Dumping Hashes
Once we have access to an administrator account (local admin or domain admin), we might want to dump the hashes of all users from specific hosts or from the entire domain. CrackMapExec has many features to do this easily, using a number of techniques that integrate third-party tools and scripts.
SAM
The SAM database is where the password hashes of all local users are stored. We can dump the SAM database by using the --sam flag.
NTDS Active Directory Database
The NTDS Active Directory Database is located on the Domain Controller and stores all information related to the domain and its objects. Among other things, the NTDS database stores the hashes of all domain users. To dump the NTDS database hashes, you need access to a domain admin account or to a user with replication (DCSync) rights. CrackMapExec comes with the --ntds option to dump the NTDS database.
Two useful options can be specified when dumping the NTDS database with CME. The --user flag dumps the hash of a specific user only, while the --enabled flag restricts the dump to the hashes of enabled user accounts.
LSA Secrets/Cached Credentials
The --lsa flag can be used to dump the hashes from the LSA Secrets, the storage in which the Local Security Authority keeps its secrets. Cached domain credentials are stored in the LSA Secrets as well and can be identified by the $DCC2$ format.
Cached credentials are harder to crack than NTLM hashes.
LSASS
LSASS stands for Local Security Authority Subsystem Service. It is a crucial Windows service in charge of enforcing the security policy and authenticating users. LSASS keeps user credentials in memory so that users do not have to authenticate again each time they use a service. The LSASS memory can be dumped using various techniques, which CrackMapExec wraps in modules that are very handy to use. Clear-text credentials can be obtained by dumping the contents of the LSASS memory.
Lsassy
Procdump
HandleKatz
Nanodump