There are three registry hives that we can copy if we have local admin access on the target; each will have a specific purpose when we get to dumping and cracking the hashes. Here is a brief description of each in the table below:
| Registry Hive | Description |
|---|---|
hklm\sam |
Contains the hashes associated with local account passwords. We will need the hashes so we can crack them and get the user account passwords in cleartext. |
hklm\system |
Contains the system bootkey, which is used to encrypt the SAM database. We will need the bootkey to decrypt the SAM database. |
hklm\security |
Contains cached credentials for domain accounts. We may benefit from having this on a domain-joined Windows target. |
reg.exe utility.reg.exe save hklm\sam C:\sam.save
reg.exe save hklm\system C:\system.save
reg.exe save hklm\security C:\security.save
Technically we will only need hklm\sam & hklm\system, but hklm\security can also be helpful to save as it can contain hashes associated with cached domain user account credentials present on domain-joined hosts. Once the hives are saved offline, we can use various methods to transfer them to our attack host.
we can populate a text file with the NT hashes we were able to dump
sudo vim hashestocrack.txt
https://hashcat.net/wiki/doku.php?id=example_hashes
We will focus on using -m to select the hash type 1000 to crack our NT hashes (also referred to as NTLM-based hashes).