Gathering & Retrieving Windows Password Hashes
Penetration tests might involve Windows user password auditing. In Windows systems (NT, 2000, XP, Vista, 7) user password hashes (LM and NTLM hashes) are stored in registry file named SAM (Security Accounts Manager). Until recently whenever I had to extract Windows password hashes I had two alternatives: the manual way or by using Windows password auditing suites (Cain&Abel, Ophcrack, L0phtCrack etc). But yesterday I came across in the web with a very useful python script named HashGrab2. HashGrab2 automatically mounts Windows drives and extracts username-password hashes from SAM and SYSTEM files located on the Windows drives using the samdump2 utility. HashGrab2 is ideal in cases that you just want to collect the Windows password hashes in order to import them to your preferred password cracker.
SAM Database Protection:
Offline Attacks: Microsoft introduced the SYSKEY utility in order partially encrypt the on-disk copy of the SAM file. Information about the SYSKEY encryption key is stored in the SYSTEM file located under the path %sysroot%/System32/config/.
Online Attacks: The SAM file cannot be moved or copied while Windows is running, since the Windows kernel obtains and keeps an exclusive filesystem lock on the SAM file, and will not release that lock until the operating system has shut down or a blue screen exception has been thrown.However, the in-memory copy of the contents of the SAM can be dumped using various techniques, making the password hashes available for offline brute-force attack.
HashGrab2:
HashGrab2, written by s3my0n, is an offline gathering python script that automatically discover Windows drives and extracts the username-hash pairs to user defined file. HashGrab2 must be run as root (in order to mount the Windows drives) and requires python installed. It is preferable to install samdump2 from your distribution repositories in order to automatically acquire the username-hash pairs.
HashGrab2 can be downloaded from here.
zip md5sum:0db4f35062d773001669554c8e16015a
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | user1@bt5:Scripts$ ./hashgrab2.py _ _ _ ___ | | | | | | |__ \ | |__ __ _ ___| |__ __ _ _ __ __ _| |__ ) | | '_ \ / _` / __| '_ \ / _` | '__/ _` | '_ \ / / | | | | (_| \__ \ | | | (_| | | | (_| | |_) / /_ |_| |_|\__,_|___/_| |_|\__, |_| \__,_|_.__/____| __/ | |___/ HashGrab v2.0 by s3my0n http://InterN0T.net Contact: RuSH4ck3R[at]gmail[dot]com [-] Error: you are not root |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 | root@bt5:Scripts$./hashgrab2.py _ _ _ ___ | | | | | | |__ \ | |__ __ _ ___| |__ __ _ _ __ __ _| |__ ) | | '_ \ / _` / __| '_ \ / _` | '__/ _` | '_ \ / / | | | | (_| \__ \ | | | (_| | | | (_| | |_) / /_ |_| |_|\__,_|___/_| |_|\__, |_| \__,_|_.__/____| __/ | |___/ HashGrab v2.0 by s3my0n http://InterN0T.net Contact: RuSH4ck3R[at]gmail[dot]com [*] Mounted /dev/sda1 to /mnt/qWLgG5 [*] Mounted /dev/sda2 to /mnt/4sDAQO [*] Copying SAM and SYSTEM files... samdump2 1.1.1 by Objectif Securite http://www.objectif-securite.ch original author: ncuomo@studenti.unina.it Root Key : CMI-CreateHive{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} [*] Unmounting partitions... [*] Deleting mount directories... [*] Deleting ['./4sDAQO'] |
1 2 3 4 | root@bt5:Applications$cat 4sDAQO.txt Administrator:500:HASH::: Guest:501:HASH::: user1:1001:HASH::: |
DISCLAIMER: I’m not responsible with what you do with this info. This information is for educational purposes only.
A. Bechtsoudis