secretsdump.py: Dumping credentials without touching disk #1698
Conversation
|
Depending on the permissions to access the remote registry, you could also try to access the data with Backup privileges. I'm working on something similar and this avoids changing permissions on these objects. |
|
@antuache This repo doesn't get the care it deserves while theporgs is very much maintained with bug fixes and PRs |
|
@byinarie is the EDIT : I've read the description of theprogs fork and better understand its purpose. |
|
@antuache |
|
Hey, can I help on anything with this PR ? I really need this to be merge for https://github.com/Pennyw0rth/NetExec and https://github.com/login-securite/DonPAPI :) |
|
I'll be working on this. In the meanwhile PR needs to get conflicts resolved @antuache |
|
Ok I'll create a separte PR with these changes. Conflicts should be related to #1719. This will be merged in the context 0.13-dev |
anadrianmanrique
added
the
waiting for response
This PR allows to remotely extract hashes from the SAM and SECURITY (LSA Secrets and cached credentials) registry hives without touching disk. There is no need to save these registry hives to disk and parse them locally.
This feature takes advantage of the WriteDACL privileges held by local administrators to provide temporary read permissions on registry hives. This work was already implemented by @jfjallid on the great tool https://github.com/jfjallid/go-secdump.
In order to use this technique, it is required to use the
-inlineflag. If a connection error occurs and the extraction is interrupted, the-restoreflag can be used to restore the initial state of the registry.Also, the
-use-ntdsflag has been added as I noticed it was trying to launch the NTDS extraction every time the script was launched.