HackBook.io
  • Pentesting Pocket Book for hackers and developers.
SAM


Last updated 3 years ago

Summary: All Windows passwords are stored in the SAM (Security Accounts Manager) database (a registry hive file on Windows 2000 and later), except for the DC config password. The registry key HKEY_LOCAL_MACHINE\SAM is not accessible while the OS is running, and reading it requires SYSTEM privileges, so the goal is to pull the hashes from other locations. Passwords are stored as either LM hashes (Windows Vista and older, passwords shorter than 15 characters) or NT hashes. LM: if the password is shorter than 14 characters it is padded with 0's to 14 and then split into two 7-character halves, and each half is hashed on its own, which is what makes LM weak.

---SAM dumping---
Tools: dump from memory (requires an admin account, but does not need SYSTEM). Dump with one of the following:
-pwdump
-fgdump
-ophcrack
-msf
-l0phtCrack

---Techniques---
Remote, MSF: say we have a Meterpreter shell and an admin-or-better user. We can then run:
>run hashdump

Local, pwdump: get the binary onto the computer, then run:
>PwDump.exe localhost

or with fgdump:
>fgdump.exe

or with SAMInside (GUI app), or with ophcrack (GUI app).

Local and system off-line: options are steal the hash, overwrite the hash, or bypass the login.

Kali CD, steal hash: in the BIOS, boot into a Kali USB or CD, then mount the partition Windows is on (the mount command needs the mount point as well as the device):
#mkdir /mnt/sda1
#mount -t ntfs /dev/sda1 /mnt/sda1
#cd /mnt/sda1/WINDOWS/system32/config
From here we can use tools like bkhive and samdump2 to dump the hashes. bkhive pulls the boot key out of the SYSTEM hive into syskey.txt, and samdump2 uses that key to decrypt the SAM hive:
#bkhive SYSTEM syskey.txt
#samdump2 SAM syskey.txt > ourhashdump.txt
#cat ourhashdump.txt

Kali CD, change hash: not the best instructions, but we can use a tool called chntpw: load the SAM file into it, edit it with the tool, then put the file back.

Ophcrack CD, steal hash: in the BIOS, boot into an ophcrack USB or CD, and the tool will grab the files automatically. We can crack from here, but it is best to do it on our cracking rig. The files can also be pulled by hand the same way as with the Kali CD:
#mkdir /mnt/sda1
#mount -t ntfs /dev/sda1 /mnt/sda1
#cd /mnt/sda1/WINDOWS/system32/config
#bkhive SYSTEM syskey.txt
#samdump2 SAM syskey.txt > ourhashdump.txt
#cat ourhashdump.txt

Local off-line insta root: a tool called kon-boot lets you replace kernel files on the fly as Linux/Windows boots, and will get you straight to root without any password.

To crack or to pass: it is normally best to crack if we can do so in a timely manner, but we can also pass the hash if we are tight on time or had no luck cracking it.
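Once a dump in pwdump format (user:RID:LMhash:NThash:::) is in hand, the LM half structure described in the summary can be read straight off the hashes. The following audit script is an added example (not HackBook's or any tool's own code) that a defender can run over such a dump to flag accounts still stored with LM hashes, accounts with empty passwords, and accounts sharing one NT hash; it assumes the well-known empty-LM-half and empty-NT constants, and the sample dump and its hash values are constructed.

```python
import re

# Well-known constants (not from the page): DES("KGS!@#$%") under a 7-null-byte
# LM half, and the NT hash of an empty password.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM = EMPTY_LM_HALF * 2
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump-style line: user:RID:LMhash:NThash:::
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def parse_pwdump(text):
    """Return (user, rid, lm, nt) tuples; lines not in pwdump format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            records.append((user, int(rid), lm.lower(), nt.lower()))
    return records


def audit(records):
    """Flag weak storage states a defender should fix, as (user, finding) pairs."""
    findings = []
    seen_nt = {}
    for user, _rid, lm, nt in records:
        if nt == EMPTY_NT:
            findings.append((user, "empty password"))
        elif nt in seen_nt:
            findings.append((user, f"same NT hash as {seen_nt[nt]}"))
        else:
            seen_nt[nt] = user
        if lm != EMPTY_LM:
            # LM storage is enabled and the password is <=14 chars. The halves
            # are independent: a null second half means <=7 chars.
            short = lm[16:] == EMPTY_LM_HALF
            findings.append((user, "LM hash stored; password is %s chars"
                             % ("1-7" if short else "8-14")))
    return findings


# Constructed sample dump with fake hash values (not real credentials).
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:1111111111111111aad3b435b51404ee:fedcba9876543210fedcba9876543210:::
bob:1002:22222222222222223333333333333333:0123456789abcdef0123456789abcdef:::
"""
```

Any account the audit reports with an LM hash means LM storage (NoLMHash) is not disabled on that host, which is the setting to fix first.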