Account Info


Created: 12.10.2020

Windows

There are two main places within the registry that contain that information: the SAM hive for local and Microsoft accounts, and Software\Microsoft\Windows NT\CurrentVersion\ProfileList for domain accounts.

❗ïļâ—ïļâ—ïļâ—ïļ More details see here.

To crack Windows NTLM hashes (for local accounts only), you’ll need both the SYSTEM and SAM hives. SYSTEM contains the AES key 🔑 for NTLM decryption and SAM contains the encrypted hash. After the hash is decrypted, either a brute-force 💊 or a dictionary 📖 attack is needed.

The Xbox app on later Windows versions is a built-in game center. It also contains some information about the user (if he uses it for games): C:\Users\%Username%\AppData\Local\LocalState\ModelManager\Xboxlivegamer.xml (user profile).

Also, collect the DPAPI master keys for users and for the system: https://www.youtube.com/watch?v=vA4qa0uWRHU.

\Users\%username%\
\Users\%username%\Desktop
\Users\%username%\Documents
\Users\%username%\Downloads

Password hashes

SAM hive + SYSTEM.

macOS

/Users/%username%/

Password hashes

sudo plutil -p /var/db/dslocal/nodes/Default/users/<username>.plist

Account Info

sudo plutil -p /private/var/db/dslocal/nodes/Default/Users/<User>.plist

Contains name, profile name, password hint, account image, UID

Get UIDs of users (including services’ UIDs): /private/var/db/dslocal/nodes/Default/sqlindex (SQLite DB).
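The dslocal user plist shown above stores every attribute as a list, and the password hash lives in ShadowHashData as a nested binary plist. The following added example (not from the original notes) builds a constructed record in that layout and summarises it for triage: name, UID, whether a password hint is set, and the hash scheme and PBKDF2 iteration count, without printing hash material. The sample values are constructed; the key names assume the SALTED-SHA512-PBKDF2 layout used by modern macOS.

```python
import plistlib

# Constructed ShadowHashData: a nested binary plist keyed by hash scheme.
_SAMPLE_SHADOW = plistlib.dumps(
    {"SALTED-SHA512-PBKDF2": {
        "entropy": bytes(range(128)),   # constructed, not a real hash
        "salt": bytes(range(32)),       # constructed
        "iterations": 48000}},
    fmt=plistlib.FMT_BINARY)

# Constructed user record in the dslocal layout
# (/private/var/db/dslocal/nodes/Default/users/<user>.plist).
SAMPLE_USER_PLIST = plistlib.dumps({
    "name": ["analyst"],
    "realname": ["Analyst Account"],
    "uid": ["501"],
    "home": ["/Users/analyst"],
    "shell": ["/bin/zsh"],
    "hint": ["first pet"],
    "ShadowHashData": [_SAMPLE_SHADOW],
}, fmt=plistlib.FMT_BINARY)


def _first(record, key, default=None):
    """dslocal stores each attribute as a list; return its first value."""
    values = record.get(key)
    return values[0] if values else default


def parse_dslocal_user(raw):
    """Summarise a dslocal user record without exposing hash bytes."""
    record = plistlib.loads(raw)
    info = {
        "name": _first(record, "name"),
        "realname": _first(record, "realname"),
        "uid": int(_first(record, "uid", -1)),
        "home": _first(record, "home"),
        "shell": _first(record, "shell"),
        "hint_set": bool(_first(record, "hint")),  # a set hint is a risk signal
        "hash_schemes": [],
    }
    shadow = _first(record, "ShadowHashData")
    if shadow:
        for scheme, params in plistlib.loads(shadow).items():
            info["hash_schemes"].append({
                "scheme": scheme,
                "iterations": params.get("iterations"),
                "salt_len": len(params.get("salt", b"")),
                "entropy_len": len(params.get("entropy", b"")),
            })
    return info
```

Run it against a real record by reading the plist file bytes with root privileges instead of SAMPLE_USER_PLIST.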

Login History

sudo su
cd /private/var/log/asl 
cat BB.<date>.asl

BB.date.asl - Best before.

⚠ïļ When grabbing volumes from APFS system, better acquire Recovery volume as well, since it may contain account information as well (password hints, for example).

Tools 🛠: plutil (built-in on Macs).

Also, FSEvents can give you a lot of information. Tools 🛠: FSEventsParser.

Linux

/etc/passwd and /etc/shadow.