
Credentials


Browser Credentials

SharpChrome can read and decrypt saved browser credentials. It works from a medium-integrity context.

execute-assembly C:\Tools\SharpDPAPI\SharpChrome\bin\Release\SharpChrome.exe logins

Windows Credential Manager

Stores saved credentials such as RDP connection logins. Works from a medium-integrity context.

# Enumerate saved credentials
execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WindowsVault

# Decrypt via DC using DPAPI backup key
execute-assembly C:\Tools\SharpDPAPI\SharpDPAPI\bin\Release\SharpDPAPI.exe credentials /rpc

OS Credential Dumping

OPSEC WARNING: Avoid dumping credentials from LSASS. Security drivers register ObRegisterCallbacks to detect handles being opened to LSASS.

Logon Passwords (AVOID)

Crack NTLM with hashcat mode 1000:

Kerberos Encryption Keys (AVOID)

Note: Mimikatz incorrectly labels these keys as des_cbc_md4, so judge the type by the key length:

  • 64 hex chars = aes256-cts-hmac-sha1-96

  • 32 hex chars = aes128-cts-hmac-sha1-96 or rc4_hmac

Crack AES256 with hashcat mode 28900:

SAM Database (SAFE)

Does not touch LSASS, so it is safe to run.

LSA Secrets (SAFE)

Contains service account passwords, the machine account password and EFS keys.

Cached Domain Credentials

Stored as MSCacheV2 hashes, which are slow to crack.


AS-REP Roasting

OPSEC WARNING: Each AS-REP generates a 4768 event on the DC. Don't roast the whole domain.

Enumerate Vulnerable Users First

Roast Specific User

Crack Hash


Kerberoasting

OPSEC WARNING: Don't roast every SPN. Triage the targets first.
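Both OPSEC warnings above (the 4768 event per AS-REP and the burst of service-ticket requests that roasting every SPN produces) describe exactly the telemetry a defender keys on. The following Python is an added example of that detection logic and is not part of this page or of any tool it references. It runs over constructed event records whose field names mirror the EventData of the 4768 and 4769 Security events (TargetUserName, IpAddress, PreAuthType, TicketEncryptionType, ServiceName, Status); the hosts, users, addresses, the 60-second window and the three-service threshold are all assumptions chosen for the example.

```python
"""Flag AS-REP roasting and Kerberoasting patterns in Windows Security events.

Added example, not from the page. Input is a simplified 'timestamp key=value'
record per event; real deployments would read the EventData XML instead.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (made-up users, hosts and addresses).
SAMPLE_EVENTS = [
    # 4768 with PreAuthType=0: AS-REP handed back without pre-authentication
    "2024-01-01T10:00:01 EventID=4768 TargetUserName=svc_backup IpAddress=10.0.0.5 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0",
    "2024-01-01T10:00:02 EventID=4768 TargetUserName=svc_legacy IpAddress=10.0.0.5 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0",
    # Normal logon: PreAuthType=2 (encrypted timestamp), AES256 (0x12)
    "2024-01-01T10:00:03 EventID=4768 TargetUserName=alice IpAddress=10.0.0.9 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0",
    # 4769 burst: one requester pulling RC4 (0x17) service tickets within seconds
    "2024-01-01T10:05:00 EventID=4769 TargetUserName=bob@CORP.LOCAL IpAddress=10.0.0.7 ServiceName=MSSQLSvc TicketEncryptionType=0x17 Status=0x0",
    "2024-01-01T10:05:01 EventID=4769 TargetUserName=bob@CORP.LOCAL IpAddress=10.0.0.7 ServiceName=http_svc TicketEncryptionType=0x17 Status=0x0",
    "2024-01-01T10:05:02 EventID=4769 TargetUserName=bob@CORP.LOCAL IpAddress=10.0.0.7 ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0",
    "2024-01-01T10:05:03 EventID=4769 TargetUserName=bob@CORP.LOCAL IpAddress=10.0.0.7 ServiceName=WS01$ TicketEncryptionType=0x17 Status=0x0",
    # Ordinary AES service tickets: not a roasting signal
    "2024-01-01T10:30:00 EventID=4769 TargetUserName=carol@CORP.LOCAL IpAddress=10.0.0.8 ServiceName=MSSQLSvc TicketEncryptionType=0x12 Status=0x0",
    "2024-01-01T10:30:05 EventID=4769 TargetUserName=carol@CORP.LOCAL IpAddress=10.0.0.8 ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0",
]

RC4_HMAC = "0x17"                          # etype 23, the crackable one
KERBEROAST_WINDOW = timedelta(seconds=60)  # assumption: burst window
KERBEROAST_MIN_DISTINCT = 3                # assumption: distinct SPN accounts per window


def parse_event(line):
    """Turn one 'timestamp key=value ...' record into a dict with a datetime."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["Timestamp"] = datetime.fromisoformat(ts)
    return ev


def find_asrep_roasting(events):
    """4768 with PreAuthType=0: the KDC issued an AS-REP without pre-auth, which
    is the precondition AS-REP roasting abuses. Only successful requests count;
    a failed one (Status != 0x0) returns no encrypted part to crack."""
    hits = []
    for ev in events:
        if ev.get("EventID") == "4768" and ev.get("PreAuthType") == "0" and ev.get("Status") == "0x0":
            hits.append({"user": ev["TargetUserName"], "source": ev["IpAddress"],
                         "etype": ev.get("TicketEncryptionType")})
    return hits


def find_kerberoasting(events, window=KERBEROAST_WINDOW, min_distinct=KERBEROAST_MIN_DISTINCT):
    """4769 bursts: one requester collecting RC4 service tickets for several
    distinct SPN accounts inside a short window. Computer accounts (name ending
    in '$') and krbtgt are skipped; roasting targets user accounts with SPNs."""
    by_requester = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != "4769" or ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = ev.get("ServiceName", "")
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_requester[(ev["TargetUserName"], ev["IpAddress"])].append((ev["Timestamp"], svc))

    alerts = []
    for (user, ip), reqs in by_requester.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):          # sliding window over this requester's requests
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            services = {s for _, s in reqs[start:end + 1]}
            if len(services) >= min_distinct:
                alerts.append({"user": user, "source": ip, "services": sorted(services)})
                break                         # one alert per requester is enough
    return alerts


def run_detections(lines=SAMPLE_EVENTS):
    events = [parse_event(line) for line in lines]
    return {"asrep": find_asrep_roasting(events), "kerberoast": find_kerberoasting(events)}


if __name__ == "__main__":
    for kind, findings in run_detections().items():
        for finding in findings:
            print(kind, finding)
```

On the constructed input the AS-REP rule fires twice (svc_backup and svc_legacy, both from 10.0.0.5), and the Kerberoasting rule fires once for bob, listing the three user-account SPNs and ignoring the WS01$ computer account; carol's AES tickets produce nothing. The etype check matters because an AES-only environment turns the 4769 rule quiet, so the RC4 filter should be revisited if RC4 is still broadly enabled.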

Enumerate SPNs First

Roast Specific SPN

Crack Hash


Extracting Tickets from Memory

OPSEC SAFE: Uses LSA APIs (LsaCallAuthenticationPackage), so it does not open a handle to LSASS.

Requires a high-integrity context to dump other users' tickets.

Triage Tickets

Look for tickets whose service is krbtgt: these are TGTs.

Dump Specific Ticket

Impersonate User with Ticket


Renewing TGTs

A TGT is valid for 10 hours and can be renewed every 10 hours until its RenewTill date.
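The two triage rules in this section, picking out krbtgt tickets as TGTs and reading a ticket's lifetime from its StartTime/EndTime/RenewTill values, are simple enough to check by hand, but the renewal arithmetic has two edge cases worth seeing in code: an expired ticket cannot be renewed no matter how far off RenewTill is, and a ticket whose RenewTill equals its EndTime has no renewal headroom at all. The Python below is an added example, not code from the page or from any ticket-dumping tool; the ticket records are constructed with made-up times, the 10-hour lifetime is the default the page quotes, and the field names are assumptions.

```python
"""Triage Kerberos ticket lifetimes. Added example, not from the page."""
import math
from datetime import datetime, timedelta

TGT_LIFETIME = timedelta(hours=10)    # default ticket lifetime quoted on the page
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed tickets (made-up times). Field names are assumptions.
SAMPLE_TICKETS = [
    {"service": "krbtgt/CORP.LOCAL", "StartTime": "2024-01-01 08:00:00",
     "EndTime": "2024-01-01 18:00:00", "RenewTill": "2024-01-08 08:00:00"},
    {"service": "krbtgt/CORP.LOCAL", "StartTime": "2023-12-20 09:00:00",
     "EndTime": "2023-12-20 19:00:00", "RenewTill": "2023-12-27 09:00:00"},
    {"service": "cifs/fs01.corp.local", "StartTime": "2024-01-01 08:05:00",
     "EndTime": "2024-01-01 18:00:00", "RenewTill": "2024-01-01 18:00:00"},
]


def is_tgt(ticket):
    """A ticket for the krbtgt service is a TGT; anything else is a service ticket."""
    return ticket["service"].lower().startswith("krbtgt/")


def ticket_state(ticket, now, lifetime=TGT_LIFETIME):
    """Classify a ticket at time `now` and count how many renewals remain.

    Each renewal extends EndTime by one lifetime, capped at RenewTill, and the
    KDC only renews a ticket that has not yet expired.
    """
    end = datetime.strptime(ticket["EndTime"], FMT)
    renew_till = datetime.strptime(ticket["RenewTill"], FMT)
    if now >= end:
        # Expired: cannot be renewed, whatever RenewTill says.
        return {"state": "expired", "renewable": False, "renewals_left": 0}
    if renew_till <= end:
        # Still usable, but no headroom beyond the current EndTime.
        return {"state": "valid", "renewable": False, "renewals_left": 0}
    renewals = math.ceil((renew_till - end) / lifetime)
    return {"state": "valid", "renewable": True, "renewals_left": renewals}


def triage(tickets, now):
    """Return the TGTs with their state, longest RenewTill first."""
    tgts = [dict(t, **ticket_state(t, now)) for t in tickets if is_tgt(t)]
    return sorted(tgts, key=lambda t: t["RenewTill"], reverse=True)


if __name__ == "__main__":
    now = datetime.strptime("2024-01-01 12:00:00", FMT)
    for t in triage(SAMPLE_TICKETS, now):
        print(t["service"], t["EndTime"], t["RenewTill"], t["state"], t["renewals_left"])
```

At the constructed "now" of 2024-01-01 12:00, the first TGT is valid with 16 renewals left (158 hours of headroom in 10-hour steps, the last one capped at RenewTill), the second TGT expired weeks ago and cannot be renewed, and the cifs service ticket is valid but not renewable because its RenewTill equals its EndTime.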

Check Ticket Validity

Renew Ticket
