Pentest
  • Homepage
  • Pentest Links
  • 01 Prep
    • Target Inventory
    • OSINT and Dorks
    • Recon-ng dns zone snoop
    • ❤️Gitbook
  • 02 Scan
    • *Favorites
    • Burp
    • Dirb nikto wpscan etc
    • Enum Finger and Brute SSH
    • Fuzzing
    • Nmap
    • Open Port Checks OneLiner
    • Port Knocking
    • SSL Issues
    • Tcpdump
  • 03 Getting In
    • Char Evasion Tricks
    • Email SMTP
    • Eternal Blue
    • FTP
    • heartbleed
    • Metasploit
    • MySql
    • NFS
    • Oracle
    • Postgres
    • PowerShell Empire
    • Shells
    • rpc
    • SMB Samba
    • SSH Tips
    • SQLite3
    • Veil
  • 04 WebApps
    • Apache
    • Blogs
    • Coldfusion
    • Content Management (CMS)
    • Drupal
    • Elastix FreePBX
    • HttpFileServer (HFS)
    • IIS
    • IIS6 WebDav
    • Local File Inclusion (LFI)
    • Magento
    • Nagios
    • PFSense
    • php
    • php type juggling
    • phpLite
    • Web Injections
    • Javascript
    • Shellshock
    • SQL Injections (sqli)
    • SQLMap
    • WAF
    • Webmin
    • Web Scrape
    • Wordpress
  • 05 Passwords & Ciphers
    • Cipher Decrypt
    • Cipher RSA Wiener P-Q-E
    • Cracking
    • Dict Guess List Mangle
    • Get Hashes
    • Hydra Brutes
    • Images Exif Steg
    • Malware Analysis
    • Pull Hashes PCredz
    • SSH PrivKey Passphrase
    • Unzip Crack
    • Windows PW
  • 06 Linux PrivEsc
    • 1 Look Around
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • binaries
    • Buffer Overflow
    • bash prison
    • Monitor Files
    • mongodb node
    • Pivots
    • Remote Execute
    • Shell TTY Fix
    • TAR backups
    • Transfer Files
    • vnc
  • 07 Windows PrivEsc
    • 1 Windows cmd kungfu
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • Bloodhound
    • DLL Hijack MSF
    • Kerberos
    • Memory Analysis
    • NTDS
    • Powershell
    • Responder
    • Saved Creds runas
Powered by GitBook
On this page

Was this helpful?

  1. 05 Passwords & Ciphers

Windows PW

PreviousUnzip CrackNext06 Linux PrivEsc

Last updated 2 years ago

Was this helpful?

REF:

1: C:\windows\system32\config\**SAM** (Registry: HKLM/SAM)
2: System memory

The SAM file is mounted in the registry as: HKLM/SAM
Windows locks this file, and will not release the lock unless it's shut down.
However, if you look at the SAM entry in the aforementioned registry section, you will not find the hash.
Seems more than likely that the hash, or password, will also be stored in memory. 
In fact, there are quite a few password crackers that take your password directly from memory.

Also:
In memory, '**lsass**' holds on to a plaintext copy of the password for whoever is logged in

A 'badUSB' device can grab the hash (ex: Rubber ducky, Malduino, P4wnP1)


Domain Machine:
HKEY_LOCAL_MACHINE\Security\Cache

SAM file needs both:
C:\windows\system32\config\SAM
C:\windows\system32\config\system

Registry
HKEY_LOCAL_MACHINE\Security\Cache  .. for domain credentials
HKEY_LOCAL_MACHINE\SAM             .. for local credentials

In-memory (dump with mimikatz)
However this last one isn't "stored" as in written-to-disk
PrivEscWindows-PasswordPwdump