Windows Local Password Attacks
Credential Storage Mechanisms
Security Account Manager (SAM) Database
Purpose: Stores local account password hashes on standalone Windows systems
Location: Registry hives:
hklm\sam,hklm\system,hklm\securityScope: Local user accounts on individual Windows machines
Functionality:
Stores password hashes for local user accounts
Allows offline extraction and cracking of password hashes
Primary credential store for non-domain-joined computers
Local Security Authority Subsystem Service (LSASS)
Purpose: Central credential management process in Windows
Location:
lsass.exein Windows system processesFunctionality:
Caches credentials locally in memory
Creates and manages access tokens
Handles authentication processes
Stores credentials for:
Currently logged-in users
Cached domain credentials
Service account credentials
Security Implications:
Primary target for credential dumping attacks
Stores credentials in memory in various formats
Can retain credentials even after user logout
NT Directory Services (NTDS.dit)
Purpose: Primary database for Active Directory domain controllers
Location:
%SystemRoot%\NTDS\NTDS.ditScope: Enterprise-wide credential storage in Windows domain environments
Functionality:
Stores user account information for entire Windows domain
Contains:
User account credentials
Group Policy information
Domain controller configuration
Replication metadata
Centralized authentication mechanism for domain-joined computers
Enables domain-wide login and access control
Key Characteristics:
Encrypted at rest
Requires specific extraction techniques
Contains more comprehensive user information compared to SAM database
SAM Database Attack Methodology
Registry Hive Extraction
Requires Administrative Privileges
Extracts critical registry hives containing password hashes
Command to Save Hives:
Transferring Hives to Attack Host
Set Up SMB Server:
Move Hive Files:
Hash Extraction with Impacket
Uses Impacket's
secretsdump.pyto extract password hashes
LSASS Memory Dumping Methods
Method 1: Memory Dump Creation with Task Manager (GUI)
Task Manager Method (GUI)
Steps:
Open Task Manager.
Go to the Processes tab.
Find and right-click
lsass.exe.Select Create dump file.
File Location:
C:\Users\<loggedonuser>\AppData\Local\Temp\lsass.DMPTransfer: Use file transfer methods (e.g., discussed in Attacking SAM).
Method 2: Memory Dump Creation with Rundll32.exe & Comsvcs.dll (CLI)
Retrieve
lsass.exePID with :Command Prompt:
PowerShell:
Use
rundll32.exewithcomsvcs.dllto create memory dump
Note:
Flagged by most modern AV tools.
AV bypass techniques may be required.
Credential Extraction
Uses Pypykatz to parse and extract credentials from memory dump
Active Directory (NTDS.dit) Attacks
Dictionary Attack
Attempts authentication using a list of potential passwords
NTDS.dit Capture Methods
Volume Shadow Copy:
CrackMapExec Method:
Cracking Hashes with Hashcat
Prepare Hash File (hashestocrack.txt):
Crack Hashes:
Credential Hunting Commands
Lazagne Credential Extraction
Comprehensive tool for extracting credentials from various applications
Findstr Credential Search
Searches files for potential credential-related strings
Key Terms for Credential Discovery
Generic:
password,passphrase,keys,username,creds,users,pwd,login,credentialsApplication-specific:
configuration,dbcredential,dbpassword,passkeys,passphrases
Remote Authentication Attacks
CrackMapExec Remote Attacks
Dump LSA Secrets:
Dump SAM Remotely:
Dump NTDS Remotely:
Post-Compromise Enumeration
Local Group Membership
User Privileges
Remote Shell Access
Key Considerations
Requires administrative or elevated privileges
Most techniques are detectable by modern antivirus
Potential to trigger security alerts
Ethical use limited to authorized penetration testing
Defensive Recommendations
Implement strong password policies
Use multi-factor authentication
Regularly update and patch systems
Monitor and log authentication events