So you’ve compromised your target and got SYSTEM. The next logical step is to exfiltrate all of the valuable information you can get off of that system. This involves dumping credentials, which might be a little tricky in Windows environments. However, this is paramount when tackling a computer that is part of an Active Directory domain. This post will guide you through the process.
We should exfiltrate a few specific registry hives for some hash cracking on our attacker box: SAM, SECURITY, SYSTEM
reg save HKLM\SAM c:\SAM reg save HKLM\SECURITY c:\SECURITY reg save HKLM\SYSTEM c:\SYSTEM
We can use a nifty Python script called secretsdump in Impacket to dump local account password hashes and cached credentials
Cracking local hashes from SAM
Before we can actually get to cracking the hashes, we need to first extract them. There are a few ways to extract hashes from a hive. I’m going to use the creddump suite of tools which are bundled with Kali. Creddump can be downloaded here: https://github.com/moyix/creddump
python pwdump.py SYSTEM SAM > SAM.hash
Once we have the passwords, we can crack them with John the Ripper. If your hashes are in LM format, make sure to specify that using –format=LM.
sudo john --wordlist=/usr/share/wordlists/rockyou.txt SAM.hash --format=NT
Assuming the passwords aren’t well secured, we should be able to crack them. If not, we can use PassTheHash to abuse the hashes anyway.
We can still use the hashes even if they are uncrackable (if the passwords are secure). We can use the pass the hash technique to log in to those accounts on other computers in the same domain