{"id":462,"date":"2014-11-06T20:33:16","date_gmt":"2014-11-07T01:33:16","guid":{"rendered":"http:\/\/adsecurity.org\/?p=462"},"modified":"2016-01-03T14:28:10","modified_gmt":"2016-01-03T19:28:10","slug":"how-attackers-extract-credentials-hashes-from-lsass","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=462","title":{"rendered":"How Attackers Extract Credentials (Hashes) From LSASS"},"content":{"rendered":"<h5><strong>I performed extensive research on how attackers dump credentials from LSASS and Active Directory, including pulling the Active Directory database (ntds.dit) remotely. This information is covered in two newer and greatly expanded posts:<\/strong><\/h5>\n<ul>\n<li>\n<h5><strong><a href=\"https:\/\/adsecurity.org\/?p=2398\">How Attackers Dump Active Directory Database Credentials<\/a><\/strong><\/h5>\n<\/li>\n<li>\n<h5><strong><a href=\"https:\/\/adsecurity.org\/?p=2362\">Attack Methods for Gaining Domain Admin Rights in Active Directory<\/a><\/strong><\/h5>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><strong>Attackers can pull credentials from LSASS using a variety of techniques:<\/strong><\/p>\n<ol>\n<li>Dump the LSASS process from memory to disk using <a href=\"http:\/\/technet.microsoft.com\/en-us\/sysinternals\/dd996900.aspx\">Sysinternals ProcDump<\/a>. Since ProcDump is a signed Microsoft utility, AV usually doesn&#8217;t trigger on it. ProcDump creates a minidump of the target process from which <a title=\"Mimikatz and Active Directory Kerberos Attacks\" href=\"https:\/\/adsecurity.org\/?p=556\">Mimikatz<\/a> can extract credentials.<\/li>\n<li>The legitimate <a href=\"https:\/\/labs.vmware.com\/flings\/vmss2core\">VMWare tool Vmss2core<\/a> can be used to dump memory from a suspended VM (*.vmss) or saved VM (*.vmsn) file. 
The <a href=\"https:\/\/code.google.com\/p\/volatility\/\">Volatility Framework<\/a> can extract the hashes.<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<blockquote><p>We all love grabbing credentials from Windows machines that we have compromised, whether they are in clear-text or hashes. Sometimes, however, it is not possible to get those credentials immediately if at all. In this tutorial I want to briefly show two cases where you can dump memory to disk (exfiltrate it) and extract the credentials at a later time. I will demonstrate these test cases on a 32-bit Windows 7 VM that I use for testing purposes; these techniques should however apply to a wide variety of Windows builds.<\/p>\n<p>Links:<br \/>\nProcDump \/\/ Windows Sysinternals &#8211; <a href=\"http:\/\/technet.microsoft.com\/en-us\/sysinternals\/dd996900.aspx\">here<\/a><br \/>\nMimikatz \/\/ Blog de Gentil Kiwi &#8211; <a href=\"http:\/\/blog.gentilkiwi.com\/mimikatz\">here<\/a><br \/>\nThe Volatility Foundation \/\/ Homepage &#8211; <a href=\"http:\/\/www.volatilityfoundation.org\/\">here<\/a><br \/>\nVmss2core \/\/ VMWare Labs &#8211; <a href=\"https:\/\/labs.vmware.com\/flings\/vmss2core\">here<\/a><br \/>\nVMware Snapshot and Saved State Analysis \/\/ Volatility Labs &#8211; <a href=\"http:\/\/volatility-labs.blogspot.be\/2013\/05\/movp-ii-13-vmware-snapshot-and-saved.html\">here<\/a><\/p><\/blockquote>\n<h4>Read the details at <a href=\"http:\/\/www.fuzzysecurity.com\/tutorials\/18.html\">FuzzySecurity.com<\/a><\/h4>\n<p><span style=\"text-decoration: underline;\"><strong>References:<\/strong><\/span><\/p>\n<ul>\n<li><a title=\"Mimikatz and Active Directory Kerberos Attacks\" href=\"https:\/\/adsecurity.org\/?p=556\">Mimikatz and Active Directory Kerberos Attacks<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>I performed extensive research on how attackers dump credentials from LSASS and Active Directory, including pulling the Active Directory database (ntds.dit) remotely. 
This information is covered in two newer and greatly expanded posts: How Attackers Dump Active Directory Database Credentials Attack Methods for Gaining Domain Admin Rights in Active Directory &nbsp; Attackers can pull credentials &hellip; <\/p>\n<p><a class=\"more-link btn\" href=\"https:\/\/adsecurity.org\/?p=462\">Continue reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[172,11,2],"tags":[237,243,207,44,241,240,239,238,242],"class_list":["post-462","post","type-post","status-publish","format-standard","hentry","category-hypervisor-security","category-microsoft-security","category-technical-reference","tag-dumpinglsass","tag-extracthashlsass","tag-mimikatz","tag-passthehash","tag-sysinternalsprocdump","tag-vmcoredump","tag-vmwarevmss2core","tag-volatilityframework","tag-windowshash","item-wrap"],"_links":{"self":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/462","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=462"}],"version-history":[{"count":5,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/462\/revisions"}],"predecessor-version":[{"id":2460,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/462\/revisions\/2460"}],"wp:attachment":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=462"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=462"},{"taxo
nomy":"post_tag","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=462"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}