Credentials dumping
Manual query registry keys
Windows Local credentials hashes - SAM, SECURITY, SYSTEM
Note: You need to be Local Admin on the target system to be able to dump the registry keys.
Then, use samdump2 or Impacket to extract the hashes.
samdump2
Extracting local hashes. System and SAM files have been previously found on the Windows target system.
Mimikatz
Note: You need a Local Admin account on the target system.
Mimikatz is very likely to be detected by AV and other protection measures. Using a C2 can help obfuscate Mimikatz.
Dump SAM credentials to a file named hash.txt
Dump credentials in memory (logged in users)
Dumping credentials from LSA (Local Security Authority)
Impacket - secretsdump.py
Will dump all the hashes from the SAM remotely
Information
The LM:NT pair can have a null part.
Null LM part:
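For auditing an export in this format from the defender's side, the following added example (not part of the original page) parses user:rid:LM:NT::: lines and flags accounts with a stored LM hash, a blank password, or an NT hash shared with another account. The line layout, the two null-hash constants and the function names are supplied by the example, and the non-null hashes in the sample are constructed.

```python
import re
from collections import defaultdict

# Well-known constants (supplied here, not taken from the page): the values
# Windows reports for an empty LM part and for an empty password's NT hash.
NULL_LM = "aad3b435b51404eeaad3b435b51404ee"
NULL_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

def parse_line(line):
    """Split one 'user:rid:LM:NT:::' line; return None if it is malformed."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
    # An empty field or a non-hex placeholder counts as a null part.
    lm = lm if HEX32.match(lm) else NULL_LM
    nt = nt if HEX32.match(nt) else NULL_NT
    return {"user": user, "rid": rid, "lm": lm, "nt": nt}

def audit(lines):
    """Return sorted (user, finding) pairs for weaknesses visible in the export."""
    findings, by_nt = [], defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["lm"] != NULL_LM:          # LM storage is still enabled
            findings.append((rec["user"], "lm_hash_stored"))
        if rec["nt"] == NULL_NT:          # account has an empty password
            findings.append((rec["user"], "blank_password"))
        else:
            by_nt[rec["nt"]].append(rec["user"])
    for users in by_nt.values():
        if len(users) > 1:                # same password on several accounts
            findings += [(u, "nt_hash_reused") for u in users]
    return sorted(findings)

# Constructed sample lines; the non-null hash values are made up.
SAMPLE = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "legacy_svc:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::",
    "helpdesk:1002::00112233445566778899aabbccddeeff:::",
    "not a hash line",
]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A stored LM hash points at a host where LM hash storage has not been disabled, and a reused NT hash across local accounts is the condition that per-machine password rotation is meant to remove.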