05-06-2023, 07:51 AM
(This post was last modified: 05-06-2023, 08:07 AM by Karsten Evans.)
(05-04-2023, 10:32 PM)Banaanhangwagen Wrote: If the "recovered" line mentions 1/1, you'll have to double-check the potfile.
Simply open it with Notepad for example.
Done that; it just shows the hash.
Also, winhello2hashcat.py
seems to take the GUID in the protector\1\2.dat file and says its user is 'None',
then it does a for loop through the files in the Keys folder and matches against the GUID taken from the 2.dat.
I've checked in the registry, and the GUID with the key I want is first and is skipped as it doesn't match.
I've tried to use PINGUID instead of Ngc, but nothing works as they never match.
Even asked Bard and Bing for help, but Bard can't code for toffee and Bing is just dumb.
Learnt a bit about Python, though.
ck.description and the pinguids aren't text, are they? One is a variable and the last is a list of single chars?
I tried just adding the GUID I wanted and used it in pinguids, but it never matched despite matching on print(f...).
Output from WINHELLO2hashcat.py:
--
[!] Found PIN GUID {E15FE536-86B8-49D7-B982-D662D77F412A} for user "None" in C:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc\{90AF981B-3BB7-406F-B442-C1963CA116DA}\Protectors\1.
[+] Processing key file C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\0a1e8a2c2f462e76b417d23c09cb96b2_1b1b3e72-ee7d-40b1-9274-44218838fea3
Key with GUID 9773f96f9d334d77 found. <== I think this is the GUID for my Hotmail/Live user which has the PIN
Skipping key 9773f96f9d334d77 because it's not matching the targeted GUID(s).
..
[+] Processing key file C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\168e7b8f3d0218d0f63c777b0d0f42e6_1b1b3e72-ee7d-40b1-9274-44218838fea3
Key with GUID L.KES found. <== local user
Skipping key L.KES because it's not matching the targeted GUID(s).
...
[+] Processing key file C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de2ab330c3c4b55a636d661421690fe6_1b1b3e72-ee7d-40b1-9274-44218838fea3
Key with GUID {E15FE536-86B8-49D7-B982-D662D77F412A} found.
[++] SYSTEM MASTER_KEY - decrypted with the LSA DPAPI secret key
----------------------------------------------------------------
I've run hashcat on the hash it returns for {E15FE536-86B8-49D7-B982-D662D77F412A} twice, and
it only returns a "Recovered" if I give 7 x ?d,
but then shows a blank line using hashcat --show hashcat.potfile.
Notepad hashcat.potfile just shows a copy of the hash?
Am I wrong in thinking it is the first GUID listed in the Keys folder that is my Live user which uses the PIN?
Is the GUID in the protector\1\2.dat always the last user signed in?
How do I find the GUIDs for all users in the registry?
Do the file names in the Keys folder mean anything? I searched the registry and it doesn't find them.
I did a regedit search for the user-friendly name of my Live username and it matched the first entry in the Keys folder,
i.e. 9773f96f9d334d77_live-id.
How do I hack the PIN for that user, or the last/current logged-in user?
I tried to match the text 9773f96f9d334d7 with
if ' 9773f96f9d334d7' in penguids:
and it never matched.
Also tried
if ' 9773f96f9d334d7' in '{penguids}': etc.
Guessing it's the ASCII [0]s that mess it up.
I'm more of a Perl guy than a Python one; I only just started looking at Python because of this script.
Is it possible to just hack them all to be sure?
Can I do the PIN hack manually using hashcat tools?
It is my PC and I'm admin; I just have some old local users and two Hotmail/Live accounts.
Finally got it to work and it shows blank/nada/nothing... frustrating or what? :-P
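The matching problem described above (a pasted GUID that never equals anything in the script's list, and "[0]s" in the values) is shown as an added example below. It is not code from the original post or from winhello2hashcat.py, whose internals are not reproduced here; it assumes the key-name field read from a key file may be UTF-16LE bytes, and the file names and key names it uses are constructed sample data modelled on the log lines in the post, not read from a real Keys folder. `decode_key_name`, `normalise_guid`, `naive_match`, `robust_match` and `select_key_files` are names chosen for this example.

```python
# Added example, not code from winhello2hashcat.py. Two common reasons a
# check like `' 977...' in some_list` never fires:
#  (1) `x in a_list` needs an element that is EXACTLY equal to x, so a leading
#      space, braces, or a case difference defeats it (with a str on the right,
#      `in` is a substring test instead, which is a different thing again);
#  (2) names pulled straight out of Windows key files are often UTF-16LE, so
#      the raw value looks like b'9\x007\x007...' (the "ASCII [0]s"), never
#      equal to the plain text "977...".
# All data below is constructed sample input; no files are read.

def decode_key_name(raw):
    """Decode a key-name field that may be UTF-16LE bytes, 8-bit bytes, or str."""
    if isinstance(raw, str):
        return raw
    # Heuristic (assumption for this example): UTF-16LE text made of Latin
    # characters has a 0x00 byte in every odd position. If so, decode as
    # UTF-16LE; otherwise treat the bytes as 8-bit text.
    if len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")

def normalise_guid(value):
    """Canonical form for comparison: decoded, no NULs/whitespace/braces, lowercase."""
    text = decode_key_name(value)
    return text.replace("\x00", "").strip().strip("{}").lower()

def naive_match(key_name, targets):
    """What the post tried: compare the raw value against the list as-is."""
    return key_name in targets

def robust_match(key_name, targets):
    """Compare after normalising both the key name and every target."""
    wanted = {normalise_guid(t) for t in targets}
    return normalise_guid(key_name) in wanted

def select_key_files(listing, targets):
    """Given (file_name, raw_key_name) pairs, return the file names whose
    key name matches one of the targeted GUIDs."""
    return [name for name, raw in listing if robust_match(raw, targets)]

# Constructed sample: three key files of the kind the script enumerates.
SAMPLE_LISTING = [
    ("0a1e8a2c2f462e76b417d23c09cb96b2_1b1b3e72-ee7d-40b1-9274-44218838fea3",
     "9773f96f9d334d77".encode("utf-16-le")),          # UTF-16LE key name
    ("168e7b8f3d0218d0f63c777b0d0f42e6_1b1b3e72-ee7d-40b1-9274-44218838fea3",
     "L.KES".encode("utf-16-le")),                     # local user, not wanted
    ("de2ab330c3c4b55a636d661421690fe6_1b1b3e72-ee7d-40b1-9274-44218838fea3",
     b"{E15FE536-86B8-49D7-B982-D662D77F412A}"),       # plain 8-bit bytes
]

# Targets typed the way the post did: leading space, braces, mixed case.
TARGETS = [" 9773f96f9d334d77", "{e15fe536-86b8-49d7-b982-d662d77f412a}"]

if __name__ == "__main__":
    raw = SAMPLE_LISTING[0][1]
    print(repr(raw))                      # shows the interleaved NUL bytes
    print("naive:", naive_match(raw, TARGETS))
    print("robust:", robust_match(raw, TARGETS))
    print("selected:", select_key_files(SAMPLE_LISTING, TARGETS))
```

Printing repr() of the raw value is the quickest way to see whether you are looking at UTF-16LE (every second byte \x00) rather than text. Note also that list membership is exact: a value that is one hex digit short of the real key name will not match with `in` on a list, whereas `in` on a single string would report a substring hit, so check which type the script's variable actually holds before choosing the comparison.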