EJPTV2 Cheat Sheet by - Yash Mehta

Hash Dumping


Last updated 1 year ago

SAM (Security Accounts Manager) is a database file stored within C:\Windows\System32\config. It is used to authenticate local and remote users and uses cryptographic measures to prevent unauthenticated users from accessing the system. On a Domain Controller, it simply stores password hashes in HKEY_LOCAL_MACHINE\SAM.

  • All the hashed user account passwords are stored in the SAM database

  • The SAM db file cannot be copied while the O.S. is running

  • The SAM db is encrypted with a SysKey

🗒️ Hashing - the process of transforming any given piece of data into another value, using a hash function to generate the new value according to an algorithm.

  • the result is called hash/hash value

Storing passwords locally is a big security risk, especially if they are stored unencrypted as clear-text strings.

  • LM and NTLM are the two types of hashes, both utilized in versions up to Windows Server 2003

  • Only NTLM is used from Windows Vista onwards

🗒️ LSA (Local Security Authority) - the central component of the Windows security subsystem, responsible for enforcing the security policy of the system, e.g. authentication, credential verification, etc.

The Windows NT Kernel keeps the SAM database file locked.

  • An attacker can utilize in-memory attack techniques and hash dumping tools to interact with the LSASS process

❗ Elevated privileges are required for LSASS process interaction.

Password Hashes

🗒️ LM - default hashing algorithm implemented in Windows prior to NT4.0

  • outdated and weak protocol, easily cracked

  • disabled by default since Windows Vista/Server 2008

🗒️ NTLM (NTHash) - a collection of authentication protocols and the currently used algorithm for storing passwords on modern Windows systems.

  • Algorithm - the password is hashed with the MD4 algorithm and the original password is disposed of

    • The hash is not split (unlike LM)

    • It is case sensitive

    • Allows symbols and Unicode characters

    • NTLMv1, NTLMv2 - challenge response protocols used for authentication in Windows environments

  • NTLM (NT) hashes have no password salt - they can be cracked through brute-force or dictionary attacks.

  • An NT hash allows legitimate access to the target system, without exploitation

  • The Administrator user's NTLM hash remains useful after a vulnerable service is patched or disabled and can no longer be exploited

Pass-the-hash (PtH) is an exploitation technique that involves harvesting NTLM hashes and reusing them to authenticate with the target legitimately.
