net user command. To enumerate the SAM database, system-level access is required. A number of tools can be used to retrieve the SAM file through in-memory techniques:
Notes: RID 500 is the local built-in Administrator account. RID 501 is the Guest account. Regular user accounts start with a RID of 1,000+.
Notes: Cached credentials for Windows Vista are derived using PBKDF2.
Notes: The passwords extracted by this mechanism are UTF-16 encoded, which means that they are returned in plaintext. Windows 10 adds protections for LSA Secrets, described under Mitigation.
procdump -ma lsass.exe lsass_dump
privilege::debug module to debug any of the processes that we are running or that we usually don't have access to.
pypykatz will use this one to extract the credentials (more info will be referenced below).
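As an added defensive example (not part of the original notes): every step above, whether procdump, mimikatz or pypykatz, relies on opening a handle to lsass.exe, which Sysmon records as Event ID 10 (ProcessAccess). The script below runs a simple detection over constructed Sysmon records, flagging handles to lsass.exe from non-allowlisted images that request PROCESS_ALL_ACCESS or PROCESS_VM_READ, or whose call stack contains a MiniDump helper library; the allowlist and the sample events are assumptions.

```python
import re

# Win32 process access-right bits (real constants). 0x1FFFFF is PROCESS_ALL_ACCESS,
# the mask a full-memory dump such as "procdump -ma lsass.exe" requests.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF
# Assumed allowlist of images that routinely open lsass.exe; tune it per estate.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
# Libraries that implement MiniDumpWriteDump; their presence in the CallTrace of a
# handle to lsass.exe is a strong sign that process memory is being written to disk.
DUMP_HELPERS = ("dbgcore.dll", "dbghelp.dll")

# Constructed, flattened Sysmon Event ID 10 (ProcessAccess) records, not real telemetry.
SAMPLE_EVENTS = [
    r"SourceImage: C:\Tools\procdump64.exe TargetImage: C:\Windows\system32\lsass.exe GrantedAccess: 0x1FFFFF CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\dbgcore.dll+1a2b3|C:\Tools\procdump64.exe+4c1d",
    r"SourceImage: C:\Windows\System32\csrss.exe TargetImage: C:\Windows\system32\lsass.exe GrantedAccess: 0x1FFFFF CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\csrss.exe+1234",
    r"SourceImage: C:\Windows\System32\Taskmgr.exe TargetImage: C:\Windows\system32\lsass.exe GrantedAccess: 0x1000 CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\Taskmgr.exe+5678",
    r"SourceImage: C:\Tools\procdump64.exe TargetImage: C:\Windows\system32\notepad.exe GrantedAccess: 0x1FFFFF CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\dbgcore.dll+1a2b3",
]

def _field(line: str, name: str) -> str:
    # Sysmon image paths and call traces contain no spaces, so \S+ captures a whole value.
    m = re.search(rf"{name}: (\S+)", line)
    return m.group(1).lower() if m else ""

def classify(line: str) -> list[str]:
    """Return the reasons an lsass.exe handle looks like a credential dump (empty = benign)."""
    source, target = _field(line, "SourceImage"), _field(line, "TargetImage")
    if not target.endswith(r"\lsass.exe") or source in ALLOWED_SOURCES:
        return []
    granted, trace = int(_field(line, "GrantedAccess"), 16), _field(line, "CallTrace")
    reasons = []
    if granted == PROCESS_ALL_ACCESS:
        reasons.append("PROCESS_ALL_ACCESS requested, typical of a full memory dump")
    elif granted & PROCESS_VM_READ:
        reasons.append("PROCESS_VM_READ requested")
    if any(lib in trace for lib in DUMP_HELPERS):
        reasons.append("MiniDump helper library in call stack")
    return reasons

def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (source image, reasons) for every event that should raise an alert."""
    return [(_field(l, "SourceImage"), classify(l)) for l in lines if classify(l)]

if __name__ == "__main__":
    for source, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT {source}: {'; '.join(reasons)}")
```

Only the procdump record is flagged: the csrss.exe handle is allowlisted, Taskmgr's 0x1000 (query-only) mask never reads memory, and the notepad.exe target is out of scope.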