Access denied to SOFTWARE, SYSTEM etc. Trying to find PIN
#1
I am trying to find my PIN on my laptop.
I can use the password, but the reason I want to find the PIN
is that it's the same as I used on my phone, and I have simply forgotten the PIN on my Sony Xperia, as I've used my thumb for so long and can't access it now that it's gone into PIN-only mode.
I can't remember it and it's driving me mad.

I don't want to have to reset it, as it has Teams on it authorised from my work domain, and if I have to reset and reinstall, I will have to let work install lots of spy software they use.
So I want to find the PIN used on two PCs, a Fujitsu laptop and an older Dell CAD PC.
It's the same as used on my mobile.


In the Ngc protection 1 folder I have 1, 2, 3, 4, ... to 17.dat

It says Microsoft Software Key Storage Provider in 1.dat, so it's not TPM?

I run this batch
---------------
@echo off
rem Change the path to your Python executable if needed
set PYTHON="C:\Program Files\Python310\python.exe"
rem Change the path to your winhello2hashcat.py file if needed
set WINHELLO="G:\Utils\WINHELLO2hashcat-main\winhello2hashcat.py"
rem Change the path to your Windows directory if needed
set WIND="C:\windows"

rem Change the path to your crypto keys directory if needed
set CRYPT="C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys"
rem Change the path to your masterkey directory if needed
set MASTR="C:\Windows\System32\Microsoft\Protect\S-1-5-18\User"
rem Change the path to your SYSTEM hive if needed
set SYSM="C:\Windows\System32\config\SYSTEM"
rem Change the path to your SECURITY hive if needed
set SECR="C:\Windows\System32\config\SECURITY"
rem Change the path to your SOFTWARE hive if needed
set SOFT="C:\Windows\System32\config\SOFTWARE"
rem Change the path to your Ngc directory if needed
set NGC="C:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc"

set PING="%username%"
rem Take ownership of the Ngc folder and grant the current user full control
TAKEOWN /f %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc /r /D Y
ICACLS %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc /grant "%username%":(F) /t

rem Run winhello2hashcat.py with the windows and ngc arguments
pause
%PYTHON% %WINHELLO% --verbose --windows %WIND% --ngc %NGC%
rem %PYTHON% %WINHELLO% --verbose --cryptokeys %CRYPT% --masterkey %MASTR% --security %SECR% --system %SYSM% --ngc %NGC%
pause

I run the batch as admin and I get

Traceback (most recent call last):
  File "G:\Utils\WINHELLO2hashcat-main\winhello2hashcat.py", line 277, in <module>
    lsa_secrets = reg.get_lsa_secrets(args.security, args.system)
  File "C:\Program Files\Python310\lib\site-packages\dpapick3\registry.py", line 100, in get_lsa_secrets
    self.get_syskey(system)
  File "C:\Program Files\Python310\lib\site-packages\dpapick3\registry.py", line 41, in get_syskey
    with open(system, 'rb') as f:
PermissionError: [Errno 13] Permission denied: 'C:\\Windows\\System32\\config\\SYSTEM'

Any help?

Should I copy the registry instead of using the live hive?
Is there an easy way to do that?
I used to use UBCD before, but that no longer works, and I don't have recovery installed.
Is there a utility to copy the live registry?
#2
The registry hives on a running machine are in use and locked. You'll need to copy them first.
An easy way to do this is via CMD as admin:
Code:
reg save hklm\system c:\system.dump
reg save hklm\security c:\security.dump

Change your bat accordingly.

Also, the last part of the bat needs to be:
Code:
rem Run winhello2hashcat.py with the hive copies, crypto keys, masterkey and ngc arguments
pause
rem %PYTHON% %WINHELLO% --verbose --windows %WIND% --ngc %NGC%
%PYTHON% %WINHELLO% --verbose --cryptokeys %CRYPT% --masterkey %MASTR% --security %SECR% --system %SYSM% --ngc %NGC%
pause
Happy cracking!
#3
Thanks, that has enabled it to run.
But it just finds a user None and then skips keys:
"Skipping key 9773f96f9d334d77 because it's not matching the targeted GUID(s)"


Then it finds one:
Key with GUID {FD2DACBD-B109-----------F31CD2E8} found.

This is the GUID in 2.dat

.....
[++] Values needed to convert PIN during cracking
-------------------------------------------------
PIN salt : 2528a059
PIN iterations : 10000

Then there is a "$WINHELLO$*SHA512*10000*2528a------"

And it finds more users, but skips them as they don't match.

Key with GUID {FD2DACBD-B109----------F31CD2E8} found.

[++] Values needed to convert PIN during cracking
-------------------------------------------------
PIN salt : 2528a059
PIN iterations : 10000

$WINHELLO$*SHA512*10000*2528a059

Press any key to continue . . . 
>


What is needed to get the PIN?
Is this where I run hashcat?
#4
This is what I get:

G:\Utils\hashcat-6.2.6>hashcat --help -m 28100 >hashcat.txt

G:\Utils\hashcat-6.2.6>hashcat -m 28100 hash.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 1.2 ) - Platform #1 [Intel(R) Corporation]
=============================================================
* Device #1: Intel(R) HD Graphics 4600, 768/1629 MB (203 MB allocatable), 20MCU
* Device #2: Intel(R) Core(TM) i5-4300M CPU @ 2.60GHz, skipped

Minimum password length supported by kernel: 4
Maximum password length supported by kernel: 127

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

clLinkProgram(): CL_LINK_PROGRAM_FAILURE

* Device #1: Kernel ./OpenCL/m28100-pure.cl build failed.

Started: Wed May 03 12:41:00 2023
Stopped: Wed May 03 12:45:06 2023
#5
OpenCL 1.2 is way too old; please download a recent OpenCL runtime for Intel CPU.

After installing, it should show at least OpenCL 2.1 when running hashcat -I.
#6
(05-03-2023, 02:33 PM)Snoopy Wrote: OpenCL 1.2 is way too old; please download a recent OpenCL runtime for Intel CPU.

After installing, it should show at least OpenCL 2.1 when running hashcat -I.

Finally found a Surface PC hashcat would run on. My i5 CAD laptops/desktops with Quadro are too old, it seems; either it runs out of memory or doesn't run. CL/winIntel is stuck at 1.2 on most of them.

The Lenovo Surface ran it though, and Recovered is listed as 1/1 when it finishes, but the hashcat.potfile doesn't seem to have a PIN in it.

Weird: when run with 6 x ?d it finds nothing, but on 7 x ?d it does, but
hashcat --show hashcat.potfile just displays
                    <== blank line!!
>

Does this mean it hasn't found the PIN? Is there anything else I need to do to find what it recovered, and for which user?

Any logs that show this?
#7
If the "recovered" line mentions 1/1, you'll have to double-check the potfile.
Simply open it with Notepad for example.
#8
(05-04-2023, 10:32 PM)Banaanhangwagen Wrote: If the "recovered" line mentions 1/1, you'll have to double-check the potfile.
Simply open it with Notepad for example.

Done that; it just shows the hash.

Also, winhello2hashcat.py
seems to take the GUID in the Protectors\1\2.dat file and says it's user 'None',
then it does a for loop through the files in the Keys folder and matches against the GUID taken from the 2.dat.

I've checked in the registry, and the GUID with the key I want is first and is skipped as it doesn't match.
I've tried to use PINGUD instead of Ngc, but nothing works as they never match.
Even asked Bard and Bing for help, but Bard can't code for toffee and Bing is just dumb.
Learnt a bit about Python though.
ck.description and the pinguids aren't texts, are they? One is a variable and the last is a list of single chars?
I tried just adding the GUID I wanted and used it in pinguids, but it never matched despite matching on print(f...).

Output from WINHELLO2hashcat.py:
--
[!] Found PIN GUID {E15FE536-86B8-49D7-B982-D662D77F412A} for user "None" in C:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc\{90AF981B-3BB7-406F-B442-C1963CA116DA}\Protectors\1.
[+] Processing key file C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\0a1e8a2c2f462e76b417d23c09cb96b2_1b1b3e72-ee7d-40b1-9274-44218838fea3
Key with GUID 9773f96f9d334d77 found.  <== I think this is the GUID for my hotmail /live user which has the PIN
Skipping key 9773f96f9d334d77 because it's not matching the targeted GUID(s).

..

[+] Processing key file C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\168e7b8f3d0218d0f63c777b0d0f42e6_1b1b3e72-ee7d-40b1-9274-44218838fea3
Key with GUID L.KES found.  <== local user
Skipping key L.KES because it's not matching the targeted GUID(s).
...

[+] Processing key file C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de2ab330c3c4b55a636d661421690fe6_1b1b3e72-ee7d-40b1-9274-44218838fea3
Key with GUID {E15FE536-86B8-49D7-B982-D662D77F412A} found.  

[++] SYSTEM MASTER_KEY - decrypted with the LSA DPAPI secret key
----------------------------------------------------------------

I've run hashcat on the hash it returns for {E15FE536-86B8-49D7-B982-D662D77F412A} twice, and
it only returns a Recovered if I give 7 x ?d,
but then shows a blank line using hashcat --show hashcat.potfile.
Notepad hashcat.potfile just shows a copy of the hash?


Am I wrong in thinking it is the first GUID listed in the Keys folder that is my Live user which uses the PIN?

Is the GUID in the Protectors\1\2.dat always the last user signed in?

How do I find the GUID for all users in the registry?
Do the file names in the Keys folder mean anything? I searched the registry and it doesn't find them.

I did a regedit search for the user-friendly name of my Live username and it matched the first entry in the Keys folder,
i.e. 9773f96f9d334d77_live-id
How do I hack the PIN for that user or the last/current logged-in user?

I tried to match the text 9773f96f9d334d7
 if ' 9773f96f9d334d7' in penguids;
and it never matched.
Also tried
if ' 9773f96f9d334d7' in '{penguids}'; etc.

Guessing it's the ascii[0]s that mess it up.

I'm more a Perl guy than a Python one; only just started looking at Python because of this script.


Is it possible to just hack them all to be sure?

Can I do the PIN hack manually using hashcat tools?

It is my PC and I'm admin; I just have some old local users and two Hotmail/Live accounts.

Finally got it to work and it shows blank/nada/nothing... Frustrating, or what? :-P
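As an added illustration of the matching problem described in this post (my example, not code from winhello2hashcat or from the poster), here is a normalising comparison that survives the three things most likely to defeat a plain `in` test: a GUID read back as raw UTF-16LE bytes (the NUL "ascii[0]" padding the poster suspects), surrounding braces, and upper/lower-case differences. The byte string and the target list are constructed, and it is an assumption that the script's own values look like this.

```python
import re

# Constructed sample data (not taken from the script): the GUID quoted in the
# thread as it would look if read back as a raw UTF-16LE wide string, which
# puts a NUL byte after every character, plus a target list holding the same
# GUID in braced upper-case form.
RAW_DESCRIPTION = "{e15fe536-86b8-49d7-b982-d662d77f412a}".encode("utf-16-le")
TARGET_GUIDS = ["{E15FE536-86B8-49D7-B982-D662D77F412A}"]

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def _candidate_texts(value):
    """Yield readings of the value: UTF-16LE first (Windows wide strings),
    then the bytes with NULs dropped read as ASCII, then str as-is."""
    if isinstance(value, bytes):
        if len(value) % 2 == 0:
            try:
                yield value.decode("utf-16-le")
            except UnicodeDecodeError:
                pass
        yield value.replace(b"\x00", b"").decode("ascii", errors="ignore")
    else:
        yield str(value)


def normalize_guid(value):
    """Return a canonical lower-case, brace-free GUID, or None when the value
    holds no GUID at all (a 16-hex-digit key name is not one)."""
    for text in _candidate_texts(value):
        match = GUID_RE.search(text.replace("\x00", "").lower())
        if match:
            return match.group(0)
    return None


def naive_match(raw, targets):
    """The kind of test that fails: decoding the wide string as UTF-8 keeps
    the NUL padding, so the text never equals (or sits inside) any target."""
    text = raw.decode("utf-8", errors="ignore")
    return any(text == t or text in t for t in targets)


def guid_in_targets(candidate, targets):
    """Encoding-, brace- and case-insensitive membership test."""
    wanted = normalize_guid(candidate)
    if wanted is None:
        return False
    return wanted in {normalize_guid(t) for t in targets}
```

A value such as 9773f96f9d334d77 is 16 hex digits, not a 32-digit GUID, so normalize_guid() returns None for it and it can never be a member of a GUID list, whatever comparison the script itself uses.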
#9
PS.

Salting is adding a start pattern?

I'm pretty sure my PIN started using 3 digits, and it's the last 3 or 4 that have gone from my memory for some daft reason. Is there a way to get hashcat to skip the first 3 digits and just do the last 3 or 4 digits?

I've tried all sorts of variations, and I think that's overwritten my instinctive memory, so I now will not remember it.
Any help is appreciated.
#10
I have difficulty following your explanation...
Either way, if you have the hash in your potfile, make sure to check the end of it - everything after the last ":" is the found pass.
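The rule in this reply (the plain is everything after the last ":") as an added worked example that is not part of the thread: split a potfile line, decode the plain including hashcat's $HEX[...] form, and name the leading $WINHELLO$ fields the winhello2hashcat output labels. The sample lines are constructed; the hash body after the 2528a059 salt is a placeholder and the PIN value is made up.

```python
import binascii

# Constructed potfile lines in the shape hashcat writes (hash:plain). The
# leading fields copy the "$WINHELLO$*SHA512*10000*2528a059" prefix quoted in
# the thread; the rest of the hash is a placeholder and the PIN is made up.
SAMPLE_POTFILE_LINE = "$WINHELLO$*SHA512*10000*2528a059*PLACEHOLDER_FIELDS:1234567"
# hashcat stores plains containing bytes it treats as unsafe as $HEX[...].
SAMPLE_HEX_LINE = "$WINHELLO$*SHA512*10000*2528a059*PLACEHOLDER_FIELDS:$HEX[31323334353637]"


def split_potfile_line(line):
    """Return (hash, plain). The plain is everything after the LAST ':' so a
    ':' inside the hash cannot confuse the split; a line with no ':' at all
    is a bare hash with nothing recovered and comes back as (hash, None)."""
    line = line.rstrip("\r\n")
    hash_part, sep, plain = line.rpartition(":")
    if not sep:
        return line, None
    return hash_part, plain


def decode_plain(plain):
    """Turn a potfile plain into text, unwrapping hashcat's $HEX[..] form."""
    if plain.startswith("$HEX[") and plain.endswith("]"):
        return binascii.unhexlify(plain[5:-1]).decode("utf-8", errors="replace")
    return plain


def winhello_fields(hash_str):
    """Name the leading '*'-separated fields of a $WINHELLO$ hash that the
    winhello2hashcat output in the thread labels (algorithm, PIN iterations,
    PIN salt); anything after those is counted but left uninterpreted."""
    parts = hash_str.split("*")
    if parts[0] != "$WINHELLO$" or len(parts) < 4:
        raise ValueError("not a $WINHELLO$ hash line")
    return {
        "algo": parts[1],
        "pin_iterations": int(parts[2]),
        "pin_salt": parts[3],
        "extra_fields": len(parts) - 4,
    }


def recovered_pin(line):
    """The decoded PIN for a potfile line, or None when the line carries no
    plain at all (an empty plain is also reported as None, since a Windows
    Hello PIN is never empty)."""
    _, plain = split_potfile_line(line)
    if not plain:
        return None
    return decode_plain(plain)
```

Note that hashcat --show takes the original hash file as its argument, together with the same -m 28100, and looks the results up in the potfile itself; pointing it at the potfile instead is not how it is meant to be used.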