Sam and System Registry Keys

In the Windows operating system, passwords are stored in SAM, a local database in the operating system.
The file is in the following path:
C:\Windows\System32\config\SAM
When the operating system is active, it maps the file into the Registry in the path:
HKLM\SAM

Export SAM / SYSTEM files

The machines we will use:
Windows Server 2012 and Windows 10

Open the PowerShell in Windows 10 and type the following commands:
powershell -exec bypass
reg save HKLM\SYSTEM system.hiv
reg save HKLM\SAM SAM.hiv

We can find those files in the path:
C:\Windows\System32
Now, let’s move those files to our Desktop.

Mimikatz

Mimikatz is the world’s leading software for manipulating users and passwords.
We will download the “Mimikatz trunk” from github at the link:
https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210810-2/mimikatz_trunk.zip

[!] CLARIFICATION [!]

It is not recommended to use Mimikatz in infrastructure testing because it is well-known software: antivirus products such as Windows Defender recognize its signature and delete it.
Another reason it is not recommended is that we can be caught in the middle of the test. If, by chance, the antivirus team does not notice that an attacker is running Mimikatz on their workstations, that is a very SERIOUS finding and goes in the report.

What Can We Do Now?

We will take the two files that we exported (SAM.hiv, system.hiv) and transfer them to our own machine so that we can crack the hashes.

After downloading the tool, we will create a folder on the Desktop and move the tool into it. We will then go into the x64 folder and open a cmd prompt from there.
*Pay Attention*

In order to perform the manipulations on the files, we will move them into the Mimikatz folder; then we will be able to run the commands.
After transferring the files, we will exit and open cmd again.
To load the tool, we type the command:
Mimikatz.exe

Dump Execution

lsadump::sam /system:system.hiv /sam:sam.hiv

As we can see, we have dumped all the hashes stored on this machine, for every account that has ever been set up on it.
We can see the Administrator, Guest, and DefaultAccount entries, which are always present.
And you can see that we got pc2’s hash.
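
As an added example (not part of the original article), here is a small detection routine a blue team could run over process-creation telemetry to catch exactly the steps shown above: reg.exe saving the SAM and SYSTEM hives, and mimikatz.exe being launched with its lsadump module. The events are constructed samples shaped like Sysmon Event ID 1 / Security 4688 fields; the field names and paths are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (fields in the shape of Sysmon
# Event ID 1 / Security 4688), not real telemetry.  The first three reproduce
# the steps in the article; the last one is a benign reg.exe query.
SAMPLE_EVENTS = [
    {"host": "pc2", "user": r"LAB\alice", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SYSTEM system.hiv"},
    {"host": "pc2", "user": r"LAB\alice", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM SAM.hiv"},
    {"host": "pc2", "user": r"LAB\alice",
     "image": r"C:\Users\alice\Desktop\mimikatz\x64\mimikatz.exe",
     "cmdline": r"Mimikatz.exe"},
    {"host": "pc2", "user": r"LAB\bob", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion /v ProgramFilesDir"},
]

# reg.exe save/export of the hives that hold local credentials (SAM) and the
# boot key needed to decrypt them (SYSTEM); SECURITY is included because it
# holds LSA secrets and cached domain logons.
HIVE_EXPORT = re.compile(
    r"\b(?:save|export)\s+(?:HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SYSTEM|SECURITY)\b", re.I)
# Mimikatz by image name or by its module syntax on the command line.  A renamed
# binary escapes the name check, which is why the hive-export rule matters too.
MIMIKATZ = re.compile(r"mimikatz\.exe$|(?:lsadump|sekurlsa)::", re.I)

def detect(events):
    """Return (host, rule, detail) findings for credential-hive theft activity."""
    findings = []
    hives_per_host = defaultdict(set)
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()   # basename only
        cmd = ev["cmdline"]
        if image == "reg.exe":
            m = HIVE_EXPORT.search(cmd)
            if m:
                hive = m.group(1).upper()
                hives_per_host[ev["host"]].add(hive)
                findings.append((ev["host"], f"reg_export_{hive}", cmd))
        if MIMIKATZ.search(image) or MIMIKATZ.search(cmd):
            findings.append((ev["host"], "mimikatz", cmd))
    # SAM alone cannot be decrypted without the SYSTEM boot key, so the pair on
    # one host is the strongest signal and is reported as its own finding.
    for host, hives in hives_per_host.items():
        if {"SAM", "SYSTEM"} <= hives:
            findings.append((host, "sam_and_system_exported", ",".join(sorted(hives))))
    return findings

if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] host={host}: {detail}")
```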

John The Ripper

Now, we’ll use John the Ripper to crack the hash.
The demo will be done on Windows and not on Kali Linux.
Download WinRAR to the machine.
Download John the Ripper from here:

https://www.openwall.com/john/

and download the rockyou.txt file:

https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

We will extract the two downloads to the Desktop.
We will extract the rockyou file and paste it into the john > run folder.
We open a new text file, call it “crackit.txt,” and paste into it all the output we got from Mimikatz.

Basically, we will copy the only hash we have (in a real organization, we would get hashes for more users), and the only user is PC2.
We will select all (Ctrl + A), delete what we pasted from Mimikatz, and paste only the hash, as follows:

Save it.

We will go into PowerShell, navigate to john > run, and run the tool with the command:
.\john

As we can see, the tool works properly.
Now, let’s run the attack by command:
.\john --format=NT [hash file] --wordlist=[wordlist path]

This brute-force tool is very convenient and fast!
In less than a second the tool cracked the password, which is Aa123456!

That’s it for this article!

I hope you find this article useful!
