Pulling local LM and NTLM password hashes from the SAM file using pwdump6 (CLI)
#1

Well, being in between jobs I've had the chance to play with some new tools. I dusted off my domain controller here and set to work.


What is this SAM file?

The SAM file holds the user names and password hashes for every account on the local machine, or domain if it is a domain controller.
SAM stands for Security Account Manager.


Where can I find this SAM file?

You can find the SAM under %systemroot%\system32\config (C:\WINDOWS).

If you have physical access to the machine and they won't notice that it's gone down (assuming it's not something like a PDC and now suddenly nothing works), you can just boot from a Live CD and make a copy of the SAM.
However, this folder is locked to all accounts including Administrator while the machine is running. The only account that can access the SAM file during operation is the "System" account.


How does pwdump6 get the hashes then?

pwdump6 uses DLL injection in order to use the system account to view the password hashes.


What is pwdump6?

pwdump6 is apparently a significantly modified version of pwdump3e (I've never had the joy of using pwdump3e).
pwdump6 is able to extract NTLM and LanMan (LM) hashes from a Windows machine, which you can then output to a text file.
It's also been integrated into a program called fgdump, which I couldn't get to work. So screw fgdump.

In order to work it must be run under an Administrator account, or be able to access an Administrator account on the computer where the hashes are to be dumped.

If I recall correctly, LM hashes are used on XP and pre-XP machines, whereas NTLM took over from Vista onwards (LM hashes can still be used, but they're disabled by default). Correct me if I'm wrong here.

You can download and read a lot more about pwdump6 here


Steps in using pwdump6

If you've used CLI tools before then this will be a walk in the park; it's really easy.

1) Download pwdump6

2) Execute pwdump.exe from a command prompt. (Double-clicking the file will just make you look like an idiot.)

3) You can use pwdump --help for syntax.

[Image: pwdump6-01.png]


4) Execute the program with the required switches. I used:

Code:
pwdump.exe -o out.txt -u Mark -x 127.0.0.1

REALLY simple.
-o is telling it to put the hashes into a file called out.txt
-u is telling it to use my account to authenticate
-x is because I'm attacking a 64-bit machine
127.0.0.1 is localhost (aka my local machine).

[Image: pwdump6-02.png]


5) And here's the output. It literally took 3 seconds to run.

[Image: pwdump6-03.png]


An example of an extracted hash would be this:
Code:
Administrator:500:NO PASSWORD*********************:259745CB123A52AA2E693AAACCA2DB52:::

With 259745CB123A52AA2E693AAACCA2DB52 being their hashed password. No prize for whoever posts what the unhashed password is.


If you're using this on a domain, like I did but didn't document, then for your user you'd have your domain admin account as DOMAIN\account. You can also attack different machines/servers within the network simply by replacing 127.0.0.1 with the machine/server name.

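A defender's reading of that user:RID:LM:NTLM::: output format, as an added example that is not from the original post or from the pwdump6 project: when you review a dump of your own accounts after an authorised audit, the questions that matter are which accounts still carry a legacy LM hash, which have an empty password, and which share a password (NT hashes are unsalted, so identical hashes mean identical passwords). The Administrator line is the one shown in the post; the other three accounts and their hash values are constructed for this example, and the two "empty password" hash constants are the well-known LM/NT values for an empty string.

```python
"""Audit a pwdump6-style hash dump for weak credential hygiene (added example).

pwdump6 writes one account per line as  user:RID:LM_hash:NTLM_hash:::
"""
import re
from collections import defaultdict

# pwdump6 prints this marker in the LM field when no LM hash is stored.
NO_LM_MARKER = "NO PASSWORD*********************"
HEX32 = re.compile(r"^[0-9A-F]{32}$")

# Well-known hashes of the empty password (fixed values of the LM and NT algorithms).
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"

# Sample dump: the Administrator line is the one shown in the post; the other
# three accounts and their hash values are constructed for this example.
SAMPLE_DUMP = """\
Administrator:500:NO PASSWORD*********************:259745CB123A52AA2E693AAACCA2DB52:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
legacy_svc:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::
helpdesk:1002:NO PASSWORD*********************:259745CB123A52AA2E693AAACCA2DB52:::
"""


def parse_line(line):
    """Split one pwdump6 line into its fields; return None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    parts = line.split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    return {
        "user": parts[0],
        "rid": int(parts[1]),
        "lm": parts[2].upper(),
        "nt": parts[3].upper(),
    }


def audit_dump(text):
    """Return {username: [findings]} for every parseable account in the dump."""
    accounts = [a for a in (parse_line(l) for l in text.splitlines()) if a]

    # Group accounts by NT hash so shared passwords can be spotted.
    by_nt = defaultdict(list)
    for acct in accounts:
        if HEX32.match(acct["nt"]) and acct["nt"] != EMPTY_NT:
            by_nt[acct["nt"]].append(acct["user"])

    findings = {}
    for acct in accounts:
        issues = []
        if acct["nt"] == EMPTY_NT:
            issues.append("empty password")
        # A real LM hash (not the marker, not the empty-string value) means the
        # password is at most 14 chars and stored in the weak, case-insensitive LM form.
        if HEX32.match(acct["lm"]) and acct["lm"] != EMPTY_LM:
            issues.append("lm hash present")
        if len(by_nt.get(acct["nt"], [])) > 1:
            issues.append("shared password")
        findings[acct["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_dump(SAMPLE_DUMP).items():
        print(f"{user:<15} {', '.join(issues) or 'ok'}")
```

Run against a real dump by reading the -o output file into audit_dump(); any account flagged "lm hash present" is a sign that LM storage is still enabled on that host, and "shared password" between an RID 500 account and a regular user is worth a password reset on both.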
#2
fgdump > pwdump6. FACT.
[Image: nomnomnom.jpg]
;7$=v?%v%#5>v7v8994
The decrypt code is V, I could not make it any simpler!

