Well, you can get quite frustrated when the beloved FGdump just does not work for no particular reason. The password hashes are so close, yet not attainable. But it seems there is a kind of remedy (or call it an "alternative way") for getting the password hashes. Here is the story.
All right, we know that password hashes are stored in the registry, in the key HKLM/Security/Sam. Normally you must have administrator privileges to access it. Even if you are the local admin, you still have to manually assign yourself full control permission for this subkey. Then you may see something like this:
The juicy stuff is physically stored in two files:
C:/windows/system32/config/sam
and
C:/windows/system32/config/system
So theoretically, if we were able to get the content of those files, we could pass it to Cain and play a little with it... But unfortunately those files are locked, so they can't be copied or accessed in any way. If you try, you will immediately get a nice error like this:
So it looks like there is no chance. Well, not quite. There is an interesting approach called "Dumping File Sectors Directly from Disk using Logical Offsets", which surprisingly allows you to copy files that are locked and currently in use. There is a nice tool called FDump which allows you to do this. More details here: http://www.codeproject.com/KB/files/FDump.aspx
If you don't want to go too deep into the theory (which is recommended, btw), here is the practical solution.
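From the defender's side, the interesting property of the approach above is that it never opens the locked files at all: it reads the volume underneath them. Sysmon logs exactly that as Event ID 9 (RawAccessRead), recorded when a process opens a drive for raw reading. The following script is an added example, not part of the original post, and it is not a tool of the author or of the FDump project: it runs a simple detection over a few constructed Sysmon-style lines, flags raw volume reads by processes that are not on a baseline allowlist, and raises the severity when the reading process lives in a user-writable path. The flat key=value line layout, the allowlist entries and the sample paths are all assumptions made for this example.

```python
import re

# Constructed sample log, modelled on the fields of Sysmon Event ID 9 (RawAccessRead):
# Image, Device, ProcessId and User. The flat "key=value" line layout is an assumption
# made for this example; a real pipeline would read the EVTX/XML fields instead.
SAMPLE_LOG = """\
EventID=9 UtcTime=2024-01-01 10:00:01 Image=C:\\Windows\\System32\\svchost.exe Device=\\Device\\HarddiskVolume2 ProcessId=1204 User=NT AUTHORITY\\SYSTEM
EventID=9 UtcTime=2024-01-01 10:00:05 Image=C:\\Program Files\\Backup\\vssbackup.exe Device=\\Device\\HarddiskVolume2 ProcessId=2210 User=NT AUTHORITY\\SYSTEM
EventID=1 UtcTime=2024-01-01 10:02:10 Image=C:\\Windows\\System32\\notepad.exe ProcessId=4100 User=CORP\\alice
EventID=9 UtcTime=2024-01-01 10:02:17 Image=C:\\Users\\alice\\Downloads\\fdump.exe Device=\\Device\\HarddiskVolume2 ProcessId=4120 User=CORP\\alice
EventID=9 UtcTime=2024-01-01 10:03:40 Image=C:\\Tools\\diskread.exe Device=\\Device\\HarddiskVolume2 ProcessId=4501 User=CORP\\alice
"""

# Processes expected to read the volume directly (backup agents, the OS itself).
# Hypothetical values for this example; build the real list from your own baseline.
DEFAULT_ALLOWLIST = (
    "C:\\Windows\\System32\\svchost.exe",
    "C:\\Program Files\\Backup\\",
)

# Locations a standard user can write to; a raw volume read from a binary here is
# the strongest signal, whatever the allowlist says.
USER_WRITABLE_PREFIXES = ("C:\\Users\\", "C:\\Windows\\Temp\\", "C:\\ProgramData\\")

# key=value pairs whose values may contain spaces (stop at the next " key=").
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_line(line):
    """Split one key=value event line into a dict."""
    return {k: v for k, v in _FIELD_RE.findall(line)}


def _starts_with_any(path, prefixes):
    p = path.lower()
    return any(p.startswith(x.lower()) for x in prefixes)


def find_raw_reads(log_text, allowlist=DEFAULT_ALLOWLIST):
    """Return RawAccessRead (EventID 9) events not explained by the allowlist.

    Each finding carries time, image, user, pid, device and a severity:
    'high' for images in user-writable paths, 'medium' otherwise.
    """
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("EventID") != "9":
            continue
        image = ev.get("Image", "")
        if _starts_with_any(image, allowlist):
            continue
        severity = "high" if _starts_with_any(image, USER_WRITABLE_PREFIXES) else "medium"
        findings.append({
            "time": ev.get("UtcTime"),
            "image": image,
            "user": ev.get("User"),
            "pid": ev.get("ProcessId"),
            "device": ev.get("Device"),
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_raw_reads(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['time']} pid={f['pid']} user={f['user']} "
              f"read {f['device']} via {f['image']}")
```

Run against the sample, the two svchost/backup reads are dropped as baseline, the notepad line is ignored because it is not Event ID 9, and the two remaining raw reads are reported, the one from the user's Downloads folder as high severity. The allowlist is deliberately a list of path prefixes rather than process names, since a name alone is trivial to reuse; in production it should be derived from what actually performs raw reads on your hosts (backup and AV agents), and the rule pairs naturally with an alert on hives being loaded from unusual paths.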
The target:
We must have our own separate copies of both files, C:/windows/system32/config/sam and C:/windows/system32/config/system, from the target system (the second one is needed because the "boot key" is stored there), so that we can process them somewhere else with Cain & Abel.
Step 1:
Run fdump.exe with the following parameters:
fdump.exe "C:/WINDOWS/system32/config/SAM" sam.dat
fdump.exe "C:/WINDOWS/system32/config/system" system.dat
Expected result:
Step 2:
Run cain.exe and do the following: select "Cracker", then "Add to list", and then "Import hashes from Sam database".
Then:
So after all the manipulations it should look more or less like this:
Then click “Next”, and here we are!
The rest is up to you. Now you probably need good rainbow tables and a bit of luck. :-)
Afterword:
You may be tempted to explore the copied registry manually and see what else is there (your curiosity is more than normal), so here is a quick "how to" for browsing the downloaded registry files with regedit:
Open regedit and single-click the HKLM branch (important!):
Then in the main menu select "File" and "Load Hive", then select our file: C:/myfiles/sam
...and finally provide a key name. This is the key that the new hive will be attached to.
Do not forget to assign proper permissions to this branch:
Close regedit and open it again. Now you can browse everything! :)