Extracting credentials from a remote Windows system - Living off the Land
Recently we performed a red teaming engagement where we wanted to dump the credentials from a remote host. We got the credentials of a user who has administrative privileges on the victim host and wanted to get more credentials from that host. Because we felt that the blue team was closely observing the environment, this needed to be done in a stealthy manner and preferably only involving native Windows tooling. That is when we came up with the following approach in order to obtain a remote system’s SYSTEM, SECURITY and SAM files from %SystemRoot%\System32\Config making use of WMI and SMB. This approach can also be used to obtain the ntds.dit file from a Domain Controller in order to obtain the credentials of the complete organization.