samdump2 NTLM hash - Printable Version

samdump2 NTLM hash - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: General Talk (https://hashcat.net/forum/forum-33.html)
+--- Thread: samdump2 NTLM hash (/thread-6211.html)

samdump2 NTLM hash - miccee - 01-17-2017

Hi,

I was trying to extract Windows 10 hash from SYSTEM and SAM using Samdump2 but for some reason I'm not able to recover the known password.

I didn't use The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) Live during boot, I basically ran cmd in admin mode.

Code:
reg save hklm\sam c:\ sam

Code:
reg save hklm\system c:\system

Transferred both files to shared The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) Linux folder for VM (/media/shared)

In The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)

Code:
samdump2 -o winhash /media/shared/system /media/shared/sam

Transferred winhash back to windows hashcat folder

On Hashcat

Code:
hashcat64 -m 1000 winhash -a 3 ?a?a?a?a?a?a?a?a

But no luck.
When I tried an NTLM generator online, the hash was different from winhash too...

Appreciate the help. Thanks

RE: samdump2 NTLM hash - bigblacknose - 01-17-2017

This is not a hashcat issue.
You will have to figure out why you won't get the hash you'd expect.
Try using different tools to dump the hashes from SAM.

Some older versions of different tools also sometimes gave corrupt hashes when dumping.
Samdump2 1.0.1 had this issue. Also some other versions of FGDump, Cain etc.

(google "stamp out hash corruption" from BlackHat 2012)

// BBN