SAM Dumping

SAM stands for Security Account Manager, the Windows component that manages all user accounts and their passwords and starts up on boot. The passwords are hashed, and the hashes are stored in SAM. The LSA (Local Security Authority) is responsible for verifying user logins by matching password hashes against the database maintained in SAM. By default, Windows does not provide any functionality to extract the hashes of local users while it is booted. However, these credentials can be extracted by reading them from the SAM hive and from memory. The samdump command can be used to dump the NTLM and LM hashes of all local users on the current host. If this command is run on a Domain Controller, it will dump the hashes for all users, including the password history.
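
Because the extraction described above works by reading the SAM hive, access to SAM registry keys by anything other than the expected system process is a useful detection signal. The following Python is an added example, not code from the original page or from the tool it describes: it flags such access in constructed records shaped like Windows Security event 4663. It assumes object-access auditing is enabled on the SAM key and that lsass.exe is the only expected reader; the host, user and process names are made up.

```python
from collections import defaultdict

SAM_ROOT = r"\REGISTRY\MACHINE\SAM"
# Assumption: lsass.exe is the only process expected to open SAM keys here.
ALLOWED = {r"c:\windows\system32\lsass.exe"}

# Constructed sample records; field names follow Security event 4663.
USERS = SAM_ROOT + r"\SAM\Domains\Account\Users"
SAMPLE_EVENTS = [
    {"EventID": 4663, "Computer": "WS01", "SubjectUserName": "WS01$",
     "ProcessName": r"C:\Windows\System32\LSASS.EXE",
     "ObjectType": "Key", "ObjectName": USERS},
    {"EventID": 4663, "Computer": "WS01", "SubjectUserName": "alice",
     "ProcessName": r"C:\Users\Public\tool.exe",
     "ObjectType": "Key", "ObjectName": USERS + r"\000001F4"},
    {"EventID": 4663, "Computer": "WS01", "SubjectUserName": "alice",
     "ProcessName": r"C:\Users\Public\tool.exe",
     "ObjectType": "Key", "ObjectName": USERS + r"\000003E9"},
    {"EventID": 4663, "Computer": "WS01", "SubjectUserName": "alice",
     "ProcessName": r"C:\Users\Public\tool.exe",
     "ObjectType": "Key", "ObjectName": r"\REGISTRY\MACHINE\SAMPLE"},
    {"EventID": 4624, "Computer": "WS01", "SubjectUserName": "alice"},
]


def touches_sam(event):
    """True for a 4663 registry-key access at or below the SAM hive root."""
    if event.get("EventID") != 4663 or event.get("ObjectType") != "Key":
        return False
    name = event.get("ObjectName", "").upper()
    # Require a path separator so \REGISTRY\MACHINE\SAMPLE does not match.
    return name == SAM_ROOT or name.startswith(SAM_ROOT + "\\")


def find_sam_readers(events, allowed=ALLOWED):
    """Group SAM key accesses by (host, user, process), skipping allowed ones."""
    hits = defaultdict(set)
    for ev in events:
        proc = ev.get("ProcessName", "").lower()
        if touches_sam(ev) and proc not in allowed:
            hits[(ev["Computer"], ev["SubjectUserName"], proc)].add(ev["ObjectName"])
    return {key: sorted(names) for key, names in hits.items()}


if __name__ == "__main__":
    for (host, user, proc), keys in find_sam_readers(SAMPLE_EVENTS).items():
        print(f"{host}: {user} ran {proc}, touched {len(keys)} SAM key(s)")
```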