SAM / SYSTEM Dump
SAM database contains local account NTLM hashes. Needs SYSTEM + SAM hives.Copy Registry Hives
Volume Shadow Copy (If Locked)
Extract Hashes (Attacker)
Crack NTLM Hashes
DPAPI — Saved Passwords
DPAPI protects Chrome/Edge passwords, Wi-Fi keys, RDP credentials.Chrome/Edge Passwords
Encrypted DB location:Decrypt with Mimikatz
Decrypt with SharpChrome
Wi-Fi Passwords via DPAPI
Windows Vault / Credential Manager
List Stored Credentials
Exploit Saved Credentials (runas /savecred)
Ifcmdkey /list shows stored credentials: