
Dumping Passwords

http://bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes.html

Physical access

  • bkhive - dumps the syskey bootkey from a Windows system hive.
  • samdump2 - dumps Windows 2k/NT/XP/Vista password hashes.

SAM Registry file

Contains LM/NTLM hashes of local users

Dump the SAM from an unencrypted hard drive:

mkdir -p /mnt/sda1
mount /dev/sda1 /mnt/sda1
bkhive /mnt/sda1/Windows/System32/config/SYSTEM /tmp/saved-syskey.txt
samdump2 /mnt/sda1/Windows/System32/config/SAM /tmp/saved-syskey.txt > /tmp/hashes.txt

SECURITY Registry File

Contains cached credentials and LSA Secrets (account passwords for services, and the password used to log on to Windows if auto-logon is enabled)

NTDS.dit file

Contains hashes of domain accounts and the Domain Backup Key

SYSTEM Registry hive/file

Contains the SysKey, which is needed to decrypt the SAM, LSA Secrets, cached credentials and NTDS.dit

Bypass login prompt

  • BootRoot loads a backdoor at boot time to bypass the login.
  • SysRQ2 is a bootable CD image that allows a user to open a fully privileged (SYSTEM) command prompt on Windows 2000, Windows XP, and Windows Server 2003 systems by pressing Ctrl+Shift+SysRq at any time after startup.
  • Kon-Boot is a prototype piece of software that changes the contents of a Linux kernel or Windows kernel on the fly (while booting).

Password Reset

Alternatively, you can boot the machine from a live CD or USB stick and use the chntpw utility to reset any Windows local user's credentials.

LSASS Memory

LSASS process memory is usually protected with LsaProtectMemory and can be unprotected with LsaUnprotectMemory.

The lsass.exe process includes:
- clear-text passwords of logged-on users
- Kerberos tickets
- Kerberos encryption keys
- SmartCard/Token PIN codes
- LM/NTLM hashes
- DPAPI Domain Backup Key
- Domain Trust Auth Information
- cached DPAPI MasterKeys
- cached SysKey (needed to decrypt the SAM, LSA Secrets, cached credentials and NTDS.dit)
- clear-text passwords of accounts stored in Credential Manager

Mimikatz

Enable MultiRDP:

mimikatz ts::multirdp

Dump hashes over DRSUAPI (DCSync):

mimikatz lsadump::dcsync /all /csv
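The two techniques above leave characteristic traces on the defender's side: reading LSASS memory means a handle to lsass.exe is opened with read access (Sysmon Event ID 10, ProcessAccess), and DCSync means a non-domain-controller principal requests the directory replication control-access rights (Windows Security Event ID 4662). The following detection logic is an added example, not code from the original notes or from mimikatz. The log format (`Key=Value` pairs joined by `|`), the sample lines, the allow-listed source images and the domain-controller account list are all constructed here; the replication-right GUIDs are the documented Active Directory values, and the access-mask heuristic is an assumption to tune per environment.

```python
"""Detection helpers for two credential-dumping signals: handles opened on
lsass.exe (Sysmon Event ID 10) and DCSync replication requests (Security 4662).
Every log line in this file is constructed sample data, not real telemetry."""

# Control-access-right GUIDs that DRSUAPI replication requires (documented AD values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Process access-mask bits. A memory reader needs PROCESS_VM_READ plus one of the
# query rights; treating that combination as suspicious is an assumed heuristic.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Assumed-benign readers of LSASS (constructed allow-list; analyst-maintained).
ALLOWLIST_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed set of domain-controller machine accounts that replicate legitimately.
DC_ACCOUNTS = {"DC01$", "DC02$"}


def parse_kv(line):
    """Parse the constructed flat format 'Key=Value|Key=Value' into a dict."""
    return dict(part.split("=", 1) for part in line.strip().split("|") if "=" in part)


def lsass_access_alert(event):
    """Flag a non-allow-listed process that opened lsass.exe with read+query access."""
    if event.get("EventID") != "10":
        return None
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    source = event.get("SourceImage", "").lower()
    if source in ALLOWLIST_SOURCES:
        return None
    mask = int(event.get("GrantedAccess", "0"), 16)
    wants_read = mask & PROCESS_VM_READ
    wants_query = mask & (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION)
    if wants_read and wants_query:
        return {"rule": "lsass-memory-read", "source": source, "granted_access": hex(mask)}
    return None


def dcsync_alert(event, dc_accounts):
    """Flag a 4662 event where a non-DC principal exercised replication rights."""
    if event.get("EventID") != "4662":
        return None
    props = event.get("Properties", "").lower()
    hits = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
    if not hits:
        return None
    subject = event.get("SubjectUserName", "")
    if subject.endswith("$") and subject.upper() in dc_accounts:
        return None  # domain controllers replicate with each other by design
    return {"rule": "dcsync-replication-request", "subject": subject, "rights": hits}


def scan(lines, dc_accounts=DC_ACCOUNTS):
    """Run both rules over an iterable of log lines and return the alerts in order."""
    alerts = []
    for line in lines:
        event = parse_kv(line)
        for alert in (lsass_access_alert(event), dcsync_alert(event, dc_accounts)):
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample log: one benign LSASS open, one suspicious open, one query-only
# open, one DC-to-DC replication, one replication request by a user, one unrelated event.
SAMPLE_LOG = [
    r"EventID=10|SourceImage=C:\Windows\System32\csrss.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF",
    r"EventID=10|SourceImage=C:\Users\alice\Downloads\tool.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1010",
    r"EventID=10|SourceImage=C:\Program Files\Agent\agent.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1000",
    "EventID=4662|SubjectUserName=DC01$|Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662|SubjectUserName=alice|Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4624|SubjectUserName=bob|LogonType=3",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Running the block prints two alerts: the LSASS open from the Downloads folder (granted access 0x1010, i.e. PROCESS_VM_READ with PROCESS_QUERY_LIMITED_INFORMATION) and the replication request made by a user account rather than a domain controller. Both rules are deliberately narrow; in practice the allow-list and the DC account set are the parts that need tuning to keep the false-positive rate low.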

From Memory

Look for the hibernation file, the ntds.dit file and shadow copy files.

Troubleshooting

HANDLE error:
1. Actually RDP into the box and run mimikatz with privilege::debug.
2. If LSASS is running as a Protected Process (Server 2012 R2 and newer):
   - Load mimidrv.sys (may crash the system).
   - Patch the kernel so the PsSetCreateProcessNotifyRoutineEx callback is not run and AV is not notified that a new process has been created.
3. https://zerosum0x0.blogspot.com/2020/08/sassykitdi-kernel-mode-tcp-sockets.html

On Windows 10, use Internal Monologue to get NTLM hashes from a local NTLM authentication.