gentilkiwi / mimikatz

A little tool to play with Windows security
http://blog.gentilkiwi.com/mimikatz

Feature suggestion: lsadump::sam support for SupplementalCredentials #250

Closed MichaelGrafnetter closed 4 years ago

MichaelGrafnetter commented 4 years ago

Hi, you have most probably noticed that SAM "databases" in Windows 10 / Server 2016 contain a SupplementalCredentials value next to F and V. This feature has apparently been added so that dcpromo.exe can populate Kerberos AES keys for the built-in Administrator account.

It would therefore be nice if lsadump::sam would show the contents of SupplementalCredentials, next to NTLM hashes.

gentilkiwi commented 4 years ago

With pleasure Michael! If you have lab SYSTEM & SAM to upload to have more test vectors, I'll try on it too :)

MichaelGrafnetter commented 4 years ago

Great, thanks, Benjamin! The samdump.zip archive contains SAM+SYSTEM samples from Windows 10 1909 and Windows Server 2019 DC, together with standard::version /cab outputs (is it even legal?). Admin passwords should be Pa$$w0rd. Also included is an export from my production MS account, which contains some additional attributes not seen on local accounts (F, V and SupplementalCredentials removed), in case you are interested.

PF 2020!

MichaelGrafnetter commented 4 years ago

Great, thanks! BTW, I just noticed that the least important property of them all, Packages, is not parsed correctly by either lsadump::sam or lsadump::dcsync. Its value consists of multiple UTF16 strings separated by \0, while kprintf() only displays the first one. "It's a trap!" :wink:
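To illustrate the Packages parsing point in the comment above, here is an added example (not code from mimikatz or from either participant) that splits a buffer of NUL-separated UTF-16LE strings bounded by its byte length rather than by a terminator; the sample value and its three package names are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
static uint16_t unit_at(const uint8_t *b, size_t i) { return (uint16_t)(b[2*i] | (b[2*i+1] << 8)); } /* UTF-16LE */

/* Split NUL-separated UTF-16LE strings into (offset, length) pairs in code units. Bounded by
 * byteLen, not a terminator, so an unterminated value cannot overrun; empty strings are skipped. */
static size_t split_utf16_multi(const uint8_t *buf, size_t byteLen,
                                size_t *off, size_t *len, size_t max)
{
    size_t units = byteLen / 2, count = 0, start = 0;
    for (size_t i = 0; i <= units && count < max; i++) {
        uint16_t cu = (i < units) ? unit_at(buf, i) : 0; /* end of buffer acts as NUL */
        if (cu != 0) continue;
        if (i > start) { off[count] = start; len[count] = i - start; count++; }
        start = i + 1;
    }
    return count;
}

/* Copy one string out as ASCII for display; non-ASCII code units become '?'. */
static void utf16_to_ascii(const uint8_t *buf, size_t off, size_t len, char *out, size_t outLen)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n + 1 < outLen; i++, n++)
        out[n] = unit_at(buf, off + i) < 0x80 ? (char)unit_at(buf, off + i) : '?';
    out[n] = '\0';
}

/* Constructed sample (not from a real hive): three names, NUL-separated, no trailing NUL. */
static const uint8_t SAMPLE_PACKAGES[] = {
    'K',0,'e',0,'r',0,'b',0,'e',0,'r',0,'o',0,'s',0, 0,0,
    'N',0,'T',0,'L',0,'M',0, 0,0,
    'W',0,'D',0,'i',0,'g',0,'e',0,'s',0,'t',0 };

/* i-th sample string as ASCII (static buffer) or NULL; a %s print of the raw buffer shows only string 0. */
const char *sample_package(size_t i)
{
    static char s[64];
    size_t off[16], len[16];
    size_t n = split_utf16_multi(SAMPLE_PACKAGES, sizeof SAMPLE_PACKAGES, off, len, 16);
    if (i >= n) return NULL;
    utf16_to_ascii(SAMPLE_PACKAGES, off[i], len[i], s, sizeof s);
    return s;
}
int main(void)
{
    for (size_t i = 0; sample_package(i) != NULL; i++) printf("Packages[%zu] = %s\n", i, sample_package(i));
    return 0;
}
```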