WINHELLO2hashcat
#11
I was waiting for so long to try this script; now I have a PIN-secured laptop in front of me and it seems to be a little bit different.

This is the setup right now:

  1. I was able to get an image of the onboard MMC storage, not encrypted, so
  2. extracted the NTLM hash with mimi; the hash was cracked fast (it is a simple password (wordnumberword)), so first of all I was happy
  3. booting, and the laptop tells me plz provide the PIN -> okay???
  4. extracted the desired folders and tried the script
  5. error: GUID file (2.dat) missing -> well okay, saw the info regarding TPM with 15.dat
  6. BUT I have the 15.dat, which should be missing if TPM is used? (the laptop seems to have a TPM chip, but I cannot really tell from the BIOS whether it is activated or not due to secure boot being disabled and no keys available)
  7. BUT also 1.dat tells MS Platform Crypto Provider, so it should be activated?

Is there a possibility to circumvent the PIN and instead use the password? Given the SIDs and folder structure there is only this one user account.

The input window says PIN but there is no arrow or anything else; it also only accepts digits and does an auto-enter after 4 or 5 digits.

For me it doesn't matter, I can do my research with the plain data, but maybe you are interested in this one dataset?

FAST EDIT: question regarding the missing PIN GUID: what should the GUID look like, as your script accepts either the folder structure or the PIN GUID?
#12
What does the --verbose output tell you?

Either way, if there is no PIN_GUID in the NGC\GUID\Protectors\1 folder (2.dat), and the 1.dat (same folder) tells you "MS Platform Crypto Provider" is used, this means that the values are stored in the TPM chip.

As a reminder, with a MS Online Account, only a PIN sign-in is set up during installation. The user can change this manually afterwards in Settings > Accounts > Sign-in Options to allow multiple sign-in possibilities.
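A triage check for the rule in the post above, added here as an example; it is not from the thread or from the WINHELLO2hashcat tool. It assumes 1.dat and 2.dat hold NUL-terminated UTF-16LE strings and that the TPM case can be recognised by the substring "Platform Crypto Provider"; the sample folders it builds are constructed test data, not a real extraction.

```python
import tempfile
from pathlib import Path
from typing import Optional

# Assumption (not stated in the thread): 1.dat and 2.dat hold NUL-terminated
# UTF-16LE strings. The marker matches the thread's "MS Platform Crypto Provider".
TPM_MARKER = "Platform Crypto Provider"


def read_utf16(path: Path) -> Optional[str]:
    """Return the decoded string stored in path, or None if the file is absent."""
    if not path.is_file():
        return None
    return path.read_bytes().decode("utf-16le", errors="replace").rstrip("\x00")


def classify_protector(protector_dir) -> dict:
    """Apply the rule from the post to one Protectors\\<n> folder."""
    d = Path(protector_dir)
    provider = read_utf16(d / "1.dat")   # key storage provider name
    pin_guid = read_utf16(d / "2.dat")   # PIN_GUID the tool needs
    if provider and TPM_MARKER in provider:
        kind = "tpm"          # PIN material sealed in the TPM; nothing to crack offline
    elif pin_guid:
        kind = "software"     # software KSP and 2.dat present: tool input is complete
    else:
        kind = "incomplete"   # no TPM marker but 2.dat missing: re-check the extraction
    return {"provider": provider, "pin_guid": pin_guid, "kind": kind}


def make_sample_protector(root: Path, provider: str, pin_guid: Optional[str]) -> Path:
    """Write a constructed sample folder (test data, not a real NGC extraction)."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "1.dat").write_bytes((provider + "\x00").encode("utf-16le"))
    if pin_guid is not None:
        (root / "2.dat").write_bytes((pin_guid + "\x00").encode("utf-16le"))
    return root


def demo() -> dict:
    """Build three constructed sample folders and return the verdict for each."""
    base = Path(tempfile.mkdtemp())
    samples = {
        "tpm": ("Microsoft Platform Crypto Provider", None),
        "software": ("Microsoft Software Key Storage Provider", "{PLACEHOLDER-PIN-GUID}"),
        "incomplete": ("Microsoft Software Key Storage Provider", None),
    }
    return {name: classify_protector(make_sample_protector(base / name, *args))["kind"]
            for name, args in samples.items()}
```

Running `demo()` returns `{'tpm': 'tpm', 'software': 'software', 'incomplete': 'incomplete'}`; point `classify_protector` at a real Protectors\1 folder to get the verdict for an extraction.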
#13
Do you have a sample command that can be supplied to hashcat to crack these? I have the hash but am a little confused on where to add the PIN salt and iterations.
#14
If your hash is formatted as found here https://hashcat.net/wiki/doku.php?id=example_hashes, you are good to go. (Everything is included in the hash.)
If your PIN is (4?) digits only, a mask attack will do fine. For four digits this would be: -a 3 ?d?d?d?d
#15
(04-14-2022, 01:25 PM)Banaanhangwagen Wrote: What does the --verbose output tell you?

Either way, if there is no PIN_GUID in the NGC\GUID\Protectors\1 folder (2.dat), and the 1.dat (same folder) tells you "MS Platform Crypto Provider" is used, this means that the values are stored in the TPM chip.

As a reminder, with a MS Online Account, only a PIN sign-in is set up during installation. The user can change this manually afterwards in Settings > Accounts > Sign-in Options to allow multiple sign-in possibilities.

It looks like I'm in the same boat here regarding the 2.dat missing and 1.dat saying crypto provider. My machine also allows for a password instead of just the PIN. Can this tool be utilized for that as well, or is there a different tool that handles that? Apologies if this is too general of a question for this thread.
#16
As you can read in the first post, this tool only does the PIN.
If you want to crack the password hash, you need another tool for extracting the NTLM (for example secretsdump, https://github.com/fortra/impacket).
#17
Thank you for your outstanding work. This invaluable tool helped log into my father's PC after his unexpected passing and recovered multiple accounts from a browser session.