05-20-2017, 03:15 PM
(05-16-2017, 08:50 PM)Sherlock12 Wrote: I'm trying to extract hashes for a Windows 10 online account. As it authenticates to Microsoft servers, the hash is not stored in the SAM file. Sign in is possible with the machine offline, so the credentials must be cached somewhere on the local machine. Anyone have any experience extracting these hashes?
Authentication credentials for MS accounts are stored in registry (Win8) and system directory (Win10). Strong pbkdb2 is used to protect the credentials. No point to brute. You can successfully try to brute DPAPI master key instead to figure out user's logon password without accessing SAM hashes.