registry
skelsec edited this page Apr 12, 2021 · 2 revisions
Obtains the credentials / secrets / other info from registry hive files.

The Windows registry keeps its most valuable secrets spread across three hives (`SYSTEM`, `SAM`, `SECURITY`) and, optionally, a fourth (`SOFTWARE`). The `SYSTEM` hive holds the key (the bootkey) needed to decrypt the secrets stored in the other hives, so the `SYSTEM` hive file must always be supplied to get any meaningful information; on its own it yields only the bootkey. The more hive files you supply, the more secrets you will be able to extract.

For a complete dump you will need to supply all three hives mentioned above (`SYSTEM`, `SAM` and `SECURITY`).

If you supply the `SOFTWARE` hive as well, you might also get the default logon user name. Careful: this hive file is usually quite large and it does not always contain that information.
Parameters:
- `<SYSTEM_hive_file_path>`: Path to the `SYSTEM` hive file (required, positional); used to derive the bootkey
- `--sam <SAM_hive_file_path>`: Parses local user hashes from the `SAM` hive file
- `--security <SECURITY_hive_file_path>`: Parses DCC hashes and LSA secrets from the `SECURITY` hive file
- `--software <SOFTWARE_hive_file_path>`: Parses the default logon user name and domain from the `SOFTWARE` hive file
- `--json`: Switches the output to JSON format, both in STDOUT and in FILE output modes
- `-o <output_file>`: Writes the results to a file instead of printing them to STDOUT
Examples:
- `pypykatz registry <SYSTEM_hive_file_path>`: Prints the bootkey to STDOUT
- `pypykatz registry <SYSTEM_hive_file_path> --sam <SAM_hive_file_path> --security <SECURITY_hive_file_path>`: Prints the secrets from the `SAM` and `SECURITY` hives
- `pypykatz registry <SYSTEM_hive_file_path> --sam <SAM_hive_file_path> --security <SECURITY_hive_file_path> -o <output_file>`: Writes all credentials to `<output_file>`
- `pypykatz registry <SYSTEM_hive_file_path> --sam <SAM_hive_file_path> --security <SECURITY_hive_file_path> -o <output_file> --json`: Writes all credentials to `<output_file>` in JSON format