Security Account Manager

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database, either through in-memory techniques or through the Windows Registry, where the SAM database is stored. The SAM is a database file that contains the local accounts for the host, typically those listed by the net user command. Enumerating the SAM database requires SYSTEM-level access.

A number of tools can be used to retrieve the SAM file through in-memory techniques:

· pwdumpx.exe

· gsecdump

· Mimikatz

· secretsdump.py

Alternatively, the SAM can be extracted from the Registry with reg (the SYSTEM hive is needed as well, because it holds the boot key used to decrypt the SAM):

· reg save HKLM\sam sam

· reg save HKLM\system system

creddump7 can then be used to process the saved SAM and SYSTEM hives locally to retrieve the hashes.

Notes: The RID 500 account is the local, built-in Administrator. RID 501 is the Guest account. User accounts start with a RID of 1,000 or higher.

Example

In this demo we will work with secretsdump and mimikatz, two tools that work very well for achieving these goals; we will also work with the Registry to obtain the hashes from the saved hives.

For example, with secretsdump we will attack the DC. On this occasion we will use Domain Admin credentials and have it dump the hashes of the entire Domain.

Above we see the technique succeed, but be aware that this will NOT dump local accounts, only Domain accounts.

What about mimikatz? It can dump the SAM and grab credentials as well. For this attack to be effective we will need to dump the SAM database from the Registry first.

Once mimikatz is running we start with privilege::debug.

Then we elevate our privileges to SYSTEM using token::elevate.

Then finally we grab the creds from the files we saved from the Registry.
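From the defender's side, both routes described on this page leave the same two artifacts in process-creation telemetry (Sysmon Event ID 1 or Security 4688 style): a reg save of the SAM or SYSTEM hive, and the mimikatz module commands named in the demo. The following Python is an added example, not part of the original page or of any tool it names: it scans constructed process-creation events, normalizes the many spellings of the hive path (reg vs. reg.exe vs. full path, HKLM vs. HKEY_LOCAL_MACHINE, any letter case), and correlates per host, since a host where both SAM and SYSTEM were exported has everything needed to recover local hashes offline. The event records, host names and field names are assumptions for the example, not a real SIEM schema.

```python
"""Detect SAM/SYSTEM hive export via reg save and mimikatz SAM-dump commands
in process-creation events. Added example; events below are constructed."""
import re
from collections import defaultdict

# Hives that together yield local account hashes: SAM needs the boot key
# from SYSTEM to be decrypted; SECURITY holds LSA secrets and cached creds.
SENSITIVE_HIVES = {"SAM", "SYSTEM", "SECURITY"}
# Top-level hive name after HKLM\ or HKEY_LOCAL_MACHINE\, any case.
HIVE_RE = re.compile(r"^(?:HKLM|HKEY_LOCAL_MACHINE)\\([A-Za-z]+)(?:\\.*)?$",
                     re.IGNORECASE)
# Mimikatz module commands named on this page, matched case-insensitively.
MIMIKATZ_CMDS = ("privilege::debug", "token::elevate")
# Split a Windows command line on whitespace, keeping quoted arguments whole.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def split_cmdline(cmdline):
    """Tokenize a command line and strip surrounding quotes from each token."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def hive_saved_by_reg(cmdline):
    """Return the upper-cased hive name if the command line is a `reg save`
    of a sensitive hive, otherwise None."""
    toks = split_cmdline(cmdline)
    for i, tok in enumerate(toks[:-2]):
        # Image name without directory, so "reg", "reg.exe" and a full path all match.
        exe = tok.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in ("reg", "reg.exe") and toks[i + 1].lower() == "save":
            m = HIVE_RE.match(toks[i + 2])
            if m and m.group(1).upper() in SENSITIVE_HIVES:
                return m.group(1).upper()
            return None  # reg save of a non-sensitive hive (e.g. a policy backup)
    return None


def mimikatz_commands(cmdline):
    """Return the mimikatz module commands present in a command line."""
    low = cmdline.lower()
    return [c for c in MIMIKATZ_CMDS if c in low]


def scan_events(events):
    """Return (findings, correlated_hosts). A finding is (host, label, cmdline);
    correlated_hosts lists hosts where both SAM and SYSTEM were exported."""
    findings = []
    hives_by_host = defaultdict(set)
    for ev in events:
        hive = hive_saved_by_reg(ev["cmdline"])
        if hive:
            hives_by_host[ev["host"]].add(hive)
            findings.append((ev["host"], "reg_save_hive:" + hive, ev["cmdline"]))
        for cmd in mimikatz_commands(ev["cmdline"]):
            findings.append((ev["host"], "mimikatz:" + cmd, ev["cmdline"]))
    correlated = sorted(h for h, hives in hives_by_host.items()
                        if {"SAM", "SYSTEM"} <= hives)
    return findings, correlated


# Constructed sample events (hostnames, users and paths are made up).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe",
     "cmdline": r"reg save HKLM\sam sam"},
    {"host": "WS01", "user": "CORP\\jdoe",
     "cmdline": r'"C:\Windows\System32\reg.exe" SAVE HKEY_LOCAL_MACHINE\SYSTEM C:\Users\Public\system.hiv /y'},
    {"host": "WS02", "user": "CORP\\backup",
     "cmdline": r"reg save HKLM\SOFTWARE\Policies C:\Backup\policies.hiv"},
    {"host": "WS02", "user": "CORP\\helpdesk",
     "cmdline": r"reg query HKLM\SYSTEM\CurrentControlSet\Services\W32Time"},
    {"host": "WS03", "user": "CORP\\svc",
     "cmdline": r'mimikatz.exe "privilege::debug" "token::elevate" exit'},
]

if __name__ == "__main__":
    found, hosts = scan_events(SAMPLE_EVENTS)
    for host, label, cmd in found:
        print(f"{host}: {label}: {cmd}")
    print("hosts with both SAM and SYSTEM exported:", hosts)
```

The SOFTWARE\Policies backup and the reg query on WS02 produce no finding, which keeps routine administration out of the alert stream; WS01 is reported once per hive and once more as a correlated host because both hives left together.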

Another tool I encountered was PWDUMP from BlackArch Linux. It requires the same two files, SAM and SYSTEM, from the Registry and will dump the hashes, but be sure to use the correct order: the SYSTEM file first and then the SAM file.

I do encourage you to try other tools to achieve this goal as well, as there is a plethora of them out there. Good luck.
