How to dump the Windows SAM file while the system is running?
There is a simpler solution which doesn't need to manage shadow volumes or use external tools. You can simply copy SAM and SYSTEM with the reg
command provided by microsoft (tested on Windows 7 and Windows Server 2008):
reg save hklm\sam c:\sam
reg save hklm\system c:\system
(the last parameter is the location where you want to copy the file)
You can then extract the hashes on a Linux system with package samdump2 (available on Debian: apt-get install samdump2
):
$ samdump2 system sam
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c0e2874fb130015aec4070975e2c6071:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:d0c0896b73e0d1316aeccf93159d7ec0:::
It's not a permission issue – Windows keeps an exclusive lock on the SAM file (which, as far as I know, is standard behavior for loaded registry hives), so it is impossible for any other process to open it.
However, recent Windows versions have a feature called "Volume Shadow Copy", which is designed to create read-only snapshots of the entire volume, mostly for backups. The file locks are there to ensure data consistency, so they are unnecessary if a snapshot of the entire filesystem is made. This means that it is possible to create a snapshot of C:
, mount it, copy your SAM
file, then discard the snapshot.
How exactly to do this depends on your Windows version: XP needs an external program, Vista and 7 have vssadmin create shadow
, and Server 2008 has the diskshadow
command. The page Safely Dumping Hashes from Live Domain Controllers has more details on this process, as well as instructions and scripts.
Alternatively, there are tools such as samdump
which abuse the LSASS process from various directions in order to extract all password hashes directly from memory. They might be much faster than VSS snapshots, but have a higher risk of crashing the system.
Finally, Google brings out this snippet, whose usefulness I cannot rate having never used metasploit myself:
meterpreter> use priv
meterpreter> hashdump
Edit: I decided to edit after many years of abandonment.
The Windows SAM file is locked from copying/reading unlike /etc/shadow
on Linux systems. Instead, to get around this tools will extract hashes from memory.
There are ways to get around this that I'll cover below:
Mimikatz
Run mimikatz with sekurlsa::logonpasswords
.
fgdump
Similar functionality as mimikatz. Run it, and hashes will be dumped to local files.
hashdump
Built into meterpreter; extracts hashes from memory.
Registry
It's also possible to extract from the registry (if you have SYSTEM
access):
reg save hklm\sam %tmp%/sam.reg
andreg save hklm\system %tmp%/system.reg
- Copy the files, and then run:
samdump2 system sam
Backups
SAM file can also be stored in a backup location: C:\Windows\Repair\SAM
I should also mention that the tools will at a minimum require Administrator
privileges; and most will not get all hashes unless SYSTEM
access is attained.