SAM Files
The Security Account Manager (SAM) file in Windows is a database file that stores user accounts and security descriptors for users on the local computer. It contains hashed passwords, which are used to authenticate users logging onto the system. The SAM file is stored in the Windows system directory, specifically at C:\Windows\System32\config\SAM. Access to the SAM file is restricted to protect this sensitive information, and it's further encrypted by tools like the Local Security Authority (LSA).
To ensure security, the SAM file is typically inaccessible while the system is running. However, it can be accessed with administrative privileges in offline scenarios, making it a target for attacks if proper security measures aren't implemented.
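The access restriction described above can be verified on a host. The following script is an added example, not part of the original page: it reads the ACL on the SAM path given above and reports any principal other than SYSTEM and Administrators that is allowed to read it. The expected-principal list and the exit codes are assumptions of this example, and it must be run from an elevated PowerShell session.

```powershell
# Added example: audit who is granted read access to the SAM hive file.
param(
    [string]$Path = 'C:\Windows\System32\config\SAM'   # path given on this page
)

# Assumption: only these principals are expected to hold read access.
$expected = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'   # BUILTIN\Administrators
)

# ReadData plus the unmapped GENERIC_READ (0x80000000) and GENERIC_ALL (0x10000000) bits.
$readMask = [int][System.Security.AccessControl.FileSystemRights]::ReadData -bor 0x80000000 -bor 0x10000000

try {
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
} catch {
    Write-Error "Could not read the ACL on ${Path}: $($_.Exception.Message)"
    exit 2
}

# Resolve every ACE to a SID so the check does not depend on the OS display language.
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$unexpected = foreach ($rule in $rules) {
    $isAllow = $rule.AccessControlType -eq 'Allow'
    $canRead = ([int]$rule.FileSystemRights -band $readMask) -ne 0
    if ($isAllow -and $canRead -and ($expected -notcontains $rule.IdentityReference.Value)) {
        [pscustomobject]@{
            Sid       = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

if ($unexpected) {
    Write-Warning "Principals beyond SYSTEM and Administrators can read $Path"
    $unexpected | Format-Table -AutoSize
    exit 1
}
Write-Output "OK: only expected principals hold read access to $Path"
```

An entry for a SID such as S-1-5-32-545 (BUILTIN\Users) in the output means ordinary local users can read the file and the ACL should be corrected.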
SAM files are encrypted, so they cannot be read by a user simply opening the file. This is for security purposes: the SAM files contain password hashes. When a user goes to log in to a system, the password is hashed and compared against the SAM file's hash.
Attackers would want to crack SAM files because the files contain the user's password to the system. Ways to crack the password include brute force, password lists, and rainbow tables. Some programs people might use are Mimikatz, Hashcat, and DSInternals. One issue with Mimikatz, however, is that it is great if the system has AV turned off. Hashcat is great if you have a fast computer or a great word list to put against it. DSInternals is a great AD manager and framework. I won't go into too much detail because of how advanced it is. However, the tool is very powerful and great if you have a strong understanding of AD.