Dumping the contents of the SAM database
Security Accounts Manager (SAM) is a database in the Windows operating system that contains usernames and passwords; the passwords are stored in a hashed format in a registry hive, either as an LM hash or as an NTLM hash. This file can be found in %SystemRoot%/system32/config/SAM and is mounted on HKLM/SAM. In this recipe, you will learn about some of the most common ways to dump local user accounts from the SAM database.
Getting ready
We will start in a Meterpreter session on the Metasploitable 3 target machine, running with system privileges.
How to do it...
- First, we will start with the classic Meterpreter hashdump command:
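Dumped SAM entries are conventionally printed one account per line as username:RID:LM hash:NT hash:::. The Python below is an added example, not part of the original recipe: it reviews such lines from the defender's side and flags blank passwords, accounts that still have an LM hash stored, and accounts sharing one NT hash. The account names and hash values in SAMPLE are constructed, apart from the two well-known empty-password constants, and the function names are hypothetical.

```python
# Added example: audit pwdump-style lines (username:RID:LM:NT:::).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
HEX = set("0123456789abcdef")

# Constructed sample input; hashes other than the two constants are made up.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy_svc:1003:00112233445566778899aabbccddeeff:ffeeddccbbaa99887766554433221100:::
backup1:1004:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
not a hash line
"""

def parse_line(line):
    """Return (user, rid, lm, nt), or None if the line is not in pwdump layout."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    lm, nt = parts[2].lower(), parts[3].lower()
    if any(len(h) != 32 or not set(h) <= HEX for h in (lm, nt)):
        return None
    return parts[0], int(parts[1]), lm, nt

def audit(text):
    """Return a list of (account, finding) tuples for weak credential storage."""
    findings, by_nt = [], {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip banners, blank lines and anything malformed
        user, _rid, lm, nt = rec
        if nt == EMPTY_NT:
            findings.append((user, "blank password"))
        else:
            by_nt.setdefault(nt, []).append(user)
        if lm != EMPTY_LM:
            # A real LM hash is present: the weak legacy format is still stored.
            findings.append((user, "LM hash stored"))
    # NT hashes are unsalted, so equal hashes mean equal passwords.
    for users in by_nt.values():
        if len(users) > 1:
            findings.append((", ".join(users), "same NT hash"))
    return findings

if __name__ == "__main__":
    for account, finding in audit(SAMPLE):
        print(f"{account}: {finding}")
```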
Because most post-exploitation tasks are being placed in their own post-exploitation modules, let's take a look at the available options. The first module we will check is the Windows Gather Local User Account Password Hashes (Registry) post-exploitation module, which will dump the local user accounts from the SAM database using the...