Account Info


Created: 12.10.2020

Windows

There are two main places within the registry that contain that information: the SAM hive for local and Microsoft accounts, and Software\Microsoft\Windows NT\CurrentVersion\ProfileList for domain accounts.

❗️❗️❗️❗️ For more details, see here.

To crack Windows NTLM hashes (for local accounts only), you'll need both the SYSTEM and SAM hives. SYSTEM contains the AES key 🔑 used for NTLM decryption and SAM contains the encrypted hashes. Once a hash is decrypted, a brute-force 💪 or dictionary 📖 attack is still needed.

Xbox on later versions is a built-in game center. It also contains some information about the user (if they use it for games): C:\Users\%Username%\AppData\Local\LocalState\ModelManager\Xboxlivegamer.xml (user profile).

Also, collect the DPAPI user and system master keys: https://www.youtube.com/watch?v=vA4qa0uWRHU.

\Users\%username%\
\Users\%username%\Desktop
\Users\%username%\Documents
\Users\%username%\Downloads

Password hashes

SAM hive + SYSTEM.

macOS

/Users/%username%/

Password hashes

sudo plutil -p /var/db/dslocal/nodes/Default/users/<username>.plist

Account Info

sudo plutil -p /private/var/db/dslocal/nodes/Default/Users/<User>.plist

Contains the account name, profile (real) name, password hint, account image path and UID.
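The following added Python example (not part of the original notes) shows how to pull those same fields out of a dslocal user plist offline with the standard-library plistlib, instead of reading raw plutil output. It assumes the record layout that plutil prints for these files: each attribute is an array of values, and ShadowHashData is an array of binary-plist blobs keyed by algorithm name (e.g. SALTED-SHA512-PBKDF2). The sample record is constructed inline; the summary deliberately reports only the hash algorithm and iteration count, never the salt or entropy bytes.

```python
import plistlib

# Constructed sample in the shape of a dslocal user record (assumption: the
# array-valued attribute layout and the ShadowHashData structure mirror what
# `plutil -p` prints for a real /var/db/dslocal/nodes/Default/users/<user>.plist).
INNER_HASH = plistlib.dumps(
    {"SALTED-SHA512-PBKDF2": {"entropy": b"\x00" * 128,
                              "salt": b"\x11" * 32,
                              "iterations": 40000}},
    fmt=plistlib.FMT_BINARY,
)
SAMPLE_USER_PLIST = plistlib.dumps(
    {
        "name": ["analyst"],
        "realname": ["Forensic Analyst"],
        "uid": ["501"],
        "gid": ["20"],
        "home": ["/Users/analyst"],
        "shell": ["/bin/zsh"],
        "hint": ["pet name"],
        "picture": ["/Library/User Pictures/Animals/Cat.tif"],
        "generateduid": ["00000000-0000-0000-0000-000000000000"],
        "ShadowHashData": [INNER_HASH],
    },
    fmt=plistlib.FMT_BINARY,
)


def first(record, key):
    """dslocal stores every attribute as an array; return its first element."""
    value = record.get(key)
    if isinstance(value, list):
        return value[0] if value else None
    return value


def summarize_user_plist(data: bytes) -> dict:
    """Extract the account-info fields from a user plist; hash material is not returned."""
    record = plistlib.loads(data)
    uid = first(record, "uid")
    summary = {
        "name": first(record, "name"),
        "realname": first(record, "realname"),
        "uid": int(uid) if uid is not None else None,
        "home": first(record, "home"),
        "shell": first(record, "shell"),
        "hint": first(record, "hint"),
        "picture": first(record, "picture"),
        "hash_algorithms": [],
        "pbkdf2_iterations": None,
    }
    # ShadowHashData holds a nested binary plist per entry; only the algorithm
    # names and the PBKDF2 iteration count are surfaced.
    for blob in record.get("ShadowHashData", []):
        inner = plistlib.loads(blob)
        summary["hash_algorithms"].extend(inner.keys())
        pbkdf2 = inner.get("SALTED-SHA512-PBKDF2")
        if pbkdf2:
            summary["pbkdf2_iterations"] = pbkdf2.get("iterations")
    return summary


def findings(summary: dict) -> list:
    """Triage notes an examiner would want flagged for a local account."""
    notes = []
    if summary["hint"]:
        notes.append("password hint present")
    if summary["uid"] == 0:
        notes.append("uid 0 (root-equivalent)")
    elif summary["uid"] is not None and summary["uid"] < 500:
        notes.append("uid below 500 (system/service range)")
    if not summary["hash_algorithms"]:
        notes.append("no ShadowHashData (no local password set?)")
    return notes


if __name__ == "__main__":
    s = summarize_user_plist(SAMPLE_USER_PLIST)
    for k, v in s.items():
        print(f"{k:>18}: {v}")
    print("findings:", findings(s))
```

To run it against a real record, replace SAMPLE_USER_PLIST with the bytes of the plist read as root (the files are not readable by normal users), and keep the same loads() call: plistlib detects the binary format automatically.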

Get the UIDs of users (including services' UIDs): /private/var/db/dslocal/nodes/Default/sqlindex (SQLite DB).

Login History

sudo su
cd /private/var/log/asl
cat BB.<date>.asl

BB.<date>.asl: "BB" stands for "Best before".

⚠️ When grabbing volumes from an APFS system, acquire the Recovery volume as well, since it may also contain account information (password hints, for example).

Tools 🛠: plutil (built-in on Macs).

Also, FSEvents can give you a lot of information. Tools 🛠: FSEventsParser.

Linux

/etc/passwd and /etc/shadow.
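As an added example (not from the original notes), the Python below joins the two files offline and classifies each account's password field the way an examiner would when triaging a Linux image: which hash scheme is in use (by the `$id$` prefix), whether the account is locked (`!` prefix), has no password at all (empty field), or is a non-root UID 0 account. The passwd and shadow lines are constructed samples embedded inline; point `merge()` at the contents of the real files from a mounted image instead.

```python
from dataclasses import dataclass

# Constructed sample lines (not copied from any real system).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
backup:x:0:0:backup admin:/var/backups:/bin/sh
svc:x:1002:1002:service:/opt/svc:/usr/sbin/nologin
"""
SHADOW_SAMPLE = """\
root:$6$salt$hashvalue:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$y$j9T$salt$hashvalue:19000:0:99999:7:::
bob:!$1$salt$hashvalue:19000:0:99999:7:::
backup::19000:0:99999:7:::
svc:!!:19000:0:99999:7:::
"""

# crypt(3) scheme identifiers as they appear between the first two '$'.
HASH_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
            "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt",
            "y": "yescrypt", "gy": "gost-yescrypt"}


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str
    locked: bool = False
    hash_algo: str = "no-shadow-entry"


def classify_hash(field: str):
    """Return (locked, algorithm) for one /etc/shadow password field."""
    locked = field.startswith("!")        # passwd -l / usermod -L prefix
    core = field.lstrip("!")
    if core == "":
        algo = "none" if locked else "empty"   # '!!'/'!' = no password set; '' = login without password
    elif core == "*":
        algo = "disabled"                      # password login not possible
    elif core.startswith("$"):
        algo = HASH_IDS.get(core.split("$")[1], f"unknown({core.split('$')[1]})")
    else:
        algo = "descrypt"                      # legacy 13-char DES hash has no '$' prefix
    return locked, algo


def parse_passwd(text: str) -> dict:
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        accounts[name] = Account(name, int(uid), int(gid), gecos, home, shell)
    return accounts


def parse_shadow(text: str) -> dict:
    fields = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw = line.split(":", 2)[:2]
        fields[name] = pw
    return fields


def merge(passwd_text: str, shadow_text: str) -> list:
    """Join passwd and shadow by account name, annotating lock state and hash scheme."""
    accounts = parse_passwd(passwd_text)
    for name, pw in parse_shadow(shadow_text).items():
        if name in accounts:
            accounts[name].locked, accounts[name].hash_algo = classify_hash(pw)
    return list(accounts.values())


def audit(accounts: list) -> list:
    """Findings an examiner would flag when reviewing local accounts."""
    findings = []
    for a in accounts:
        if a.uid == 0 and a.name != "root":
            findings.append(f"{a.name}: uid 0 but not root")
        if a.hash_algo == "empty":
            findings.append(f"{a.name}: empty password field (login without password)")
        if a.hash_algo in ("md5crypt", "descrypt") and not a.locked:
            findings.append(f"{a.name}: weak hash algorithm {a.hash_algo}")
    return findings


if __name__ == "__main__":
    accts = merge(PASSWD_SAMPLE, SHADOW_SAMPLE)
    for a in accts:
        print(f"{a.name:<8} uid={a.uid:<5} locked={a.locked!s:<5} hash={a.hash_algo:<12} shell={a.shell}")
    for f in audit(accts):
        print("FINDING:", f)
```

Accounts present in passwd but missing from shadow keep the `no-shadow-entry` marker, which is itself worth a look on an image, since every local account normally has a shadow line.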