Dumping Windows credentials
Terminology
SAM: Database file that contains local usernames and password hashes (comparable to /etc/shadow on Linux)
NTDS.DIT: Database file that contains all Active Directory objects, stored on the Domain Controller
DC: Domain Controller
Prerequisites
NT AUTHORITY\SYSTEM (i.e. administrative) privileges are needed to dump credentials.
Non domain-joined machine
On a non domain-joined machine, local account passwords are stored (as hashes) in C:\Windows\System32\config\SAM.
Returns: username:rid:lm:nt::::
Domain-joined machine
On a domain-joined machine that is not a Domain Controller, we can extract local password hashes from the SAM as well as cached domain credentials (MSCash2).
Returns: username:hash::
Domain Controller
Having access to a Domain Controller (DC) gives us access to NTDS.DIT. The file cannot be copied directly because it is always in use, but a copy can be obtained with ntdsutil or vssadmin (a volume shadow copy).
Returns: domain\username:rid:lm:nt::::
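The three output formats listed above (SAM, MSCash2 and NTDS.DIT lines) can be checked mechanically. The following Python is an example added here, not part of the original page: it parses those line formats and reports the password-hygiene findings a defender looks for when reviewing an authorized audit dump, namely LM hashes still being stored, empty passwords, and one NT hash shared by several accounts. The sample lines and every hash value in them are constructed, apart from the well-known empty-password constants.

```python
import re
from collections import defaultdict

# Well-known hashes of the empty password (public constants, not secrets).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = r"[0-9a-fA-F]{32}"
# SAM / NTDS.DIT line, optionally domain-qualified: [domain\]user:rid:lm:nt:::
PWDUMP_RE = re.compile(rf"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+)"
                       rf":(?P<lm>{HEX32}):(?P<nt>{HEX32}):::$")
# Cached domain credential (MSCash2) line: user:hash::
MSCASH_RE = re.compile(r"^(?P<user>[^:]+):(?P<hash>[^:]+)::$")

def parse_line(line):
    """Classify one dump line as 'sam', 'ntds' or 'mscash2'; None if it fits neither format."""
    m = PWDUMP_RE.match(line.strip())
    if m:
        rec = {k: (v.lower() if k in ("lm", "nt") else v) for k, v in m.groupdict().items()}
        rec["kind"] = "ntds" if rec["domain"] else "sam"
        return rec
    m = MSCASH_RE.match(line.strip())
    return {"kind": "mscash2", "domain": None, **m.groupdict()} if m else None

def audit(lines):
    """Return (account, finding) pairs: LM hash stored, empty password, NT hash shared by accounts."""
    findings, by_nt = [], defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["kind"] == "mscash2":
            continue  # MSCash2 is salted with the username, so equal hashes never reveal reuse
        name = f"{rec['domain']}\\{rec['user']}" if rec["domain"] else rec["user"]
        if rec["lm"] != EMPTY_LM:
            findings.append((name, "LM hash present: LM hash storage is not disabled"))
        if rec["nt"] == EMPTY_NT:
            findings.append((name, "empty password"))
        by_nt[rec["nt"]].append(name)
    for nt, names in by_nt.items():
        if len(names) > 1 and nt != EMPTY_NT:
            findings.append((", ".join(names), "same NT hash: password reused across accounts"))
    return findings

# Constructed sample dump: every hash below is made up, except the empty-password constants.
SAMPLE = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "svc_backup:1001:11223344556677889900aabbccddeeff:fedcba9876543210fedcba9876543210:::",
    "CORP\\jdoe:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
    "jdoe:$DCC2$10240#jdoe#abcdef0123456789abcdef0123456789::",
]
```

Running audit(SAMPLE) flags Guest (empty password), svc_backup (LM hash stored) and the Administrator / CORP\jdoe pair (same NT hash).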