secretsdump.py
Performs various techniques to dump hashes from the remote machine without executing any agent there. For SAM and LSA Secrets (including cached creds) we try to read as much as we can from the registry and then we save the hives in the target system (%SYSTEMROOT%\Temp dir) and read the rest of the data from there.
https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py
Retrieving Hashes using Secretsdump.py
Why do we care about a virtual hard drive (especially a Windows one)? If we can locate a backup of a live machine, we can access the C:\Windows\System32\Config directory and pull down the SAM, SECURITY and SYSTEM registry hives. We can then use a tool such as secretsdump to extract the password hashes for local users.
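As an added example (not code from Impacket or from the page's author): a small Python auditor that recognises registry hive files by their regf header inside a mounted backup or virtual disk, flags the credential-bearing SAM, SECURITY and SYSTEM hives, and reports whether a hive was captured mid-write, which is common for snapshots of a running machine. The field offsets follow the documented regf base block; make_sample_hive and the paths fed to it are constructed test data.

```python
# Recognise Windows registry hives (regf format) in a backup or mounted disk so
# an auditor can see which exposed files carry credential material. Added
# example; the sample header built below is constructed, not a real hive.
import struct
from pathlib import Path
REGF_HEADER = 4096                      # size of the regf base block
CRED_HIVES = ("SAM", "SECURITY", "SYSTEM")
def regf_checksum(block):
    # XOR of the first 508 bytes as LE uint32s; 0 -> 1, 0xFFFFFFFF -> 0xFFFFFFFE
    csum = 0
    for (word,) in struct.iter_unpack("<I", block[:508]):
        csum ^= word
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(csum, csum)
def parse_hive_header(block):
    """Return parsed regf base-block fields, or None if this is not a hive."""
    if len(block) < REGF_HEADER or block[:4] != b"regf":
        return None
    seq1, seq2 = struct.unpack_from("<II", block, 0x04)
    major, minor = struct.unpack_from("<II", block, 0x14)
    name = block[0x30:0x70].decode("utf-16-le", "replace").split("\x00", 1)[0]
    (stored_csum,) = struct.unpack_from("<I", block, 0x1FC)
    tail = name.upper().rsplit("\\", 1)[-1]   # last component of the hive path
    return {
        "version": f"{major}.{minor}",
        "name": name,
        # Unequal sequence numbers: copied mid-write (typical of a live snapshot)
        "dirty": seq1 != seq2,
        "checksum_ok": stored_csum == regf_checksum(block),
        "hive": tail if tail in CRED_HIVES else None,
    }
def make_sample_hive(path, seq1=7, seq2=7):
    """Construct a minimal regf base block (test data only, not a real hive)."""
    block = bytearray(REGF_HEADER)
    block[0:4] = b"regf"
    struct.pack_into("<II", block, 0x04, seq1, seq2)
    struct.pack_into("<II", block, 0x14, 1, 5)          # format version 1.5
    tail = path[-31:]                                    # field holds the path tail
    block[0x30:0x30 + 2 * len(tail)] = tail.encode("utf-16-le")
    struct.pack_into("<I", block, 0x1FC, regf_checksum(bytes(block)))
    return bytes(block)
def find_credential_hives(directory):
    """Scan a directory (e.g. a mounted backup's System32\\Config) for hives."""
    hits = []
    for p in sorted(Path(directory).iterdir()):
        if p.is_file():
            with p.open("rb") as f:
                info = parse_hive_header(f.read(REGF_HEADER))
            if info and info["hive"]:
                hits.append((p.name, info))
    return hits
```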