Windows PW

REF: PrivEscWindows-PasswordPwdump

1: C:\windows\system32\config\**SAM** (Registry: HKLM/SAM)
2: System memory

The SAM file is mounted in the registry as: HKLM/SAM
Windows locks this file, and will not release the lock unless it's shut down.
However, if you look at the SAM entry in the aforementioned registry section, you will not find the hash.
Seems more than likely that the hash, or password, will also be stored in memory. 
In fact, there are quite a few password crackers that take your password directly from memory.

Also:
In memory, '**lsass**' holds on to a plaintext copy of the password for whoever is logged in

A 'badUSB' device can grab the hash (ex: Rubber ducky, Malduino, P4wnP1)


Domain Machine:
HKEY_LOCAL_MACHINE\Security\Cache

SAM file needs both:
C:\windows\system32\config\SAM
C:\windows\system32\config\system

Registry
HKEY_LOCAL_MACHINE\Security\Cache  .. for domain credentials
HKEY_LOCAL_MACHINE\SAM             .. for local credentials

In-memory (dump with mimikatz)
However this last one isn't "stored" as in written-to-disk

PreviousUnzip Crack Next06 Linux PrivEsc

Last updated 1 year ago