
Extracting NT password hashes from registry export file
From: David Watson <david.watson () ioko365 com>
Date: Wed, 31 Oct 2001 15:58:49 +0000


Hopefully someone will have come across this problem before and will be able to offer some advice to save me some unnecessary pain. I'm trying to find a method to quickly and easily extract the NT password hashes from a registry export text file (i.e. regedit /e reg.txt) of a Win2K server.

I have no file upload capability to the server in question, so I cannot use interactive methods such as pwdump/samdump to export the NT password hashes from memory (or pwdump3 with DLL injection for syskey-protected hashes). However, I have been able to export a copy of the registry as local administrator and download this data locally. Short of opening the ASCII export in a hex editor, locating the correct password hash starting offset location in [HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4] and manually extracting the first 16 bytes for the LMHash and the next 16 bytes for the NTHash from the "V"=hex: record for each account (which will be syskeyed and further obfuscated via DES encryption with the user's RID as the key, I believe), I can't find any tool or current technique to do this more easily.

Has anyone ever tried to do this before, or come across/written a tool capable of reading an entire export file and extracting all the necessary data? Is there a better way to approach this problem that I might have missed? The source code for pwdump has a method to handle the de-obfuscation of the hashes, but I'm surprised that I cannot find any previous papers or tools that attempt this process.

As an aside, in the past on NT4 I would have updated the Windows repair directory using rdisk and extracted the hashes from the SAM. This only appears to be possible now in Win2K and above when using the GUI, as command line rdisk support was apparently dropped recently (MS Q231777). Has anyone found a method of refreshing the repair directory from the command line in Win2K yet?

Any advice appreciated; I'm happy to summarise my findings and post them here for others.



David Watson                    Voice:  +44 1904 438000
Technical Manager               Fax:    +44 1904 435450
ioko365                 Email:  david.watson () ioko365 com
