sam
$ target-query <path/to/target> -f sam
Module documentation
SAM plugin.
- References:
  - MS-SAMR Specification
  - Reversing samsrv.dll
Function documentation
Dump SAM entries
The Security Account Manager (SAM) registry hive contains registry keys that store usernames, full names and passwords in a hashed format, either an LM or NT hash.
- References:
- Yields SamRecords with fields:
  - rid (uint32): The RID.
  - fullname (string): Parsed fullname.
  - username (string): Parsed username.
  - admincomment (string): Parsed admin comment.
  - usercomment (string): Parsed user comment.
  - lastlogin (datetime): Parsed last login date.
  - lastpasswordset (datetime): Parsed last password set date.
  - lastincorrectlogin (datetime): Parsed last incorrect login date.
  - flags (uint32): Parsed flags.
  - countrycode (uint16): Parsed country code (international country calling code).
  - failedlogins (uint32): Parsed failed logins, reset after successful login.
  - logins (uint32): Parsed logins (max 0xFFFF = 65535).
  - lm (string): Parsed LM-hash.
  - nt (string): Parsed NT-hash.
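
An account-hygiene triage over records carrying the fields listed above, as an added example that is not part of the plugin or its project. The records are constructed stand-ins (`SimpleNamespace` objects), the names `audit`, `report` and `_rec` are hypothetical, and it is an assumption that `flags` holds the MS-SAMR USER_ACCOUNT control bits.

```python
from datetime import datetime, timedelta, timezone
from types import SimpleNamespace

# Well-known LM/NT hashes of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Assumption: `flags` holds MS-SAMR USER_ACCOUNT control bits.
USER_ACCOUNT_DISABLED = 0x0001
USER_PASSWORD_NOT_REQUIRED = 0x0004
USER_DONT_EXPIRE_PASSWORD = 0x0200

def audit(rec, now, max_age=timedelta(days=365)):
    """Return hygiene findings for one record with the SamRecord fields."""
    lm, nt = (rec.lm or "").lower(), (rec.nt or "").lower()
    findings = []
    if lm and lm != EMPTY_LM:
        findings.append("lm-hash-stored")  # legacy LM hash still present
    if rec.flags & USER_ACCOUNT_DISABLED:
        return findings  # remaining checks only matter for enabled accounts
    if nt in ("", EMPTY_NT):
        findings.append("blank-or-missing-nt-hash")
    if rec.flags & USER_PASSWORD_NOT_REQUIRED:
        findings.append("password-not-required")
    if rec.flags & USER_DONT_EXPIRE_PASSWORD:
        findings.append("password-never-expires")
    if rec.lastpasswordset and now - rec.lastpasswordset > max_age:
        findings.append("stale-password")
    return findings

def report(records, now):
    """Map username -> findings, skipping accounts with none."""
    out = {r.username: audit(r, now) for r in records}
    return {user: f for user, f in out.items() if f}

def _rec(rid, username, flags, lm, nt, lastpasswordset):
    return SimpleNamespace(rid=rid, username=username, flags=flags,
                           lm=lm, nt=nt, lastpasswordset=lastpasswordset)

UTC = timezone.utc
# Constructed sample records (not real accounts or hashes).
SAMPLES = [
    _rec(500, "Administrator", 0x211, EMPTY_LM, EMPTY_NT, None),
    _rec(1001, "svc_backup", 0x210, "1" * 32, "0123456789abcdef" * 2,
         datetime(2019, 3, 1, tzinfo=UTC)),
    _rec(1002, "kiosk", 0x014, "", EMPTY_NT, datetime(2023, 12, 1, tzinfo=UTC)),
]

if __name__ == "__main__":
    for user, findings in report(SAMPLES, datetime(2024, 1, 1, tzinfo=UTC)).items():
        print(user, findings)
```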