Summary: All windows passwords are stored in the SAM(security accounts manager) database(registry file for win 2000 and later), except for the DC config password. For the registry at HKEY_LOCAL_MACHINE\SAM the registry is not accessible when the OS is running and it also requires system privs to access. The goal is to pull these from other locations These passwords are stored in either LM(win vista and older, passwords shorter than 15 chars) or NT hashes. LM: if shorter than 14 then the password is padded with 0's and then is halved into 2 7char long halves

---SAM dumping--- Tools: Dump from memory (requires an admin account but dont need system). Dump with one of the following: -pwdump -fgdump -ophcrack -msf -l0phtCrack ---Techniques--- Remote MSF: Say we have a msf meterpreter shell and an admin or better user. We then can run: >run hashdump

Local Pwdump: Get bin file onto the computer. >PwDump.exe localhost

or with fgdump >fgdump.exe or with SAMinside (GUI app)

or with ophcrack (GUI app)

Local and system off-line: Options: Steal hash, overwrite hash, bypass login KALI CD Steal hash: bios load into kali usb or cd. Then mount the partition that windows in on. #mkdir /mnt/sda1 #mount -t ntfs /dev/sda1 #cd /mnt/sda1/WINDOWS/system32/config from here we can use tools like samdump2 or bkhive to dump the file #samdump2 SAM syskey.txt > ourhashdump.txt #cat ourhashdump.txt KALI CD change hash: not the best instructions but we can use a tool called chntpw and load the sam file to it then edit it with the tool then reinstall the file. Ophcrack CD Steal hash: bios load into ophcrack usb or cd. Then the tool will auto grab the files. We can crack from here but best to do it on our crack rig. #mkdir /mnt/sda1 #mount -t ntfs /dev/sda1 #cd /mnt/sda1/WINDOWS/system32/config from here we can use tools like samdump2 or bkhive to dump the file #samdump2 SAM syskey.txt > ourhashdump.txt #cat ourhashdump.txt Local off-line insta root: A tool called kon-boot lets you replace kernel files on the fly as linux/windows boots and will let you get straight to root without any passwords. To crack or to pass: Its normally best to crack if we can do so in a timely manner. But we can also pass the hash if we are tight on time or did not have luck the hash crack.