This command came in very handy on a recent pentest. Essentially this allows us to dump out the SAM and SYSTEM files on a compromised host, whilst also helping avoid A/V. It should be noted that this is a post exploitation task and assumes you have SYSTEM access to the host/or are using a privileged hash to authenticate from a remote system.
If you wish to perform this attack remotely you’ll need the relevant hash and wce to perform the following command:
wce.exe -s administrator:500:LMHASH:NTHASH -c cmd.exe
Then in the spawned window you can use the following:
PsExec.exe \%VICTIM_IP% reg save hklmsystem %LOCATION% & PsExec.exe \%VICTIM_IP% reg save hklmsam %LOCATION%
If you have local access you can obviously drop the wce and psexec sections.
If you have any issues accessing ADMIN$ etc you can always use the reg hack as described in a previous post.
Enjoy!