byIlan Mindel
 
Xxe
byIlan Mindel
 
Formula injection/DDE/Macro
byIlan Mindel
 
Sql injection
byIlan Mindel
 
Lfi rfi
byIlan Mindel
 
Ssrf
byIlan Mindel
 
Xss
byIlan Mindel
 

Recently uploaded

PPT
Lecture_3 Network Securityyyeyeyyeeyyeywy.ppt
bysawsan202
 
PPTX
mc l2 Overview of Computer and Web-Technology.pptx
byavanikharde
 
PDF
ARTIFICIAL INTELLIGENCE DEVELOPMENT SERVICE
bydavidjohansen1597
 
PDF
ARTIFICIAL INTELLIGENCE DEVELOPMENT SERVICE
bydavidjohansen1597
 
PDF
WShell Gameplay and Games of Games of Games
byzramirezmtz9
 
PDF
WShell Gameplay and Games of Games of Games
byzramirezmtz9
 
PPTX
Types of Cryptograph Symmetric Ceaser cipher and also about Assymetric
byhamzaabdulqadeer11
 
PPTX
Bibhav Singh.pptx it's very useful for us it's in very good and very nice
byabhishekjaiswal5th33
 
PPT
html-forms in web development-courseICT.
bymadz33
 
PPTX
Abhishek Jaiswal.ppt.pptx for you it is very useful for me and I am sharing w...
byabhishekjaiswal5th33
 
PPTX
Computer Networks 01[1 using all terms].pptx
bywaqasahmedbhatti633
 
PDF
tokiohotellistening.pdf for tokiohotelfans
byrafaelgombos1234
 
PPT
Memory Organization In Assembly Language
byumairmuhammad0409
 
PDF
Here are the winners of KALIDASA SAMMAN.
byglcppro
 
PPTX
COĞRAFYA ödevi 70 sayfa güzeldir hayırlı olsun
bydtilter
 
PDF
Design For Test - Getting Test Automation value from Design Expressions.
byDavid Harrison
 
PPTX
SriLank SLT LTE Network Sharing V2.pptx
bynthuang
 
PDF
Top 5 Snapchat Tracker Apps for Safe and Responsible Monitoring
byMichael Carter
 
PDF
Key Duties and Roles of an Ecommerce Developer Singapore
byHachi Web Solution
 
DOCX
BestMaker.ai: The Complete Brand Story, Founder's Vision, and AI Creative Pla...
byssuser7381d6
 
Lecture_3 Network Securityyyeyeyyeeyyeywy.ppt
bysawsan202
 
mc l2 Overview of Computer and Web-Technology.pptx
byavanikharde
 
ARTIFICIAL INTELLIGENCE DEVELOPMENT SERVICE
bydavidjohansen1597
 
ARTIFICIAL INTELLIGENCE DEVELOPMENT SERVICE
bydavidjohansen1597
 
WShell Gameplay and Games of Games of Games
byzramirezmtz9
 
WShell Gameplay and Games of Games of Games
byzramirezmtz9
 
Types of Cryptograph Symmetric Ceaser cipher and also about Assymetric
byhamzaabdulqadeer11
 
Bibhav Singh.pptx it's very useful for us it's in very good and very nice
byabhishekjaiswal5th33
 
html-forms in web development-courseICT.
bymadz33
 
Abhishek Jaiswal.ppt.pptx for you it is very useful for me and I am sharing w...
byabhishekjaiswal5th33
 
Computer Networks 01[1 using all terms].pptx
bywaqasahmedbhatti633
 
tokiohotellistening.pdf for tokiohotelfans
byrafaelgombos1234
 
Memory Organization In Assembly Language
byumairmuhammad0409
 
Here are the winners of KALIDASA SAMMAN.
byglcppro
 
COĞRAFYA ödevi 70 sayfa güzeldir hayırlı olsun
bydtilter
 
Design For Test - Getting Test Automation value from Design Expressions.
byDavid Harrison
 
SriLank SLT LTE Network Sharing V2.pptx
bynthuang
 
Top 5 Snapchat Tracker Apps for Safe and Responsible Monitoring
byMichael Carter
 
Key Duties and Roles of an Ecommerce Developer Singapore
byHachi Web Solution
 
BestMaker.ai: The Complete Brand Story, Founder's Vision, and AI Creative Pla...
byssuser7381d6
 

Creds extraction

  • 1.
  • 2.
    2 Creds Extraction Creds Extraction Toextract credentials first we need to understand where the credentials are stored. Windows network, NT LAN Manager (NTLM) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. NTLM hashes are stored in the Security Account Manager (SAM) database and in Domain Controller's NTDS.dit database. Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.
  • 3.
    3 MIMIKATZ Mimikatz Mimikatz is atool well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. Mimikatz can also perform pass-the-hash, pass-the-ticket, build Golden tickets, play with certificates or private keys, vault. There are 2 most common ways to use Mimikatz: • Load Mimikatz at victim computer (most anti-viruses detect Mimikatz as a virus). • Extract lsass.exe dump and load it on another computer.
  • 4.
    4 Extracting lsass dump Lsass.exedump 1. Open task manager 2. Find lsass.exe processes 3. Right click on the processes 4. Create Dump file (must be local administrator) 5. Go to %temp% folder and look for the file lssas.DMP 6. Copy the file to another computer
  • 5.
    5 Mimikatz and lsass Extractingcredentials 1. Open Mimikatz 2. Move the dump file to Mimikatz folder 3. Type the following commands: I. privilege::debug II. Sekurlsa::minidump lsass.dmp III. Sekurlsa ::logonpasswords