Physical attacks at the console
In this section, we will explore different types of attack that are typically performed on a system with physical access.
samdump2 and chntpw
One of the most popular ways to dump password hashes from a Windows system is to use samdump2. It reads the boot key from the SYSTEM registry hive and uses it to decrypt the NT (and, on older systems, LM) hashes stored in the SAM hive, so both files are needed. This can be done by powering on the acquired system and booting it from our Kali USB stick after changing the boot order in the BIOS/UEFI settings.
- Once the system has booted into Kali, the local hard drive is normally auto-mounted under /media as a removable drive (assuming the volume is not protected by full-disk encryption such as BitLocker or PGP Whole Disk Encryption, in which case the hives cannot be read without the recovery key), as shown in the following screenshot:
- If the drive is not mounted automatically, the attacker can identify the Windows partition with lsblk or fdisk -l and mount it manually by running the following commands (/dev/sda2 is the partition in our case; add -o ro if you only need to read the hives, since chntpw is the only step that needs write access):

```
mkdir /mnt/target1
mount /dev/sda2 /mnt/target1
```
- Once the drive is mounted, navigate to the mounted folder (in our case, it is /media/root/<ID>/Windows/System32/Config) and run samdump2 SYSTEM SAM, as shown in the following screenshot. The SYSTEM and SAM files should display all...