Credential Dumping
Windows Password Hashes
Windows stores user account passwords in a special database called the Security Accounts Manager (SAM). However, instead of saving passwords directly, it stores hashes of them, produced by a one-way mathematical process called hashing. Hashing transforms input data into a fixed-length value using an algorithm, and the result is called a hash or hash value.
For authentication, Windows relies on the Local Security Authority (LSA), which verifies user credentials against stored hashes.
Older Windows versions (up to Windows Server 2003) used two types of password hashes: LM (LAN Manager) and NTLM (NT LAN Manager). However, due to security weaknesses, LM hashing was disabled starting from Windows Vista, and only NTLM hashing has been used since then.
SAM Database
The Security Account Manager (SAM) is a database in Windows that manages user accounts and passwords. Instead of storing plain passwords, Windows hashes them for security.
The SAM database file is locked while the system is running, meaning it cannot be copied directly. Because of this, attackers often use in-memory techniques to extract password hashes from the LSASS (Local Security Authority Subsystem Service) process instead.
To improve security, modern Windows versions encrypt the SAM database using a syskey. Accessing LSASS and extracting hashes from it also requires administrative privileges.
LM (LanMan)
LAN Manager (LM) hashing was the default password hashing algorithm in Windows before NT4.0. It converts user passwords into hashes using a simple process:
The password is split into two chunks of seven characters each.
All letters are converted to uppercase, reducing complexity.
Each chunk is hashed separately using the DES (Data Encryption Standard) algorithm.
LM hashing is considered weak and outdated because it does not use salting, making it vulnerable to brute-force and rainbow table attacks. This is why modern Windows versions have disabled LM hashing by default.
NTLM (NTHash)
NTLM (NT LAN Manager) is a set of authentication protocols used in Windows to verify user identities. When a user logs in, their password is hashed and compared for authentication.
From Windows Vista onwards, LM hashing is disabled, and NTLM hashing is used instead. When a user account is created, the password is hashed using the MD4 algorithm, and the original password is discarded.
NTLM improves upon LM hashing by:
Not splitting passwords into chunks, making them harder to crack.
Being case-sensitive, increasing complexity.
Allowing symbols and Unicode characters, strengthening security.
While NTLM is an improvement over LM, it is still vulnerable to modern password attacks, leading to the adoption of stronger authentication methods like Kerberos.