What data can Meterpreter extract from the Windows SAM?
In Ethical Hacking: Meterpreter, DNS & ICMP Attacks, learn how the Windows SAM stores usernames and hashed passwords, how attackers extract these credentials post-exploitation, and how to defend against SAM dumping.
Question
What kind of data can be extracted from the Windows SAM database?
A. System log events
B. Antivirus signatures
C. Application license keys
D. Usernames and hashed passwords
Answer
D. Usernames and hashed passwords
Explanation
SAM is the central repository of credential hashes. The Windows Security Account Manager (SAM) database stores local user account names and their credential hashes (NTLM), which attackers target for offline cracking or pass-the-hash operations.
What SAM contains
SAM maintains local account metadata and NTLM password hashes tied to Security Identifiers (SIDs) and Relative IDs (RIDs).
On disk it resides at C:\Windows\System32\config\SAM and is also loaded at runtime under HKLM\SAM; the hashes are protected by system keys derived from the SYSTEM hive and DPAPI mechanisms.
How attackers extract it (exam context)
Common approaches include Volume Shadow Copy abuse, live registry hive export (e.g., reg save of SAM and SYSTEM), and offline imaging for hash extraction.
Post-exploitation tools often use functions akin to “hashdump” or “secretsdump” to derive NTLM hashes from SAM using the SYSTEM hive boot key; Meterpreter modules can automate this in-memory.
Why it matters in Meterpreter workflows
With NTLM hashes, attackers can attempt pass-the-hash lateral movement, privilege escalation, or offline cracking to recover plaintext passwords.
On domain-joined endpoints, SAM yields local accounts only; domain credentials reside in ntds.dit on Domain Controllers, which require different collection methods.
Incorrect options
A. System log events: Stored in Windows Event Logs (e.g., Security, System), not in SAM.
B. Antivirus signatures: Maintained by AV/EDR products in their own directories, not SAM.
C. Application license keys: Typically in application-specific registry paths or files, not in SAM.
Defensive notes
Enable LSA Protection and Credential Guard; restrict SeBackupPrivilege and interactive admin use.
Monitor and block VSS abuse, registry hive exports, and suspicious access to SAM/SYSTEM hives; deploy EDR with memory forensics and tamper protection.
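The monitoring points above (hive exports, shadow-copy creation, untrusted processes touching the SAM/SYSTEM hives) as a small detection rule set. This is an added example, not code from the course; the event records are constructed, loosely modelled on Sysmon Event ID 1 (process creation) and Windows Security Event ID 4663 (object access), and the trusted-process allowlist is an assumption to tune per environment.

```python
import re

# Constructed sample records for the demo (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg save HKLM\SAM C:\Users\Public\sam.hiv", "user": "CORP\\jdoe"},
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin create shadow /for=C:", "user": "CORP\\jdoe"},
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "cmd": "svchost.exe -k netsvcs", "user": "NT AUTHORITY\\SYSTEM"},
    {"id": 4663, "image": r"C:\Temp\tool.exe",
     "object": r"C:\Windows\System32\config\SAM", "user": "CORP\\jdoe"},
    {"id": 4663, "image": r"C:\Windows\System32\lsass.exe",
     "object": r"C:\Windows\System32\config\SAM", "user": "NT AUTHORITY\\SYSTEM"},
]

# reg save of the SAM, SYSTEM or SECURITY hive, with or without the HKLM\ prefix.
HIVE_EXPORT = re.compile(r"\breg(?:\.exe)?\s+save\s+(?:hklm\\)?(?:sam|system|security)\b", re.I)
# Shadow copy creation, a common way to read locked hive files.
SHADOW_COPY = re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b", re.I)
# Direct access to the on-disk hive files.
HIVE_PATH = re.compile(r"\\system32\\config\\(?:sam|system|security)$", re.I)
# Processes expected to touch the hives on a healthy host (assumed allowlist, tune per site).
TRUSTED_IMAGES = {r"c:\windows\system32\lsass.exe", r"c:\windows\system32\services.exe"}


def classify(event):
    """Return a detection label for one event, or None if it looks benign."""
    if event["id"] == 1:
        cmd = event.get("cmd", "")
        if HIVE_EXPORT.search(cmd):
            return "registry-hive-export"
        if SHADOW_COPY.search(cmd):
            return "shadow-copy-creation"
    elif event["id"] == 4663:
        if HIVE_PATH.search(event.get("object", "")) and \
                event["image"].lower() not in TRUSTED_IMAGES:
            return "untrusted-hive-access"
    return None


def detect(events):
    """Return (label, user) pairs for every event that matches a rule."""
    hits = []
    for event in events:
        label = classify(event)
        if label:
            hits.append((label, event["user"]))
    return hits


if __name__ == "__main__":
    for label, user in detect(SAMPLE_EVENTS):
        print(f"ALERT {label} by {user}")
```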