Credential and Hash Harvesting
To dump hashes, go to [beacon] -> Access -> Dump Hashes. You can also use the hashdump [pid] [x86|x64] command from the Beacon console to inject the hashdump tool into the specified process. Use hashdump (without [pid] and [arch] arguments) to spawn a temporary process and inject the hashdump tool into it. Either form spawns a job that injects into LSASS and dumps the password hashes for local users on the current system. This command requires administrator privileges; if you inject into an existing pid, that process must itself be running with administrator privileges.
Use logonpasswords [pid] [arch] to inject into the specified process and dump plaintext credentials and NTLM hashes. Use logonpasswords (without [pid] and [arch] arguments) to spawn a temporary process for the same purpose. This command runs mimikatz (sekurlsa::logonpasswords) against LSASS memory and requires administrator privileges.
Use dcsync [pid] [arch] [DOMAIN.fqdn] <DOMAIN\user> to inject into the specified process and extract NTLM password hashes. Use dcsync [DOMAIN.fqdn] <DOMAIN\user> to spawn a temporary process for the same purpose. This command uses mimikatz to pull NTLM password hashes for domain users from a domain controller by asking it to replicate the account data, so nothing is read from LSASS on the current host. Specify a user to get that user's hash only; omit it to pull every account. This command requires a domain administrator trust relationship: Beacon's current token must belong to an account with directory replication rights in the target domain, which domain administrators hold by default.
Use chromedump [pid] [arch] to inject into the specified process and recover credential material from Google Chrome. Use chromedump (without [pid] and [arch] arguments) to spawn a temporary process for the same purpose. This command uses mimikatz to recover the credential material and should be run in the context of the user whose Chrome profile you want to read, because Chrome protects its stored secrets with that user's DPAPI keys.
Credentials dumped with the above commands are collected by Cobalt Strike and stored in the credentials data model. Go to View -> Credentials to pull up the credentials on the current team server.