Windows Hashes
Dumping SAM Files
A very common way of capturing password hashes on Windows systems is to dump the Security Account Manager (SAM) database. The SAM is a registry hive, stored on disk as %SystemRoot%\System32\config\SAM, present on every NT-based Windows release (XP, Vista, 7, 8.1, 10 and the corresponding Server versions). It holds the local user accounts and the hashes of their passwords (never the passwords themselves), and those hashes are what Windows checks when a local account logs on, whether interactively at the console or remotely over the network (for example via SMB). Domain accounts are not in the SAM; they live in NTDS.dit on the domain controllers. The hashes inside the SAM are additionally encrypted with the boot key kept in the SYSTEM hive, which is why offline extraction always needs both hives.
LM
Windows versions up to XP and Server 2003 store, alongside the NT hash, a very weak hash called LM (LanMan or LAN Manager). LM converts the password to uppercase, truncates or null-pads it to 14 bytes, splits it into two 7-byte halves and uses each half as a DES key to encrypt a fixed constant; the two 8-byte results are concatenated. It uses no salt, and because each half can be attacked independently the effective search space is that of a 7-character uppercase password, so LM hashes fall quickly to rainbow tables. Passwords of 7 characters or fewer are even easier to spot: the second half of the hash is always the constant aad3b435b51404ee. LM authentication is extremely insecure and should never be used, but chances are that you will still encounter it on legacy systems such as Windows 95, 98 and ME (which only speak LM) and on newer machines where the NoLMHash policy has not been applied.
NTLM
From Windows Vista and Server 2008 onward, LM storage is disabled by default and only the NT hash (usually called the NTLM hash) is kept. The NT hash is the MD4 digest of the password encoded as UTF-16LE, so it supports all Unicode characters, is case sensitive and is not split into 7-character halves. Although NTLM is an improvement on LM it still does not use a salt: identical passwords produce identical hashes, which makes NT hashes vulnerable to rainbow table and brute force attacks, and an NT hash can also be used as-is to authenticate (pass-the-hash) without ever cracking it.
The SAM hive cannot be copied while Windows is running because the operating system keeps it open with an exclusive lock. The usual workarounds are to read the hashes out of the registry or out of LSASS memory with SYSTEM privileges using one of the tools below, or, as an administrator, to export the hives with reg save HKLM\SAM and reg save HKLM\SYSTEM (or take them from a Volume Shadow Copy) and decrypt them offline, for example with impacket's secretsdump.py. In either case the SYSTEM hive is required, because the hashes in the SAM are encrypted with the boot key stored there.
Hashdump
Using Meterpreter on a session running as SYSTEM (run getsystem first if the session is not), the hashdump command reads the hashes from the registry and prints one account per line in pwdump format: username:RID:LM hash:NT hash:::. An LM field of aad3b435b51404eeaad3b435b51404ee means no LM hash is stored for that account. The post/windows/gather/hashdump module produces the same output and can be run against any session from the Metasploit console.
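The following is an added example, not code from this page or from any of the tools it lists. It computes the NT hash from scratch (a pure-Python MD4 over the UTF-16LE password, since hashlib's md4 is often unavailable on OpenSSL 3 builds), parses hashdump-format output, and cracks it with a lookup table built from a wordlist. Because the hash is unsalted, one table serves every account, and two accounts with the same password show the same hash. The hashdump lines and the wordlist are constructed for this example; the hashes for "password" and for the empty password are the standard values.

```python
import struct

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored


def _rotl(x, n):
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320; the NT hash is MD4(UTF-16LE(password))."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)

    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                      # round 1
            a = _rotl(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                      # round 2
            a = _rotl(a + g(b, c, d) + x[r2[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                      # round 3
            a = _rotl(a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash: no salt, no iterations, so equal passwords give equal hashes."""
    return md4(password.encode("utf-16le")).hex()


def parse_hashdump(text: str):
    """Parse pwdump-format lines (user:RID:LM:NT:::) as printed by hashdump."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, rid, lm, nt = line.split(":")[:4]
        records.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
                        "lm_stored": lm.lower() != EMPTY_LM})
    return records


def crack_nt(records, wordlist):
    """Build the hash->word table once; unsalted hashes mean it cracks every account."""
    table = {nt_hash(w): w for w in wordlist}
    return {r["user"]: table.get(r["nt"]) for r in records}


# Constructed sample output; the last line carries a constructed LM/NT pair so that
# the LM-stored flag and the "not in wordlist" case are both exercised.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
legacy:1002:deadbeefdeadbeefdeadbeefdeadbeef:0123456789abcdef0123456789abcdef:::
"""

if __name__ == "__main__":
    recs = parse_hashdump(SAMPLE_HASHDUMP)
    found = crack_nt(recs, ["123456", "password", "Summer2019!", ""])   # constructed wordlist
    for r in recs:
        print(f"{r['user']:<14} NT={r['nt']} LM stored={r['lm_stored']} -> {found[r['user']]!r}")
```

Administrator and svc_backup share a hash, so cracking one cracks both; the Guest line is the well-known hash of the empty password, which is worth recognising on sight in any dump; the legacy account is flagged because its LM field is not the empty-LM constant, meaning the far weaker LM hash is also available to attack.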
fgdump
fgdump is an enhanced successor to pwdump. Run as an administrator, it injects into LSASS to dump the LM and NT hashes of local accounts (including password histories), and additionally dumps cached domain credentials and LSA secrets; it tries to stop antivirus before injecting and can target remote hosts using alternate credentials. Expect current endpoint protection to detect and block it.
pwdump
pwdump (pwdump6 and the later pwdump7) extracts the LM and NT hashes of local accounts with administrative rights, pwdump6 by injecting into LSASS and pwdump7 by reading the SAM and SYSTEM hive files directly through its own file system driver, which bypasses the lock. Output is the user:RID:LM hash:NT hash::: format accepted by most cracking tools.
Windows Credentials Editor (WCE)
Windows Credentials Editor lists, adds, changes and deletes the NTLM credentials of the logon sessions held in LSASS memory (wce -l lists them), which also lets it perform pass-the-hash on the local machine; on older systems where the WDigest provider still caches cleartext passwords it recovers those as well (wce -w). It needs administrator or SYSTEM privileges.
Mimikatz
Mimikatz reads credentials straight from LSASS memory. After privilege::debug, sekurlsa::logonpasswords prints the NT hashes and Kerberos keys of every logged-on user and, on systems where WDigest caching is still enabled (the default before Windows 8.1 and Server 2012 R2), their cleartext passwords; after token::elevate, lsadump::sam dumps the SAM hashes directly from the registry, and sekurlsa::pth starts a process with an NT hash (pass-the-hash). It requires administrator or SYSTEM privileges and is detected by virtually every antivirus product, so it is usually run from memory or rebuilt from source.