mirror of
https://github.com/carlospolop/hacktricks.git
synced 2023-12-14 19:12:55 +01:00
GitBook: [#3228] No subject
This commit is contained in:
parent
eb8ae2eee0
commit
43960f826e
2 changed files with 22 additions and 1 deletions
@ -466,11 +466,16 @@ Inside the EventID 4634/4647 there are interesting sub-types:
* **3 (network)**: Connection to a shared folder
* **4 (Batch)**: Process executed
* **5 (service)**: Service started by the Service Control Manager
* **7**: Screen unblocked using password
* **6 (proxy):** Proxy Login
* **7 (Unlock)**: Screen unblocked using password
* **8 (network cleartext)**: User authenticated sendin clear text passwords. This event use to come from the IIS
* **9 (new credentials)**: It's generated when the command `RunAs` is used or the user access to a network service with different credentials.
* **10 (remote interactive)**: Authentication via Terminal Services or RDP
* **11 (cache interactive)**: Access using the last cached credentials because it wasn't possible to contact the domain controller
* **12 (cache remote interactive)**: Login remotely with cached credentials (a combination of 10 and 11).
* **13 (cached unlock)**: Unlock a locked machine with cached credentials.
In this post you can find how to mimic all these types of login and in which of them you will be able to dump credentials from memory: [https://www.alteredsecurity.com/post/fantastic-windows-logon-types-and-where-to-find-credentials-in-them](https://www.alteredsecurity.com/post/fantastic-windows-logon-types-and-where-to-find-credentials-in-them)
The Status and sub status information of the event s can indicate more details about the causes of the event. For example take a look to the following Status and Sub Status Codes of the Event ID 4625:
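Review bot: logon type 7 now appears twice in the list (`* **7**: Screen unblocked using password` and `* **7 (Unlock)**: Screen unblocked using password`); if the bare `7` entry is the line being removed that is fine, but if both survive the merge one of them should go. The type 8 line has typos (`sendin` should be `sending`, and `This event use to come from the IIS` reads better as `This event usually comes from IIS`), and the type 3 description is narrower than the field's meaning: a network logon covers any non-interactive authentication over the network, of which shared-folder access is only the most common case. The hunk header says these sub-types live inside EventID 4634/4647, while the closing context line goes on to discuss Event ID 4625; since the logon-type field is documented primarily for 4624 (successful logon) and 4625 (failed logon), consider saying so. In that context line, `event s` should be `events` and `take a look to` should be `take a look at`.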
@ -114,6 +114,22 @@ We just have to keep in mind that this technique can only be executed as **SYSTE
**You can automate this process with** [**lssasy**](https://github.com/Hackndo/lsassy)**.**
### **Dumping lsass with Task Manager**
1. Right click on the Task Bar and click on Task Manager
2. Click on More details
3. Search for "Local Security Authority Process" process in the Processes tab
4. Right click on "Local Security Authority Process" process and click on "Create dump file".
### Dumping lsass with procdump
[Procdump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) is a Microsoft signed binary which is a part of [sysinternals](https://docs.microsoft.com/en-us/sysinternals/) suite.
```
Get-Process -Name LSASS
.\procdump.exe -ma 608 lsass.dmp
```
## CrackMapExec
### Dump SAM hashes
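Review bot: `lssasy` in the bold link text is a typo for `lsassy` (the URL has it right). In the procdump block the PID `608` is hard-coded even though the preceding `Get-Process -Name LSASS` is evidently there to look it up; either say that 608 is an example PID taken from that output or drop the lookup and use `.\procdump.exe -ma lsass.exe lsass.dmp`, since procdump accepts a process name. The fence also has no language tag (`powershell` fits, given `Get-Process`). For the Task Manager steps it would help to state where Task Manager writes the .DMP file and that step 4 only succeeds with the elevated privileges already mentioned in the hunk's context line ("can only be executed as SYSTE…"). Both methods open lsass with full access, so a short remark that they show up in process-access telemetry (EDR, Sysmon) would make the section more complete.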