# Credentials

## Browser Credentials

SharpChrome can read and decrypt the saved logins of Chromium-based browsers for the current user. Works from a medium-integrity context, because the DPAPI master key protecting the browser's key belongs to the user running the beacon.

```
execute-assembly C:\Tools\SharpDPAPI\SharpChrome\bin\Release\SharpChrome.exe logins
```

## Windows Credential Manager

Stores credentials for RDP connections, etc. Works from a medium-integrity context.

```
# Enumerate saved credentials
execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WindowsVault

# Decrypt via the DC using the DPAPI domain backup key (MS-BKRP); no local admin needed
execute-assembly C:\Tools\SharpDPAPI\SharpDPAPI\bin\Release\SharpDPAPI.exe credentials /rpc
```
## OS Credential Dumping

OPSEC WARNING: Avoid dumping credentials from LSASS. Security drivers register `ObRegisterCallbacks` to detect (and strip access rights from) handles opened to LSASS, so any tool that needs a process handle gets noticed.

### Logon Passwords (AVOID)

Crack NTLM with hashcat mode 1000:

### Kerberos Encryption Keys (AVOID)

Note: Mimikatz incorrectly labels some keys as `des_cbc_md4`. Classify them by length instead:

- 64 hex chars = `aes256-cts-hmac-sha1-96`
- 32 hex chars = `aes128-cts-hmac-sha1-96` or `rc4_hmac` (the `rc4_hmac` key is the account's NT hash)

Crack AES256 with hashcat mode 28900:
### SAM Database (SAFE)

Does not touch LSASS - safe to run (needs a high-integrity context to read the SAM and SYSTEM hives).

### LSA Secrets (SAFE)

Contains service account passwords, the machine account password, EFS keys, etc.

### Cached Domain Credentials

MSCacheV2 (DCC2) hashes - slow to crack (hashcat mode 2100) and not usable for pass-the-hash.
## AS-REP Roasting

OPSEC WARNING: Each AS-REP generates a 4768 event (PreAuthType 0; roasting for RC4 typically shows TicketEncryptionType 0x17). Don't roast the whole domain.

### Enumerate Vulnerable Users First

### Roast Specific User

### Crack Hash

## Kerberoasting

OPSEC WARNING: Don't roast every SPN; each TGS-REQ generates a 4769 event. Triage targets first.

### Enumerate SPNs First

### Roast Specific SPN

### Crack Hash
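To make both OPSEC warnings concrete (the 4768 one under AS-REP Roasting and the 4769 one here), the following added example (not from these notes) is the detection logic a SOC would run over those events: it flags a source that obtained RC4 AS-REPs for several pre-auth-less accounts, and a principal that pulled RC4 service tickets for several distinct non-machine SPN accounts inside a short window. The events are constructed dicts using the Security log EventData field names (TargetUserName, ServiceName, TicketEncryptionType, PreAuthType, IpAddress, Status); the thresholds and the 5-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # etype 23; AES128/AES256 tickets show as 0x11 / 0x12


def ev(minute, event_id, user, service, etype, ip, preauth=None, status="0x0"):
    """Build one constructed event record (times are minutes past 09:00)."""
    return {"Time": datetime(2024, 1, 15, 9, minute), "EventID": event_id,
            "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "PreAuthType": preauth,
            "IpAddress": ip, "Status": status}


# Constructed sample telemetry: two normal logons, one roasting host, one
# single pre-auth-less logon, one Kerberoast burst, one normal service ticket
# and one failed request.
SAMPLE_EVENTS = [
    ev(0, 4768, "alice", "krbtgt", "0x12", "10.10.1.20", preauth="2"),   # PA-ENC-TIMESTAMP
    ev(1, 4768, "bob", "krbtgt", "0x12", "10.10.1.21", preauth="2"),
    ev(3, 4768, "legacy_app", "krbtgt", RC4_HMAC, "10.10.1.99", preauth="0"),
    ev(3, 4768, "printsvc", "krbtgt", RC4_HMAC, "10.10.1.99", preauth="0"),
    ev(3, 4768, "old_admin", "krbtgt", RC4_HMAC, "10.10.1.99", preauth="0"),
    ev(5, 4768, "legacy_app", "krbtgt", RC4_HMAC, "10.10.1.30", preauth="0"),  # lone, not a roast
    ev(10, 4769, "alice", "svc_sql", RC4_HMAC, "10.10.1.99"),
    ev(10, 4769, "alice", "svc_web", RC4_HMAC, "10.10.1.99"),
    ev(11, 4769, "alice", "svc_backup", RC4_HMAC, "10.10.1.99"),
    ev(12, 4769, "bob", "FS01$", "0x12", "10.10.1.21"),                    # machine account, AES
    ev(13, 4769, "bob", "svc_sql", RC4_HMAC, "10.10.1.21", status="0x7"),  # failed: no blob issued
]


def asrep_roast_sources(events, min_users=2):
    """Map source IP -> distinct pre-auth-less accounts it got RC4 AS-REPs for.
    A single such event can be a normal logon of an account with pre-auth
    disabled; several distinct accounts from one source is roasting."""
    hits = defaultdict(set)
    for e in events:
        if (e["EventID"] == 4768 and e["PreAuthType"] == "0"
                and e["TicketEncryptionType"] == RC4_HMAC and e["Status"] == "0x0"):
            hits[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: sorted(users) for ip, users in hits.items() if len(users) >= min_users}


def kerberoast_sources(events, min_spns=2, window=timedelta(minutes=5)):
    """Map (requesting user, ip) -> distinct service accounts for which it obtained
    RC4 service tickets within `window`. Machine accounts and krbtgt are ignored
    because their keys are not crackable roast targets."""
    requests = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["Status"] != "0x0":
            continue
        if e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        requests[(e["TargetUserName"], e["IpAddress"])].append((e["Time"], svc))
    alerts = {}
    for key, items in requests.items():
        items.sort()
        for i, (t0, _) in enumerate(items):          # sliding window from each request
            in_window = {svc for t, svc in items[i:] if t - t0 <= window}
            if len(in_window) >= min_spns:
                alerts[key] = sorted(in_window)
                break
    return alerts


if __name__ == "__main__":
    print("AS-REP roasting:", asrep_roast_sources(SAMPLE_EVENTS))
    print("Kerberoasting:  ", kerberoast_sources(SAMPLE_EVENTS))
```

The practical reading for the operator: one targeted request per account blends in with the lone pre-auth-less logon on 10.10.1.30, while a domain-wide roast from one host trips both rules immediately, and requesting AES tickets (where the SPN account supports them) avoids the RC4 filter both rules key on.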
## Extracting Tickets from Memory

OPSEC SAFE: Uses the LSA APIs (`LsaCallAuthenticationPackage`) rather than opening a handle to LSASS. Requires a high-integrity context to dump other users' tickets; from medium integrity you only see your own logon session.

### Triage Tickets

Look for tickets with the `krbtgt` service - these are TGTs.

### Dump Specific Ticket

### Impersonate User with Ticket

## Renewing TGTs

TGTs can be renewed (every 10 hours by default, the TGT lifetime) until the RenewTill date (7 days by default). Renewal requires presenting a TGT that has not yet expired, so a ticket whose EndTime has already passed cannot be renewed and a new one must be requested.

### Check Ticket Validity

### Renew Ticket
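The bookkeeping behind "check validity, then renew" as an added example (not from these notes): given a ticket's EndTime and RenewTill, decide whether it is still valid, expired (missed the renewal window) or dead (past RenewTill), and compute the EndTime a renewal would yield, which is the lifetime from the renewal moment capped at RenewTill. The 10-hour and 7-day values are the Kerberos policy defaults and are assumptions for any given domain; timestamps are built with `datetime` rather than parsed from Rubeus/klist output, whose date format is locale-dependent.

```python
from datetime import datetime, timedelta

TGT_LIFETIME = timedelta(hours=10)  # MaxTicketAge default (assumed)
MAX_RENEW = timedelta(days=7)       # MaxRenewAge default (assumed)


def ticket_state(now, end_time, renew_till):
    """'valid': usable and renewable before end_time.
    'expired': EndTime passed without renewal; the KDC refuses to renew it.
    'dead': RenewTill passed; only a fresh AS-REQ (new TGT) helps."""
    if now >= renew_till:
        return "dead"
    if now >= end_time:
        return "expired"
    return "valid"


def renewed_end_time(renew_at, renew_till, lifetime=TGT_LIFETIME):
    """EndTime of the ticket a renewal at `renew_at` returns: one lifetime from the
    renewal, but never beyond RenewTill."""
    return min(renew_at + lifetime, renew_till)


def renewal_schedule(start, renew_till, lifetime=TGT_LIFETIME):
    """EndTimes of successive renewals if each renew happens just before expiry.
    The last entry equals RenewTill; after that the ticket cannot be extended."""
    ends = []
    end = renewed_end_time(start, renew_till, lifetime)
    while True:
        ends.append(end)
        if end >= renew_till:
            return ends
        end = renewed_end_time(end, renew_till, lifetime)


if __name__ == "__main__":
    start = datetime(2024, 1, 15, 9, 0)          # constructed StartTime
    renew_till = start + MAX_RENEW
    for n, end in enumerate(renewal_schedule(start, renew_till), 1):
        print(f"renewal {n:2d}: EndTime {end:%Y-%m-%d %H:%M}")
    print(ticket_state(start + timedelta(hours=5), start + TGT_LIFETIME, renew_till))
    print(ticket_state(start + timedelta(hours=11), start + TGT_LIFETIME, renew_till))
```

With the defaults this gives 17 renewals over the week, the last one shortened because the cap at RenewTill bites; in practice renew while the state is still "valid", since an "expired" ticket is as useless for renewal as a "dead" one.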