How to get the Windows hash from the registry?
#1
Question 
I am doing a pentest exercise on a Windows Server 2016. I could elevate privileges and become an admin (NT AUTHORITY\SYSTEM). So I could dump the entire registry with a command like this:

Code:
for %x in (HKLM HKCU HKCR HKU HKCC) do reg export %x c:\windows\temp\registry_%x.txt

As I understand, the password hashes of the local users are in: [HKEY_LOCAL_MACHINE\SECURITY\SAM\*]

Where exactly is the hash, and how can I feed it to hashcat to start the brute force?

I am a noob... And I am angry because I can't find this answer.
Reply
#2
Local user account password hashes are stored in a local Security Account Manager (SAM) Database located in the registry. They are encrypted using the same encryption and hashing algorithms as Active Directory. The passwords in the supplementalCredentials attribute for local user accounts are also stored in the local SAM Database since Windows Server 2016.

The SAM file location is: C:\Windows\System32\config\SAM

You can also find the same in *HKEY_LOCAL_MACHINE\SAM* in the registry editor.

https://www.youtube.com/watch?v=Um75rEBPjMo
Reply
#3
(12-17-2022, 11:26 PM)marc1n Wrote: You can also find the same in *HKEY_LOCAL_MACHINE\SAM* in the registry editor.

https://www.youtube.com/watch?v=Um75rEBPjMo

Thanks for the answer. This is the path I am following. The problem is that I have the registry in text format, like this:


Code:
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001A3]
"F"=hex:03,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
.......
"V"=hex:00,00,00,00,e4,00,00,00,03,00,01,00,e1,00,00,00,0a,00,00,00,00,00,00,\
  00,f4,00,00,00,00,00,00,00,00,00,00,00,f4,00,00,00,70,00,00,00,00,00,00,00,\
........


I am reading the code of creddump7 to understand how it gets the hash. It is not as simple as on Linux :P Is there a program that gets the hash from the reg export output?
Reply
#4
(12-18-2022, 01:02 AM)rodrigo.Brasil Wrote:
(12-17-2022, 11:26 PM)marc1n Wrote: You can also find the same in *HKEY_LOCAL_MACHINE\SAM* in the registry editor.

https://www.youtube.com/watch?v=Um75rEBPjMo

Thanks for the answer. This is the path I am following. The problem is that I have the registry in text format, like this:


Code:
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001A3]
"F"=hex:03,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
.......
"V"=hex:00,00,00,00,e4,00,00,00,03,00,01,00,e1,00,00,00,0a,00,00,00,00,00,00,\
  00,f4,00,00,00,00,00,00,00,00,00,00,00,f4,00,00,00,70,00,00,00,00,00,00,00,\
........


I am reading the code of creddump7 to understand how it gets the hash. It is not as simple as on Linux :P Is there a program that gets the hash from the reg export output?

https://github.com/CiscoCXSecurity/creddump7
Reply
#5
(12-18-2022, 01:27 AM)marc1n Wrote: https://github.com/CiscoCXSecurity/creddump7

Thanks for your time, but you don't understand. This program CAN get the hash from the registry, but ONLY if it is in the original format (the binary). With the reg export command I get the same data, but as text. It shows the binary content, but with the hex values in text format.

creddump7 only works with the binary format. (Or am I wrong?)

Anyway, because you confirmed this data was in the supplementalCredentials attribute, I thought I was on the correct path and could get it myself by reading its format. This is not as easy as I thought, but I will get it.
Reply
#6
ARRRRgggg.....

Getting the hash manually is extremely difficult! This is not like /etc/shadow on Linux... But why does no program have this? Well, because I did a stupid thing.

This command worked:

Code:
reg export HKLM c:\windows\temp\registry.txt

But, trying to save the binary format like this:

Code:
reg save HKLM c:\windows\temp\registry.txt

I get the error message:

ERROR: Access denied.

I thought it was impossible to do it this way. But the problem is not security, it is the way I need to write the command:

Code:
reg save HKLM\sam c:\windows\temp\registry.txt

If someone reads this... You are doing it wrong! Don't be stupid like me :D
Reply
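For defenders reading this thread: the command lines it walks through (`reg export` of whole hives, `reg save HKLM` failing with "Access denied", `reg save HKLM\sam` succeeding) are exactly what a process-creation detection should catch, since a saved SAM/SECURITY/SYSTEM hive is all an offline tool like creddump7 needs. The following is an added example, not code from any poster in the thread; the command lines are constructed samples in the shape of 4688/Sysmon Event ID 1 telemetry, and the hive list and regex are my own assumptions about what is worth alerting on.

```python
import re

# Hives whose offline copies carry credential material: SAM (local account
# hashes), SECURITY (LSA secrets, cached domain credentials) and SYSTEM (the
# boot key needed to decrypt the other two). Saving all of HKLM, as the poster
# first tried, would include all three, so a bare HKLM is reported as well.
SENSITIVE_HIVES = {"sam", "security", "system"}

# reg.exe subcommand followed by its key argument, with or without quotes,
# e.g.  reg save HKLM\sam out.hiv   or   reg.exe export "HKLM\SYSTEM" s.reg
REG_CMD = re.compile(
    r"\breg(?:\.exe)?\s+(save|export)\s+\"?(HK[A-Z_]+(?:\\[^\s\"]+)?)",
    re.IGNORECASE,
)


def classify(cmdline):
    """Return (subcommand, hive) when cmdline dumps a credential-bearing hive,
    otherwise None. `reg save` writes the binary hive that offline parsers read
    directly; `reg export` writes the .reg text form the poster was stuck with,
    but it leaks the same bytes, so both subcommands are reported."""
    m = REG_CMD.search(cmdline)
    if not m:
        return None
    sub, key = m.group(1).lower(), m.group(2)
    parts = key.split("\\")
    if parts[0].upper() not in ("HKLM", "HKEY_LOCAL_MACHINE"):
        return None          # HKCU/HKU/HKCR exports do not contain the SAM
    if len(parts) == 1:
        return sub, "HKLM"   # whole-hive attempt; alert even if it was denied
    if parts[1].lower() in SENSITIVE_HIVES:
        return sub, parts[1].upper()
    return None              # e.g. HKLM\SOFTWARE exports are routine admin work


# Constructed sample command lines (not real telemetry), mirroring the thread.
SAMPLE_CMDLINES = [
    r"reg export HKLM c:\windows\temp\registry.txt",
    r"reg save HKLM c:\windows\temp\registry.txt",
    r"reg save HKLM\sam c:\windows\temp\registry.txt",
    r'reg.exe save "HKLM\SYSTEM" C:\Users\Public\sys.hiv',
    r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"reg export HKCU\Software\Vendor c:\temp\vendor.reg",
]


def scan(cmdlines):
    """Pair each suspicious command line with its (subcommand, hive) verdict."""
    return [(c, classify(c)) for c in cmdlines if classify(c)]
```

Running `scan(SAMPLE_CMDLINES)` flags the first four lines and ignores the routine `reg query` and the HKCU export; in production, pair the hit with the parent process and the account so that legitimate backup jobs holding SeBackupPrivilege can be allow-listed rather than silenced.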