Thursday, 13 February 2014

SAM,SYSTEM, & LSA Secrets Dumping using Reg Save Command

When you get access to Desktop or Server, through some vulnerability, first thing we are interested in is get password hashes and try to get as many passwords in clear text as possible, which will help us penetrate deeper into the network.

In one of the scenario, once we get command level access to server, we can actually dump SAM & SYSTEM files which can be used to further extract hashes out of it.

SAM + SYSTEM ==> Windows Password Hash ==> Crack / Rainbow table to get clear text password

Going one step ahead, we can even dump LSA Secrets using which you can extract usernames & passwords where your machine connected to previously.

Ex. Lets say you previously connected to remote machine share with X username Y password , probably you will get these credentials by extracting contents from:  HKEY_LOCAL_MACHINE\Security\Policy\Secrets

With the help of handy little tool from Nirsoft :

We can effectively dump SAM + SECURITY files with the help of "reg" command
( One of my friend pointed me to this)

Exported SAM, SYSTEM, & LSA Secrets

Extracting Contents of LSA Secrets (Nirsoft Utility)

Commands :

  1. reg save HKLM\SAM c:\SAM
  2. reg save HKLM\SYSTEM c:\SYSTEM
  3. reg save HKEY_LOCAL_MACHINE\Security\Policy\Secrets c:\lsa

Now we have SAM + SYSTEM Files which can be used to extract Windows Passwords Hashes
& We have credentials dumped through LSA Secrets :)

Hope this is helpful :)

No comments:

Post a Comment