samdump2 NTLM hash
#1
Hi,

I was trying to extract Windows 10 hash from SYSTEM and SAM using Samdump2 but for some reason I'm not able to recover the known password. 

I didn't use The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) Live during boot, I basically ran cmd in admin mode.
Code:
reg save hklm\sam c:\sam
Code:
reg save hklm\system c:\system
Transferred both files to shared The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) Linux folder for VM (/media/shared)

In The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) 
Code:
samdump2 -o winhash /media/shared/system /media/shared/sam
Transferred winhash back to windows hashcat folder

On Hashcat
Code:
hashcat64 -m 1000 winhash -a 3 ?a?a?a?a?a?a?a?a

But no luck. 
When I tried an NTLM generator online, the hash was different from winhash too... 

Appreciate the help. Thanks
#2
This is not a hashcat issue.
You will have to figure out why you won't get the hash you'd expect.
Try using different tools to dump the hashes from SAM.

Some older versions of different tools also sometimes gave corrupt hashes when dumping.
Samdump2 1.0.1 had this issue. Also some other versions of FGDump, Cain etc.

(google "stamp out hash corruption" from BlackHat 2012)


// BBN