Commands for interacting with a remote Security Accounts Manager
For help on a subcommand, use Sam <subcommand> -h
Enumerates aliases
Sam enumaliases [options] <ServerName>

| Name | Aliases | Value | Description |
|---|---|---|---|
| <ServerName> | | <String> | RPC server to interact with |


| Name | Aliases | Value | Description |
|---|---|---|---|
| -ContinueOnError | | <SwitchParam> | Continue even if errors occur. Default: True |
| -ConsoleOutputStyle | -OutputStyle | <OutputStyle> | Determines the output style. Possible values: Freeform, Raw, Table, List, Csv, Tsv, Json |
| -OutputFields | | <String[]> | Fields to display in output. Possible values: AccountName, Domain, AccountType, Id, Sid, MemberCount, AdminComment |
| -OutputHeaders | | <SwitchParam> | Print headers for table/list/CSV/TSV styles. Default: True |
| -Spnego | | <SwitchParam> | Uses SP-NEGO for authentication |
| -AuthEpm | | <SwitchParam> | Authenticates EP mapper requests |
| -EncryptEpm | | <SwitchParam> | Encrypts EP mapper requests |
| -EncryptRpc | | <SwitchParam> | Encrypts RPC messages |
| -PreferSmb | | <SwitchParam> | If the interface supports named pipes, attempt to connect over the named pipe instead of TCP |
| -SpnOverride | | <SpnMapping[]> | Specifies an SPN override |
| -AuthProxy | | <EndPoint> | Endpoint of auth proxy |
| -Socks5 | | <host-or-ip:port> | Endpoint of SOCKS 5 server to use |


| Name | Aliases | Value | Description |
|---|---|---|---|
| -LogLevel | | <LogMessageSeverity> | Sets the lowest level of messages to log. Possible values: Debug, Diagnostic, Verbose, Info, Warning, Error, Critical |
| -ConsoleLogFormat | -LogFormat | <LogFormat> | Sets the format of log messages written to the console. Default: 0. Possible values: Text, TextWithTimestamp, Json |
| -Verbose | -V | <SwitchParam> | Prints verbose messages |
| -Diagnostic | -vv | <SwitchParam> | Prints diagnostic messages |
| -HumanReadable | | <SwitchParam> | Formats file sizes as human-readable values |


| Name | Aliases | Value | Description |
|---|---|---|---|
| -Anonymous | | <SwitchParam> | Uses anonymous login |
| -UserName | -u | <UserPrincipalName> | User name to authenticate with, not including the domain |
| -UserDomain | -ud | <String> | Domain of user to authenticate with |
| -Password | -p | <String> | Password to authenticate with |
| -NtlmHash | | <hexadecimal hash> | NTLM hash for NTLM authentication |

Authentication (Kerberos)

| Name | Aliases | Value | Description |
|---|---|---|---|
| -AesKey | | <HexString> | AES key (128 or 256) |
| -DesKey | | <HexString> | DES key |
| -Tgt | | <String> | Name of file containing a ticket-granting ticket (.kirbi or ccache) |
| -Tickets | | <String[]> | Name of file containing service tickets (.kirbi or ccache) |
| -TicketCache | | <String> | Name of ticket cache file |
| -K, -Kdc | | <host-or-ip:port> | KDC endpoint |
| -S4UserName | | <UserPrincipalName> | Name of user to impersonate with S4U |
| -U2UserName | | <UserPrincipalName> | User name to request TGT for U2U |
| -S4UserCert | | <String> | Name of file containing a certificate of a user to impersonate with S4U |
| -S4ProxyService | | <SecurityPrincipalName> | Name of service to proxy through |
| -UserCert | | <String> | Name of file containing user's certificate (for PKINIT) |
| -UserKey | | <String> | Name of file containing user's key (for PKINIT) |
| -UserKeyPassword | | <String> | Password to decrypt file containing user's key (for PKINIT) |


| Name | Aliases | Value | Description |
|---|---|---|---|
| -Workstation | -w | <String> | Name of workstation to send with NTLM authentication |
| -NtlmVersion | | <Version> | NTLM version number (a.b.c.d) |


| Name | Aliases | Value | Description |
|---|---|---|---|
| -HostAddress | -ha | <String[]> | Network address(es) of the server |
| -UseTcp6Only | -6 | <SwitchParam> | Only use TCP over IPv6 endpoint |
| -UseTcp4Only | -4 | <SwitchParam> | Only use TCP over IPv4 endpoint |
| -Dialects | | <Smb2Dialect[]> | List of SMB2 dialects to negotiate. Possible values: Smb2_0_2, Smb2_1, Smb3_0, Smb3_0_2, Smb3_1_1 |
| -RequireSigning | -signreq | <SwitchParam> | Requires packets to be signed |
| -RequireSecureNegotiate | | <SwitchParam> | Requires the client to authenticate the negotiation |
| -EncryptSmb | | <SwitchParam> | Requires an encrypted connection |


| Name | Aliases | Value | Description |
|---|---|---|---|
| -F, -FollowDfs | | <SwitchParam> | Checks for and follows DFS referrals (default=true) |
| -DfsReferralBufferSize | | <Int32> | Specifies the size for the DFS referral buffer (default=4096) |

Sam enumaliases attempts to query the general info and attributes for the
groups returned by the server.
Example 1 - Enumerate all aliases
Sam enumaliases LUMON-DC1 -UserName milchick -Password Br3@kr00m!
Enumerates groups
Sam enumgroups [options] <ServerName>

| Name | Aliases | Value | Description |
|---|---|---|---|
| <ServerName> | | <String> | RPC server to interact with |


| Name | Aliases | Value | Description |
|---|---|---|---|
| -ContinueOnError | | <SwitchParam> | Continue even if errors occur. Default: True |
| -ConsoleOutputStyle | -OutputStyle | <OutputStyle> | Determines the output style. Possible values: Freeform, Raw, Table, List, Csv, Tsv, Json |
| -OutputFields | | <String[]> | Fields to display in output. Possible values: AccountName, Domain, AccountType, Id, Sid, Attributes, MemberCount, AdminComment |
| -OutputHeaders | | <SwitchParam> | Print headers for table/list/CSV/TSV styles. Default: True |
| -Spnego | | <SwitchParam> | Uses SP-NEGO for authentication |
| -AuthEpm | | <SwitchParam> | Authenticates EP mapper requests |
| -EncryptEpm | | <SwitchParam> | Encrypts EP mapper requests |
| -EncryptRpc | | <SwitchParam> | Encrypts RPC messages |
| -PreferSmb | | <SwitchParam> | If the interface supports named pipes, attempt to connect over the named pipe instead of TCP |
| -SpnOverride | | <SpnMapping[]> | Specifies an SPN override |
| -AuthProxy | | <EndPoint> | Endpoint of auth proxy |
| -Socks5 | | <host-or-ip:port> | Endpoint of SOCKS 5 server to use |


| Name | Aliases | Value | Description |
|---|---|---|---|
| -LogLevel | | <LogMessageSeverity> | Sets the lowest level of messages to log. Possible values: Debug, Diagnostic, Verbose, Info, Warning, Error, Critical |
| -ConsoleLogFormat | -LogFormat | <LogFormat> | Sets the format of log messages written to the console. Default: 0. Possible values: Text, TextWithTimestamp, Json |
| -Verbose | -V | <SwitchParam> | Prints verbose messages |
| -Diagnostic | -vv | <SwitchParam> | Prints diagnostic messages |
| -HumanReadable | | <SwitchParam> | Formats file sizes as human-readable values |


| Name | Aliases | Value | Description |
|---|---|---|---|
| -Anonymous | | <SwitchParam> | Uses anonymous login |
| -UserName | -u | <UserPrincipalName> | User name to authenticate with, not including the domain |
| -UserDomain | -ud | <String> | Domain of user to authenticate with |
| -Password | -p | <String> | Password to authenticate with |
| -NtlmHash | | <hexadecimal hash> | NTLM hash for NTLM authentication |

Authentication (Kerberos)

| Name | Aliases | Value | Description |
|---|---|---|---|
| -AesKey | | <HexString> | AES key (128 or 256) |
| -DesKey | | <HexString> | DES key |
| -Tgt | | <String> | Name of file containing a ticket-granting ticket (.kirbi or ccache) |
| -Tickets | | <String[]> | Name of file containing service tickets (.kirbi or ccache) |
| -TicketCache | | <String> | Name of ticket cache file |
| -K, -Kdc | | <host-or-ip:port> | KDC endpoint |
| -S4UserName | | <UserPrincipalName> | Name of user to impersonate with S4U |
| -U2UserName | | <UserPrincipalName> | User name to request TGT for U2U |
| -S4UserCert | | <String> | Name of file containing a certificate of a user to impersonate with S4U |
| -S4ProxyService | | <SecurityPrincipalName> | Name of service to proxy through |
| -UserCert | | <String> | Name of file containing user's certificate (for PKINIT) |
| -UserKey | | <String> | Name of file containing user's key (for PKINIT) |
| -UserKeyPassword | | <String> | Password to decrypt file containing user's key (for PKINIT) |


| Name | Aliases | Value | Description |
|---|---|---|---|
| -Workstation | -w | <String> | Name of workstation to send with NTLM authentication |
| -NtlmVersion | | <Version> | NTLM version number (a.b.c.d) |


| Name | Aliases | Value | Description |
|---|---|---|---|
| -HostAddress | -ha | <String[]> | Network address(es) of the server |
| -UseTcp6Only | -6 | <SwitchParam> | Only use TCP over IPv6 endpoint |
| -UseTcp4Only | -4 | <SwitchParam> | Only use TCP over IPv4 endpoint |
| -Dialects | | <Smb2Dialect[]> | List of SMB2 dialects to negotiate. Possible values: Smb2_0_2, Smb2_1, Smb3_0, Smb3_0_2, Smb3_1_1 |
| -RequireSigning | -signreq | <SwitchParam> | Requires packets to be signed |
| -RequireSecureNegotiate | | <SwitchParam> | Requires the client to authenticate the negotiation |
| -EncryptSmb | | <SwitchParam> | Requires an encrypted connection |


| Name | Aliases | Value | Description |
|---|---|---|---|
| -F, -FollowDfs | | <SwitchParam> | Checks for and follows DFS referrals (default=true) |
| -DfsReferralBufferSize | | <Int32> | Specifies the size for the DFS referral buffer (default=4096) |

Sam enumgroups attempts to query the general info for the groups returned by
the server.
Example 1 - Enumerate all groups
Sam enumgroups LUMON-DC1 -UserName milchick -Password Br3@kr00m!
Enumerates user accounts
Sam enumusers [options] <ServerName>

| Name | Aliases | Value | Description |
|---|---|---|---|
| <ServerName> | | <String> | RPC server to interact with |


| Name | Aliases | Value | Description |
|---|---|---|---|
| -ContinueOnError | | <SwitchParam> | Continue even if errors occur. Default: True |
| -ConsoleOutputStyle | -OutputStyle | <OutputStyle> | Determines the output style. Possible values: Freeform, Raw, Table, List, Csv, Tsv, Json |
| -OutputFields | | <String[]> | Fields to display in output. Possible values: AccountName, Domain, AccountType, Id, Sid, FullName, AdminComment, PasswordLastSet, LastLogon, BadPasswordCount |
| -OutputHeaders | | <SwitchParam> | Print headers for table/list/CSV/TSV styles. Default: True |
| -Spnego | | <SwitchParam> | Uses SP-NEGO for authentication |
| -AuthEpm | | <SwitchParam> | Authenticates EP mapper requests |
| -EncryptEpm | | <SwitchParam> | Encrypts EP mapper requests |
| -EncryptRpc | | <SwitchParam> | Encrypts RPC messages |
| -PreferSmb | | <SwitchParam> | If the interface supports named pipes, attempt to connect over the named pipe instead of TCP |
| -SpnOverride | | <SpnMapping[]> | Specifies an SPN override |
| -AuthProxy | | <EndPoint> | Endpoint of auth proxy |
| -Socks5 | | <host-or-ip:port> | Endpoint of SOCKS 5 server to use |


| Name | Aliases | Value | Description |
|---|---|---|---|
| -LogLevel | | <LogMessageSeverity> | Sets the lowest level of messages to log. Possible values: Debug, Diagnostic, Verbose, Info, Warning, Error, Critical |
| -ConsoleLogFormat | -LogFormat | <LogFormat> | Sets the format of log messages written to the console. Default: 0. Possible values: Text, TextWithTimestamp, Json |
| -Verbose | -V | <SwitchParam> | Prints verbose messages |
| -Diagnostic | -vv | <SwitchParam> | Prints diagnostic messages |
| -HumanReadable | | <SwitchParam> | Formats file sizes as human-readable values |


| Name | Aliases | Value | Description |
|---|---|---|---|
| -Anonymous | | <SwitchParam> | Uses anonymous login |
| -UserName | -u | <UserPrincipalName> | User name to authenticate with, not including the domain |
| -UserDomain | -ud | <String> | Domain of user to authenticate with |
| -Password | -p | <String> | Password to authenticate with |
| -NtlmHash | | <hexadecimal hash> | NTLM hash for NTLM authentication |

Authentication (Kerberos)

| Name | Aliases | Value | Description |
|---|---|---|---|
| -AesKey | | <HexString> | AES key (128 or 256) |
| -DesKey | | <HexString> | DES key |
| -Tgt | | <String> | Name of file containing a ticket-granting ticket (.kirbi or ccache) |
| -Tickets | | <String[]> | Name of file containing service tickets (.kirbi or ccache) |
| -TicketCache | | <String> | Name of ticket cache file |
| -K, -Kdc | | <host-or-ip:port> | KDC endpoint |
| -S4UserName | | <UserPrincipalName> | Name of user to impersonate with S4U |
| -U2UserName | | <UserPrincipalName> | User name to request TGT for U2U |
| -S4UserCert | | <String> | Name of file containing a certificate of a user to impersonate with S4U |
| -S4ProxyService | | <SecurityPrincipalName> | Name of service to proxy through |
| -UserCert | | <String> | Name of file containing user's certificate (for PKINIT) |
| -UserKey | | <String> | Name of file containing user's key (for PKINIT) |
| -UserKeyPassword | | <String> | Password to decrypt file containing user's key (for PKINIT) |


| Name | Aliases | Value | Description |
|---|---|---|---|
| -Workstation | -w | <String> | Name of workstation to send with NTLM authentication |
| -NtlmVersion | | <Version> | NTLM version number (a.b.c.d) |


| Name | Aliases | Value | Description |
|---|---|---|---|
| -HostAddress | -ha | <String[]> | Network address(es) of the server |
| -UseTcp6Only | -6 | <SwitchParam> | Only use TCP over IPv6 endpoint |
| -UseTcp4Only | -4 | <SwitchParam> | Only use TCP over IPv4 endpoint |
| -Dialects | | <Smb2Dialect[]> | List of SMB2 dialects to negotiate. Possible values: Smb2_0_2, Smb2_1, Smb3_0, Smb3_0_2, Smb3_1_1 |
| -RequireSigning | -signreq | <SwitchParam> | Requires packets to be signed |
| -RequireSecureNegotiate | | <SwitchParam> | Requires the client to authenticate the negotiation |
| -EncryptSmb | | <SwitchParam> | Requires an encrypted connection |


| Name | Aliases | Value | Description |
|---|---|---|---|
| -F, -FollowDfs | | <SwitchParam> | Checks for and follows DFS referrals (default=true) |
| -DfsReferralBufferSize | | <Int32> | Specifies the size for the DFS referral buffer (default=4096) |

Sam enumusers attempts to query the general and account info for the users
returned by the server.
Example 1 - Enumerate all accounts
Sam enumusers LUMON-DC1 -UserName milchick -Password Br3@kr00m!