Hash Dumping

SAM (Security Accounts Manager) is a database file stored in C:\Windows\System32\config. It is used to authenticate local and remote users and applies cryptographic measures to prevent unauthenticated users from accessing the system. On a Domain Controller, it simply stores password hashes under HKEY_LOCAL_MACHINE\SAM.

  • All the hashed user account passwords are stored in the SAM database

  • The SAM db file cannot be copied while the OS is running

  • The SAM db is encrypted with the SysKey

🗒️ Hashing - the process of transforming any given piece of data into another value, using a hash function that generates the new value according to an algorithm.

  • the result is called hash/hash value

Storing passwords locally is a big security risk, especially if they are stored unencrypted as clear-text strings.

  • LM and NTLM are two types of hashes, utilized in versions up to Windows Server 2003

  • Only NTLM is used from Windows Vista onwards

🗒️ LSA (Local Security Authority) - the central component of the Windows security subsystem, responsible for enforcing the security policy of the system, e.g. authentication, credentials verification, etc.

The Windows NT Kernel keeps the SAM database file locked.

  • An attacker utilizes in-memory attack techniques and hash dumping tools to interact with the LSASS process

Elevated privileges are required for LSASS process interaction.

Password Hashes

🗒️ LM - default hashing algorithm implemented in Windows prior to NT4.0

  • outdated and weak protocol, easily crackable

  • disabled by default since Windows Vista/Server 2008

🗒️ NTLM (NTHash) - a collection of authentication protocols and the currently used algorithm for storing passwords on modern Windows systems.

  • Algorithm - the password is hashed with the MD4 algorithm and the original password is discarded

    • The hash is not split

    • It is case sensitive

    • Allows symbols and Unicode characters

    • NTLMv1, NTLMv2 - challenge response protocols used for authentication in Windows environments

  • NTLM (NT) hashes have no password salt - they can be cracked through brute-force or dictionary attacks.

Pass-the-hash (PtH) is an exploitation technique that involves harvesting NTLM hashes and reusing them to authenticate with the target legitimately.

  • It allows legitimate access to the target system without exploitation

  • An Administrator user's NTLM hash remains useful after a service has been patched or disabled and can no longer be exploited
