Extracting Windows Credentials with Pypykatz - blackgem


Wednesday, June 14, 2023

Extracting Windows Credentials with Pypykatz


In this post we'll walk through dumping the SAM database together with the registry hives needed to decrypt it, recovering the local account password hashes with pypykatz, and cracking one of them. Whether you are a casual Windows user or an IT professional, understanding how the SAM database is protected, and how thin that protection is once someone has administrator rights on the box, gives a useful view into Windows internals.


What Is SAM Database?

The SAM database (Security Accounts Manager database) is a crucial part of the Windows operating system. It is a registry hive that stores local account information: user names, group membership and, instead of the passwords themselves, their NT hashes (MD4 of the UTF-16LE password; older systems also kept the much weaker LM hash). The primary purpose of the SAM database is to authenticate local users when they sign in to their Windows devices.

The SAM hive lives in the %SystemRoot%\System32\config folder in a file named SAM. While Windows is running the kernel keeps this file open exclusively, so it cannot be copied, read or modified directly; on top of that, the hashes inside it are encrypted with a key derived from the boot key, which is itself stored in the SYSTEM hive in the same folder. Administrators work with the accounts through built-in tools instead, such as the Local Users and Groups snap-in (lusrmgr.msc) or the net user command.

It's important to note that the SAM database only covers local accounts. Domain accounts live in Active Directory on the domain controllers; what a domain-joined workstation keeps locally is a cache of recent domain logons, and that sits in the SECURITY hive, not in SAM.

Obtaining Key Files

In this section we dump the files we need in order to decrypt the SAM database.

First we need the local computer name, which PowerShell exposes as an environment variable:

$env:computername

result: DESKTOP-PQIB8HT

Now we use the result as the Domain of the WMI Win32_UserAccount class (for a local account the "domain" is simply the computer name):

[wmi] "Win32_UserAccount.Domain='DESKTOP-PQIB8HT',Name='Administrator'"


Among the properties this returns is the account's SID. Its last component is the RID: 500 is always the built-in Administrator (even if the account has been renamed) and 501 is Guest, while accounts created later get RIDs from 1000 upwards. The same RID appears in the pypykatz output further down, so this is how you match a dumped hash to an account.

Dumping the SAM database:

From a command prompt run as administrator, go to the hive directory:

cd C:\Windows\System32\config

A plain copy of the SAM file from here fails with a sharing violation ("The process cannot access the file because it is being used by another process") because the kernel holds it open, which is why we need one of the workarounds below.

There are multiple methods to obtain the SAM database; here I will show you 3 of them.

  1. Use the Volume Shadow Copy Service to create a snapshot or "shadow volume" of the local hard drive with vssadmin create shadow.
        This option is only available on Windows Server editions; the client edition of vssadmin lacks the create shadow command.

  2. Do the same thing through WMIC, launched from an administrator command prompt (wmic is deprecated and may be absent on recent Windows builds, but where it exists this works on client editions too):

wmic shadowcopy call create Volume='C:\'

This creates a snapshot of the C: drive; the call reports ReturnValue = 0 on success.


To verify the previous step we run vssadmin and list the existing shadow copies:

vssadmin list shadows


Take the Shadow Copy Volume name from that output (the trailing number increases with every snapshot created) and copy the SAM hive out of the snapshot, using it as the source path. The snapshot is a read-only image of the disk, so the sharing violation does not apply.

Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Users\sam


We now have a local copy. Note that the hashes in it are still encrypted: with RC4 on older Windows releases and with AES on current ones, using a key derived from the boot key, which is stored in the SYSTEM hive. SYSTEM sits in the same folder as SAM and is locked in exactly the same way while Windows runs.

So we use our shadow copy to copy the SYSTEM file too, with the same source path and SYSTEM in place of SAM.


  3. Save the SAM and SYSTEM hives straight out of the live registry with reg save, which reads them through the registry API rather than from the locked files:
  • HKLM\sam
  • HKLM\system

This one is by far my favorite and the method I recommend: it needs nothing but an elevated prompt, no snapshot, and the saved hive is written out in a consistent state (no pending transaction-log data), which a file grabbed from a snapshot is not guaranteed to have.

reg save HKLM\sam C:\Users\sam


reg save HKLM\system C:\Users\system


Decryption

Let's move to the fun part: decrypting the SAM database. There used to be two ways to do it, either with Mimikatz or with creddump7.

Neither of those has worked for me, so we will use a third option.

For this we need to move the files we dumped from the Windows victim machine to our Kali machine. I moved them using Google Drive, but you can also copy them over a network path.


Prepare the environment and upgrade your pip version:

python3.10 -m pip install --upgrade pip


Then install the tool itself. The third option I mentioned is to decrypt the SAM database with pypykatz, which is on PyPI and pulls in its own cryptography dependencies when installed:

pip install pypykatz

(Do not pip install crypto for this: that is an unrelated PyPI package, and pypykatz does not use it.)


pypykatz takes the SYSTEM hive as its required argument (that is where the boot key comes from) and optionally the SAM, SECURITY and SOFTWARE hives: SAM gives the local account hashes, SECURITY gives the LSA secrets (service account passwords, the machine account password) and the cached domain logons, and SOFTWARE gives the DefaultPassword if autologon is configured. So we go back to our victim machine and dump those two hives too. (Now that you know, you can grab all four files at once 😊)

reg save HKLM\software C:\Users\software


reg save HKLM\security C:\Users\security



And finally we are ready to run pypykatz against the hives. SYSTEM is the positional argument, the other hives are passed by option, and -o writes the results to a file:

pypykatz registry --sam /home/info/Downloads/sam --security /home/info/Downloads/security --software /home/info/Downloads/software -o hashes.txt /home/info/Downloads/system



As you can see, we have successfully decrypted the SAM database and obtained the NT hash for the local Administrator account (the line is in pwdump format, user:RID:LM hash:NT hash:::, and the LM field aad3b435b51404eeaad3b435b51404ee simply means no LM hash is stored) ... and other good stuff as well, such as the LSA secrets from the SECURITY hive.

From here you have multiple options to crack the hash. I like using John the Ripper, for example.

Copy the Administrator line into a .txt file.


Then run john against that file, with --format=NT so it knows which hash type it is dealing with. The NT hash is unsalted MD4 of the UTF-16LE password, so a dictionary attack gets through a weak password almost instantly.


Here you have it, our password is: Administrator.

I hope you enjoyed this post and you find it useful for your hacking. See you in the next post! ♥
