There are three registry hives that we can copy if we have local admin access on the target; each will have a specific purpose when we get to dumping and cracking the hashes. Here is a brief description of each in the table below:
| Registry Hive | Description |
|---|---|
hklm\\sam |
Contains the hashes associated with local account passwords. We will need the hashes so we can crack them and get the user account passwords in cleartext. |
hklm\\system |
Contains the system bootkey, which is used to encrypt the SAM database. We will need the bootkey to decrypt the SAM database. |
hklm\\security |
Contains cached credentials for domain accounts. We may benefit from having this on a domain-joined Windows target. |
reg.exe utility.reg.exe save hklm\\sam C:\\sam.save
reg.exe save hklm\\system C:\\system.save
reg.exe save hklm\\security C:\\security.save
Technically we will only need hklm\\sam & hklm\\system, but hklm\\security can also be helpful to save as it can contain hashes associated with cached domain user account credentials present on domain-joined hosts. Once the hives are saved offline, we can use various methods to transfer them to our attack host.
we can populate a text file with the NT hashes we were able to dump
sudo vim hashestocrack.txt
https://hashcat.net/wiki/doku.php?id=example_hashes
We will focus on using -m to select the hash type 1000 to crack our NT hashes (also referred to as NTLM-based hashes).