
Credential Dumping

Windows Password Hashes

Windows stores user account passwords in a special database called the Security Account Manager (SAM). Instead of saving passwords directly, it converts them into hashes using a mathematical process called hashing. Hashing transforms data into a fixed-length value using an algorithm; the result is called a hash or hash value.

For authentication, Windows relies on the Local Security Authority (LSA), which verifies user credentials against stored hashes.

Older Windows versions (up to Windows Server 2003) used two types of password hashes: LM (LAN Manager) and NTLM (NT LAN Manager). However, due to security weaknesses, LM hashing was disabled starting from Windows Vista, and only NTLM hashing has been used since then.

SAM Database

The Security Account Manager (SAM) is a database in Windows that manages user accounts and passwords. Instead of storing plain passwords, Windows hashes them for security.

The SAM database file is locked while the system is running, meaning it cannot be copied directly. Because of this, attackers often use in-memory techniques to extract password hashes from the LSASS (Local Security Authority Subsystem Service) process instead.

To improve security, modern Windows versions encrypt the SAM database using a syskey. Whether the hashes are taken from the SAM or from LSASS memory, extracting them requires administrative privileges.
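Because the page notes that hashes are read out of LSASS memory rather than copied from the locked SAM file, the defensive counterpart is watching for processes that open a handle to lsass.exe with memory-read rights. The following is an added example (not code from the original page): a minimal filter over Sysmon Event ID 10 (ProcessAccess) records, with constructed sample events, an assumed allow-list of legitimate readers, and the Windows constant PROCESS_VM_READ (0x0010) as the decisive access bit.

```python
"""Added example: flag handles to lsass.exe that carry PROCESS_VM_READ.
Reading another process's memory requires that access right, so its presence
on a handle from an unexpected source process is the signal worth alerting on.
Sample events below are constructed for the example, not real telemetry."""

PROCESS_VM_READ = 0x0010  # Win32 process access right needed to read memory

# Assumed allow-list of processes that legitimately touch LSASS; tune per host.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

SAMPLE_EVENTS = [  # constructed Sysmon Event ID 10 records
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 10, "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
]


def is_suspicious_lsass_access(event: dict) -> bool:
    """True when a non-allow-listed process obtained VM_READ on lsass.exe."""
    if event.get("EventID") != 10:
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return False
    # GrantedAccess is logged as a hex string; check only the VM_READ bit,
    # since query-only masks such as 0x1400 cannot read memory.
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return bool(granted & PROCESS_VM_READ)


def find_suspicious(events) -> list:
    """Return the source images of every event that trips the rule."""
    return [e["SourceImage"] for e in events if is_suspicious_lsass_access(e)]


if __name__ == "__main__":
    for src in find_suspicious(SAMPLE_EVENTS):
        print("suspicious LSASS access from", src)
```

The rule deliberately ignores the exact mask value and keys on the single bit that memory reads require; full-control masks (0x1FFFFF) from allow-listed system processes are expected, while a 0x1010 handle from a user-profile path is the case to investigate.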

LM (LanMan)

LAN Manager (LM) hashing was the default password hashing algorithm in Windows before Windows NT 4.0. It converts user passwords into hashes using a simple process:

  • The password is split into two chunks of seven characters each.

  • All letters are converted to uppercase, reducing complexity.

  • Each chunk is hashed separately using the DES (Data Encryption Standard) algorithm.

LM hashing is considered weak and outdated because it does not use salting, making it vulnerable to brute-force and rainbow table attacks. This is why modern Windows versions have disabled LM hashing by default.

NTLM (NTHash)

NTLM (NT LAN Manager) is a set of authentication protocols used in Windows to verify user identities. When a user logs in, their password is hashed and compared for authentication.

From Windows Vista onwards, LM hashing is disabled, and NTLM hashing is used instead. When a user account is created, the password is hashed using the MD4 algorithm, and the original password is discarded.

NTLM improves upon LM hashing by:

  • Not splitting passwords into chunks, making them harder to crack.

  • Being case-sensitive, increasing complexity.

  • Allowing symbols and Unicode characters, strengthening security.

While NTLM is an improvement over LM, it is still vulnerable to modern password attacks, leading to the adoption of stronger authentication methods like Kerberos.
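To make the LM and NTLM properties listed above concrete, here is an added example (not code from the original page) that computes an NT hash as MD4 over the UTF-16LE password and shows the LM preprocessing step (uppercase, pad to 14 bytes, split into two 7-byte halves). MD4 is implemented inline rather than taken from hashlib, because OpenSSL 3 builds of Python often do not expose it; the DES stage of LM is omitted, since the halves alone demonstrate the key-space reduction. Treating the LM input as Latin-1 is an assumption; real LM uses the system OEM code page.

```python
"""Added example: NT hash (MD4 over UTF-16LE) and LM preprocessing."""
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, returning the 16-byte digest."""
    msg = bytearray(data)
    msg.append(0x80)                      # padding: 1 bit, then zeros
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)  # bit length

    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                idx = (-i) % 4            # rotate through a, d, c, b
                x, y, z = v[(idx + 1) % 4], v[(idx + 2) % 4], v[(idx + 3) % 4]
                v[idx] = _rotl((v[idx] + fn(x, y, z) + X[k] + const) & MASK32,
                               shifts[i % 4])
        state = [(s + t) & MASK32 for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: MD4 of the UTF-16LE password. No salt, case preserved,
    any Unicode character allowed."""
    return md4(password.encode("utf-16-le")).hex()


LM_BLANK_HALF = b"\x00" * 7   # what a password of 7 chars or fewer leaves as its second half


def lm_halves(password: str):
    """LM preprocessing only: uppercase, Latin-1 (assumed; real LM uses the
    OEM code page), truncate or NUL-pad to 14 bytes, split into 7-byte halves.
    Each half would then be used as a DES key in the real algorithm."""
    raw = password.upper().encode("latin-1", errors="replace")[:14]
    raw = raw.ljust(14, b"\x00")
    return raw[:7], raw[7:]


if __name__ == "__main__":
    print("NT('password') =", nt_hash("password"))   # 8846f7eaee8fb117ad06bdd830b7586c
    print("NT case-sensitive:", nt_hash("password") != nt_hash("Password"))
    print("LM case-folded:", lm_halves("password") == lm_halves("PASSWORD"))
    print("LM short-password half blank:", lm_halves("secret")[1] == LM_BLANK_HALF)
```

Two things the output makes visible: the NT hash of a given password is identical on every machine (no salt), which is why precomputed tables and pass-the-hash work against it, and LM folds case and splits the input so that each half is at most a 7-character uppercase search, with any password of 7 characters or fewer leaving a constant second half.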


Last updated 4 months ago
