
secretsdump.py: Dumping credentials without touching disk

Open antuache opened this issue 1 year ago • 7 comments

This PR allows remotely extracting hashes from the SAM and SECURITY (LSA Secrets and cached credentials) registry hives without touching disk. There is no need to save these registry hives to disk and parse them locally.

This feature takes advantage of the WriteDACL privileges held by local administrators to provide temporary read permissions on registry hives. This work was already implemented by @jfjallid on the great tool https://github.com/jfjallid/go-secdump.

In order to use this technique, it is required to use the -inline flag. If a connection error occurs and the extraction is interrupted, the -restore flag can be used to restore the initial state of the registry.

[Screenshot: secretsdump_inline]

Also, the -use-ntds flag has been added as I noticed it was trying to launch the NTDS extraction every time the script was launched.

antuache avatar Feb 09 '24 12:02 antuache
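A defender's view of the technique described above: granting Administrators a temporary read ACE on a SAM/SECURITY key and restoring it afterwards leaves a pair of "Permissions on an object were changed" (Event ID 4670) audit records when registry-key auditing is enabled. The following is an added example, not code from this PR or from impacket; the event records and SDDL strings are constructed, and the field names are assumed to match the Windows 4670 schema.

```python
import re
from datetime import datetime

# Keys whose ACL should not change during normal operation (assumption: SAM/SECURITY only).
SENSITIVE_KEYS = (r"\REGISTRY\MACHINE\SAM", r"\REGISTRY\MACHINE\SECURITY")

# Constructed 4670 records (not real logs); SDDL values are simplified placeholders.
SAMPLE_EVENTS = [
    {"EventID": 4670, "TimeCreated": "2024-02-09T12:00:01", "ObjectType": "Key",
     "ObjectName": r"\REGISTRY\MACHINE\SAM\SAM", "SubjectUserName": "admin",
     "OldSd": "D:(A;;KR;;;SY)", "NewSd": "D:(A;;KR;;;SY)(A;;KR;;;BA)"},
    {"EventID": 4670, "TimeCreated": "2024-02-09T12:00:02", "ObjectType": "Key",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Contoso", "SubjectUserName": "installer",
     "OldSd": "D:(A;;KA;;;BA)", "NewSd": "D:(A;;KA;;;BA)(A;;KR;;;BU)"},
    {"EventID": 4670, "TimeCreated": "2024-02-09T12:00:04", "ObjectType": "Key",
     "ObjectName": r"\REGISTRY\MACHINE\SAM\SAM", "SubjectUserName": "admin",
     "OldSd": "D:(A;;KR;;;SY)(A;;KR;;;BA)", "NewSd": "D:(A;;KR;;;SY)"},
]

def is_sensitive_hive_change(ev):
    """True for a 4670 record whose target key lives under SAM or SECURITY."""
    return (ev.get("EventID") == 4670 and ev.get("ObjectType") == "Key"
            and ev.get("ObjectName", "").upper().startswith(SENSITIVE_KEYS))

def added_aces(old_sd, new_sd):
    """ACE strings present in new_sd but absent from old_sd (crude SDDL split,
    enough to tell a grant from a removal; not a full SDDL parser)."""
    aces = lambda sd: set(re.findall(r"\([^)]*\)", sd))
    return aces(new_sd) - aces(old_sd)

def find_hive_acl_tampering(events, window_seconds=300):
    """One alert per ACE grant on a sensitive key, flagging whether a later
    record on the same key put the original descriptor back within the window."""
    alerts = []
    for i, ev in enumerate(events):
        if not is_sensitive_hive_change(ev):
            continue
        grant = added_aces(ev["OldSd"], ev["NewSd"])
        if not grant:
            continue  # pure removals are surfaced through the 'restored' flag
        t0 = datetime.fromisoformat(ev["TimeCreated"])
        restored = any(
            later["ObjectName"] == ev["ObjectName"] and later["NewSd"] == ev["OldSd"]
            and 0 <= (datetime.fromisoformat(later["TimeCreated"]) - t0).total_seconds() <= window_seconds
            for later in events[i + 1:] if is_sensitive_hive_change(later))
        alerts.append({"key": ev["ObjectName"], "user": ev["SubjectUserName"],
                       "added_aces": sorted(grant), "restored": restored})
    return alerts

if __name__ == "__main__":
    for alert in find_hive_acl_tampering(SAMPLE_EVENTS):
        print(alert)
```

A grant with `restored: True` within seconds is the signature of a tool that fixes the ACL after reading; a grant that is never restored is the interrupted case the -restore flag is meant to clean up.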

Depending on the permissions to access the remote registry, you could also try to access the data with Backup privileges. I'm working on something similar and this avoids changing permissions on these objects.

edermi avatar Feb 11 '24 20:02 edermi

@antuache Please consider submitting this PR to theporgs fork here as well https://github.com/ThePorgs/impacket

This repo doesn't get the care it deserves while theporgs is very much maintained with bug fixes and PRs

byinarie avatar Feb 17 '24 23:02 byinarie

@byinarie is the fortra/impacket repo unmaintained compared to the ThePorgs fork? There are like ~300 commits vs ~50 "new" commits in fortra/impacket.

EDIT: I've read the description of the ThePorgs fork and better understand its purpose.

AkechiShiro avatar Feb 18 '24 00:02 AkechiShiro

@antuache Got the following error: Modifying ACLs failed: 'RemoteOperations' object has no attribute 'prepareDumpInline'

sagiol avatar Apr 17 '24 11:04 sagiol

Hey, can I help with anything on this PR? I really need this to be merged for https://github.com/Pennyw0rth/NetExec and https://github.com/login-securite/DonPAPI :)

zblurx avatar Aug 02 '24 06:08 zblurx

I'll be working on this. In the meantime, the PR needs to get its conflicts resolved @antuache

anadrianmanrique avatar Aug 05 '24 14:08 anadrianmanrique

Ok, I'll create a separate PR with these changes. Conflicts should be related to #1719. This will be merged in the context of 0.13-dev

anadrianmanrique avatar Aug 14 '24 18:08 anadrianmanrique