Extracting Windows Credentials with Pypykatz - blackgem

W E L C O M E

https://i.imgur.com/fEamA3G.png

    • Wednesday, June 14, 2023

    Home Unlabelled Extracting Windows Credentials with Pypykatz

    Extracting Windows Credentials with Pypykatz


    In this post we'll dive into the methods to dump SAM Database, decrypt it and attempt to obtain Windows Credentials. Whether you are a casual Windows user or an IT professional, gaining a better understanding of the SAM database can provide valuable insights into Windows inner workings.


    What Is SAM Database?

    SAM database (Security Accounts Manager database) is a crucial part of the Windows operating system. It is a registry file that stores user account information, including usernames, passwords, and user groups. The primary purpose of the SAM database is to authenticate local users when they sign in to their Windows devices.

    The SAM database is located in the %SystemRoot%\system32\config folder and is usually named SAM. Due to its importance, the file is encrypted and cannot be accessed or modified directly when the operating system is running. However, administrators can interact with the SAM database using built-in tools, such as the Local Users and Groups Manager or the net command in the command prompt.

    It's important to note that the SAM database is relevant for local accounts, not for domain accounts in the Active Directory environment.

    Obtaining Key Files

    In this post we will dump some core files that we need, to attempt to decrypt the SAM Database. 

    First we need to determine Local Computer Name from the associated environment variable:

    $env:computername

    result: DESKTOP-PQIB8HT

    now we use the result  with the WMI Win32_UserAccount class

    [wmi] "Win32_UserAccount.Domain='DESKTOP-PQIB8HT',Name='Administrator'"


    This will tell us what type of rid we have in our computer.

    Workarounds to dump the SAM database:

    With an cmd run as  administrator go to 

    cd C:\Windows\System32\config\SAM

    There are multiple methods to obtain the SAM database, here I will show you 3 of them.

    1. Use the Volume Shadow Copy Server to create a snapshot or "shadow volume" of the local hard drive with vssadmin
            This option is only available in servers edition

    1. Execute previous option using WMIC launched from an administrator command prompt

    wmic shadowcopy call create Volume='C:\'

    This will create a snapshot of the C: Drive


    To verify the completion of the previous step we can run vssadmin and list the existing shadow volumes

    vssadmin list shadows


    Now that we can see the Shadow Copy Volume, we can copy the SAM database from it by using the source path.

    Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

    copy Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam C:\Users\


    We have copied it locally. Please note that this copy it's partially encrypted with RC4 or AES. The encryption keys are stored in the SYSTEM file which is in the same folder as the SAM database and it's locked by the SYSTEM account.

    So we use our shadow copy to copy this file too.


    1. We can get a copy of the SAM database and SYSTEM files from the registry in
    • HKLM\sam
    • HKLM\system

    This one is by far my favorite and the method I recommend.

    reg save HKLM\sam C:\Users\sam


    reg save HKLM\system C:\Users\system


    Decryption

    Let's move to the fun part. We will proceed to decrypt the SAM database. Before, it used to be two ways to do it: either with Mimikatz or with Creddump7. 

    None of those have worked for me so we will use a third option.

    For this we need to move the files we dumped from Windows victim machine to our Kali machine. I moved them using google drive but you can use also the method to copy through network path.


    Prepare the environment and upgrade your pip version

    python3.10 -m pip install --upgrade pip



    And install the python crypto lybrary.


    pip install crypto




    The third option I mentioned is to decrypt the SAM Database using Pypykatz


    Since Pypykatz will also need the SOFTWARE and SECURITY hives from the registry we go back to our Victim machine and dump those files too. (Now that you know you will get all the files at once 😊)

    reg save HKLM\software C:\Users\software


    reg save HKLM\security C:\Users\security



    And finally we are ready to run Pypykatz to decrypt our SAM Database.

    pypykatz registry --sam /home/info/Downloads/sam --security /home/info/Downloads/security --software /home/info/Downloads/software -o hashes.txt /home/info/Downloads/system



    As you can see, we have successfully decrypted the SAM database and obtained the NTLM password hash for the local administrator account ... and other good stuff as well.

    From here you have multiple options to get the hash value, I like using john the ripper for example.

    Copy the Administrator hash into a txt. file 


    And run john against that file.


    Here you have it, our password is : Administrator.

    I hope you enjoyed this post and you find it useful for your hacking. See you in the next post! ♥

    Share This
    Author Image

    About blackgem

    by blackgem at

    No comments:

    Post a Comment

    Subscribe to: Post Comments (Atom)

    About blackgem

    blackgem offensive / defensive security specialist looking to give back to the community by posting some of the experiences, how to's, tutorials, etc. Passionate about legacy, current and emerging technologies.