EoP - Looting for passwords
1. Accessing Password Hashes
1.1 Security Account Manager (SAM) and SYSTEM Files
The SAM file contains hashed passwords for user accounts, typically stored as LM or NTLM hashes.
Locations:
%SystemRoot%\System32\config\SAM%SystemRoot%\repair\SAM%SystemRoot%\System32\config\RegBack\SAM
1.2 Extracting Hashes
Using pwdump:
pwdump SYSTEM SAM > /root/sam.txtUsing samdump2:
samdump2 SYSTEM SAM -o sam.txt1.3 Cracking Hashes
John the Ripper:
john --format=NT /root/sam.txtHashcat:
2. Exploiting Vulnerabilities
2.1 HiveNightmare (CVE-2021-36934)
This vulnerability allows non-administrative users to access sensitive registry hives.
Check for Vulnerability:
Ensure BUILTIN\Users does not have read access.
Exploitation Steps:
Request shadow copies:
Extract hives using Mimikatz:
3. LAPS (Local Administrator Password Solution) Settings
Extract LAPS Settings
Command:
Key Values to Look For:
AdmPwdEnabled: LAPS enabled status.
AdminAccountName: Name of the administrator account.
PasswordComplexity: Password complexity requirements.
PasswordLength: Required password length.
PwdExpirationProtectionEnabled: Expiration protection status.
4. Searching for Passwords in Files and Shares
4.1 Local File Search
Commands:
4.2 Searching in Remote Locations
SharePoint: Use SnaffPoint.
SMB Shares: Use Snaffler for automated searches.
5. Extracting Secrets with Mimikatz
Commands:
6. Finding Credentials in Configuration Files
6.1 Unattend.xml
Locations:
C:\unattend.xmlC:\Windows\Panther\Unattend.xml
Decode Base64 Passwords:
Example Content:
7. IIS Web Config
Command:
8. Additional Sources of Passwords
8.1 Wireless Passwords
Commands:
8.2 Sticky Notes
Extract passwords from Sticky Notes SQLite database:
8.3 PowerShell History
Command:
8.4 Registry Searches
Commands:
Last updated