Overview

So you’ve compromised your target and got SYSTEM. The next logical step is to exfiltrate all of the valuable information you can get off of that system. This involves dumping credentials, which might be a little tricky in Windows environments. However, this is paramount when tackling a computer that is part of an Active Directory domain. This post will guide you through the process.

Registry Hives

We should exfiltrate a few specific registry hives for some hash cracking on our attacker box: SAM, SECURITY, SYSTEM

reg save HKLM\SAM c:\SAM
reg save HKLM\SECURITY c:\SECURITY
reg save HKLM\SYSTEM c:\SYSTEM

secretsdump

We can use a nifty Python script called secretsdump in Impacket to dump local account password hashes and cached credentials

Cracking local hashes from SAM

Before we can actually get to cracking the hashes, we need to first extract them. There are a few ways to extract hashes from a hive. I’m going to use the creddump suite of tools which are bundled with Kali. Creddump can be downloaded here: https://github.com/moyix/creddump

python pwdump.py SYSTEM SAM > SAM.hash

Once we have the passwords, we can crack them with John the Ripper. If your hashes are in LM format, make sure to specify that using –format=LM.

sudo john --wordlist=/usr/share/wordlists/rockyou.txt SAM.hash --format=NT

Assuming the passwords aren’t well secured, we should be able to crack them. If not, we can use PassTheHash to abuse the hashes anyway.

Uncrackable hashes

We can still use the hashes even if they are uncrackable (if the passwords are secure). We can use the pass the hash technique to log in to those accounts on other computers in the same domain