Pulling local LM and NTLM password hashes from the SAM file using pwdump6 (CLI) - Printable Version
howtothings.co.uk (https://www.howtothings.co.uk), Forum: Computing > Operating System and Software Support, Thread: /showthread.php?tid=1060
Pulling local LM and NTLM password hashes from the SAM file using pwdump6 (CLI) - Mark - 04-10-2011

Well, being in between jobs I've had the chance to play with some new tools. I dusted off my domain controller here and set to work.

What is this SAM file?

The SAM file holds the user names and password hashes for every account on the local machine, or domain if it is a domain controller. SAM stands for Security Account Manager.

Where can I find this SAM file?

You can find the SAM under %systemroot%\system32\config (C:\WINDOWS). If you have physical access to the machine and they won't notice that it's gone down (assuming it's not something like a PDC and now suddenly nothing works), you can just boot from a Live CD and make a copy of the SAM. However, this folder is locked to all accounts including Administrator while the machine is running. The only account that can access the SAM file during operation is the "System" account.

How does pwdump6 get the hashes then?

pwdump6 uses DLL injection in order to use the System account to view the password hashes.

What is pwdump6?

pwdump6 is apparently a significantly modified version of pwdump3e (I've never had the joy of using pwdump3e). pwdump6 is able to extract NTLM and LanMan (LM) hashes from a Windows machine, which you can then output to a text file. It's also been integrated into a program called fgdump, which I couldn't get to work. So screw fgdump. In order to work it must be run under an Administrator account, or be able to access an Administrator account on the computer where the hashes are to be dumped. If I recall correctly, LM hashes are used on XP and pre-XP machines whereas NTLM took over in Vista onwards (still being able to use LM hashes, but they're disabled by default). Correct me if I'm wrong here.
You can download and read a lot more about pwdump6 here.

Steps in using pwdump6

If you've used CLI tools before then this will be a walk in the park, it's really easy.

1) Download pwdump6.
2) Execute pwdump.exe from a command prompt. (Double clicking the file will just make you look like an idiot.)
3) You can use pwdump --help for syntax.
4) Execute the program with the required switches. I used:

Code:
pwdump.exe -o out.txt -u Mark -x 127.0.0.1

REALLY simple.
-o is telling it to put the hashes into a file called out.txt
-u is telling it to use my account to authenticate
-x is because I'm attacking a 64-bit machine
127.0.0.1 is localhost (aka my local machine).

5) And here's the output. It literally took 3 seconds to run. An example of an extracted hash would be this:

Code:
Administrator:500:NO PASSWORD*********************:259745CB123A52AA2E693AAACCA2DB52:::

With 259745CB123A52AA2E693AAACCA2DB52 being their hashed password. No prize for whoever posts what the unhashed password is.

If you're using this on a domain like I did but didn't document it, then for your user you'd have your domain admin account DOMAIN\account. You can also attack different machines/servers within the network simply by replacing 127.0.0.1 with the machine/server name.

RE: Pulling local LM and NTLM password hashes from the SAM file using pwdump6 (CLI) - Drumm - 04-10-2011

fgdump > pwdump6. FACT.
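The hash line in Mark's post above follows the pwdump output format user:RID:LM hash:NT hash:::, which is what an administrator would audit after a sanctioned dump of their own machines. As an added example (not part of the post or of the pwdump6 project), here is a small Python parser for that format that flags accounts still storing a legacy LM hash, accounts with an empty password, and accounts sharing the same NT hash; the "NO PASSWORD" marker is taken from the post, the two empty-password hash constants are standard well-known values, and the guest and legacy sample lines are constructed.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# pwdump6 writes "NO PASSWORD***..." in the LM field when no LM hash is stored (seen in the post);
# the two hashes below are the standard empty-password LM/NT values (known constants, not from the post).
NO_LM_MARKER = "no password"
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$")
Entry = Tuple[str, int, Optional[str], str]  # (user, rid, lm_hash or None, nt_hash)

def parse_line(line: str) -> Optional[Entry]:
    """Parse one 'user:rid:lmhash:nthash:::' line; returns None for a blank line."""
    line = line.strip()
    if not line:
        return None
    parts = line.split(":")
    if len(parts) < 4:
        raise ValueError(f"malformed pwdump line: {line!r}")
    user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
    if not HEX32.match(nt):
        raise ValueError(f"bad NT hash for {user}: {nt!r}")
    if lm.startswith(NO_LM_MARKER) or lm == EMPTY_LM:
        return (user, rid, None, nt)
    if not HEX32.match(lm):
        raise ValueError(f"bad LM field for {user}: {lm!r}")
    return (user, rid, lm, nt)

def audit(lines: Iterable[str]) -> List[str]:
    """Flag legacy LM storage, empty passwords and NT hashes shared between accounts."""
    findings: List[str] = []
    by_nt: Dict[str, List[str]] = {}
    for line in lines:
        if (e := parse_line(line)) is None:
            continue
        user, rid, lm, nt = e
        if lm is not None:
            findings.append(f"{user} (RID {rid}): LM hash stored, legacy LM storage still enabled")
        if nt == EMPTY_NT:
            findings.append(f"{user} (RID {rid}): empty password")
        by_nt.setdefault(nt, []).append(user)
    for nt, users in by_nt.items():
        if len(users) > 1:
            findings.append("same password on: " + ", ".join(users))
    return findings

# Constructed sample: the post's Administrator line plus two made-up accounts (guest, legacy).
SAMPLE = """Administrator:500:NO PASSWORD*********************:259745CB123A52AA2E693AAACCA2DB52:::
guest:501:NO PASSWORD*********************:31D6CFE0D16AE931B73C59D7E0C089C0:::
legacy:1001:0123456789ABCDEF0123456789ABCDEF:259745CB123A52AA2E693AAACCA2DB52:::"""
```

Running audit(SAMPLE.splitlines()) reports the empty guest password, the LM hash on the legacy account, and that Administrator and legacy share a password.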