Retr0-code/hash-dumper

Windows NTLM hash dump utility written in C language, that supports Windows and Linux.

Hash dumper has two modes:

  • Realtime mode (Windows only);
  • Extraction mode (dumps from saved SAM and SYSTEM hive files);


Responsibility

The author is not responsible for the actions of third parties committed while using the provided software. This software is regarded as a tool for legal penetration testing or conducting research. In case of misuse, the author does not bear any responsibility for the actions of third parties.

Building the project

Building requires the OpenSSL >= 3.0 or OpenSSL 1.1.1 library. Use CMake to generate a Visual Studio solution or a Makefile. If CMake cannot find OpenSSL, set the OPENSSL_ROOT_DIR and OPENSSL_LIB_DIR variables.

If OpenSSL >= 3.0 is used, the legacy provider has to be compiled as well, because RC4 and DES are provided by it.

Basic setup

Cloning repository

$ git clone https://github.com/Retr0-code/hash-dumper
$ git submodule update --init

If you work alone

$ git branch dev_<username>
$ git checkout dev_<username>
$ git push -u origin dev_<username>

OR

If you work in a small team

$ git checkout dev_<team_tag>
$ git pull

Building using cmake

Use the BUILD_ARCH parameter to specify the architecture of the output binary.

Architectures:

  • amd64 (default);
  • i386;

Use the BUILD_TARGET parameter to specify the build configuration.

Configurations:

  • RELEASE (default);
  • DEBUG;

Manual

You can use this utility to dump NTLMv1/2 hashes from an already compromised host with the --realtime flag.

> ./hash_dumper.exe --realtime
[+] Hives successfully opened
[+] Successfully dumped bootkey: 2766FA60DBAB4DEE67237AC942E35271
[+] Successfully hashed the bootkey: 966408e98667069a4884956c5e397575

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:9cf3445f9555a4c246fe2c3c2446b103:::
sandbox:1002:aad3b435b51404eeaad3b435b51404ee:67b6acadb87c12e9d84e6e73b6883601:::

[+] Successfully finished

Otherwise you can extract hashes from already saved hives using the --sam <path_to_sam_hive> and --system <path_to_system_hive> parameters.

> ./hash_dumper.exe --sam hives/sam --system hives/system
[+] Hives successfully opened
[+] Successfully dumped bootkey: 2766FA60DBAB4DEE67237AC942E35271
[+] Successfully hashed the bootkey: 966408e98667069a4884956c5e397575

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:9cf3445f9555a4c246fe2c3c2446b103:::
sandbox:1002:aad3b435b51404eeaad3b435b51404ee:67b6acadb87c12e9d84e6e73b6883601:::

[+] Successfully finished

If you supply all parameters at once, only --realtime takes effect.
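The user:RID:LM:NT::: lines in the output above are the pwdump format, and the thing a defender usually does with such a dump from a host they administer is audit it rather than crack it. The C program below is an added example and not part of hash-dumper: it parses that format, validates every field, and flags accounts whose NT hash is the publicly known hash of the empty password (31d6cfe0d16ae931b73c59d7e0c089c0, a blank password or a disabled built-in account) and accounts that still carry a real LM hash (anything other than aad3b435b51404eeaad3b435b51404ee, which means the host stores the weak LM hash). The sample input embeds the page's own output lines plus one constructed malformed line; the names parse_sam_line, audit_entry and audit_dump are chosen here.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HASH_HEX_LEN 32

/* Publicly known LM and NT hashes of the empty password. */
static const char EMPTY_LM[] = "aad3b435b51404eeaad3b435b51404ee";
static const char EMPTY_NT[] = "31d6cfe0d16ae931b73c59d7e0c089c0";

typedef struct {
    char user[64];
    unsigned long rid;
    char lm[HASH_HEX_LEN + 1];
    char nt[HASH_HEX_LEN + 1];
} sam_entry_t;

enum { FLAG_EMPTY_NT = 1, FLAG_LM_STORED = 2 };

/* Accept exactly 32 hex digits and copy them lowercased into dst. */
static int copy_hex32(const char *src, char *dst) {
    if (strlen(src) != HASH_HEX_LEN) return 0;
    for (size_t i = 0; i < HASH_HEX_LEN; i++) {
        if (!isxdigit((unsigned char)src[i])) return 0;
        dst[i] = (char)tolower((unsigned char)src[i]);
    }
    dst[HASH_HEX_LEN] = '\0';
    return 1;
}

/* Parse one "user:rid:lm_hash:nt_hash:::" line. Returns 1 on success,
 * 0 when the line does not have exactly that shape. */
int parse_sam_line(const char *line, sam_entry_t *out) {
    char buf[256], *fields[4], *p = buf, *end;
    strncpy(buf, line, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    buf[strcspn(buf, "\r\n")] = '\0';          /* drop the line terminator */
    for (int i = 0; i < 4; i++) {              /* split the four data fields */
        char *colon = strchr(p, ':');
        if (!colon) return 0;
        *colon = '\0';
        fields[i] = p;
        p = colon + 1;
    }
    if (strcmp(p, "::") != 0) return 0;        /* trailing empty fields */
    if (fields[0][0] == '\0' || strlen(fields[0]) >= sizeof out->user) return 0;
    out->rid = strtoul(fields[1], &end, 10);
    if (fields[1][0] == '\0' || *end != '\0') return 0;
    if (!copy_hex32(fields[2], out->lm) || !copy_hex32(fields[3], out->nt)) return 0;
    strcpy(out->user, fields[0]);
    return 1;
}

/* Bitmask of audit findings for one parsed entry. */
int audit_entry(const sam_entry_t *e) {
    int flags = 0;
    if (strcmp(e->nt, EMPTY_NT) == 0) flags |= FLAG_EMPTY_NT;   /* blank password */
    if (strcmp(e->lm, EMPTY_LM) != 0) flags |= FLAG_LM_STORED;  /* LM hash kept */
    return flags;
}

/* Walk a whole dump. Status lines ("[+] ...") and blank lines are skipped;
 * anything else that fails to parse is counted in *malformed.
 * Returns the number of entries parsed. */
int audit_dump(const char *dump, int *empty_nt, int *lm_stored, int *malformed) {
    int parsed = 0;
    *empty_nt = *lm_stored = *malformed = 0;
    for (const char *p = dump; *p;) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        const char *next = nl ? nl + 1 : p + len;
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = next;
        if (line[0] == '\0' || line[0] == '[') continue;
        sam_entry_t e;
        if (!parse_sam_line(line, &e)) { (*malformed)++; continue; }
        parsed++;
        int f = audit_entry(&e);
        if (f & FLAG_EMPTY_NT) (*empty_nt)++;
        if (f & FLAG_LM_STORED) (*lm_stored)++;
    }
    return parsed;
}

/* Constructed sample: the page's own output lines plus one malformed line. */
static const char SAMPLE_DUMP[] =
    "[+] Hives successfully opened\n"
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n"
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n"
    "DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n"
    "WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:9cf3445f9555a4c246fe2c3c2446b103:::\n"
    "sandbox:1002:aad3b435b51404eeaad3b435b51404ee:67b6acadb87c12e9d84e6e73b6883601:::\n"
    "broken:abc:zz:zz:::\n"
    "\n"
    "[+] Successfully finished\n";

int main(void) {
    int empty_nt, lm_stored, malformed;
    int n = audit_dump(SAMPLE_DUMP, &empty_nt, &lm_stored, &malformed);
    printf("%d accounts: %d with empty NT hash, %d with LM hash stored, %d malformed lines\n",
           n, empty_nt, lm_stored, malformed);
    return 0;
}
```

Reading the dump this way turns it into two concrete findings to act on: accounts with an empty NT hash should be disabled or given a password, and any non-empty LM hash means the NoLMHash policy is not enforced on that host.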