Windows 10 Online Account
#1
I'm trying to extract hashes for a Windows 10 online account. As it authenticates to Microsoft servers, the hash is not stored in the SAM file. Sign in is possible with the machine offline, so the credentials must be cached somewhere on the local machine. Anyone have any experience extracting these hashes?
#2
Your offline credentials are stored in the SAM file. It has changed encryption with the new update according to: https://twitter.com/gentilkiwi/status/76...0132384770
You will have to use Mimikatz to recover the hash.
Note: you cannot view your SAM file directly while booted up and logged in, else it will appear empty.
#3
Mimikatz takes your creds from the dump file.

But you are right @Sherlock12, they must be stored somewhere.
#4
I think that the hashes can still be cached and this process can somehow be compared to cached credentials within a local domain (LSA etc). I'm not an expert in this regard, but there must be some way to login to your work station even if the (local) network (domain controller etc) is down.

The credentials *could* still be cached (most probably also using the registry, just within other registry areas/keys)... the good news is that most password dump tools (including mimikatz, cachedump, creddump... etc, I'm not too sure which tool is the best one to use, maybe someone else could jump in here, but I think most of them should do the job just fine) know all these keys/locations of cached/stored passwords and therefore the user does not need to know where the hashes come from.
#5
Thanks for the replies, most helpful. I was able to pull the hash successfully with Mimikatz. Step by step as follows:

1) Download Mimikatz
2) Extract target SAM and SYSTEM hives
3) Move SAM and SYSTEM hives to Mimikatz folder
4) Run Mimikatz
5) Use the following command within the Mimikatz interface: lsadump::sam /system:SYSTEM /sam:SAM

This was my first time using this forum, big fan of the results!!
#6
(05-16-2017, 08:50 PM)Sherlock12 Wrote: I'm trying to extract hashes for a Windows 10 online account. As it authenticates to Microsoft servers, the hash is not stored in the SAM file. Sign in is possible with the machine offline, so the credentials must be cached somewhere on the local machine. Anyone have any experience extracting these hashes?

Authentication credentials for MS accounts are stored in registry (Win8) and system directory (Win10). Strong PBKDF2 is used to protect the credentials. No point in brute-forcing. You can successfully try to brute-force the DPAPI master key instead to figure out the user's logon password without accessing SAM hashes.
#7
(05-19-2017, 06:03 PM)Sherlock12 Wrote: Thanks for the replies, most helpful. I was able to pull the hash successfully with Mimikatz. Step by step as follows:

1) Download Mimikatz
2) Extract target SAM and SYSTEM hives
3) Move SAM and SYSTEM hives to Mimikatz folder
4) Run Mimikatz
5) Use the following command within the Mimikatz interface: lsadump::sam /system:SYSTEM /sam:SAM

This was my first time using this forum, big fan of the results!!

So basically what you did was take these two files (C:\Windows\System32\config\SAM & SYSTEM) offline and use Mimikatz afterwards on a different machine?

(05-20-2017, 03:15 PM)justme Wrote: Authentication credentials for MS accounts are stored in registry (Win8) and system directory (Win10). Strong PBKDF2 is used to protect the credentials. No point in brute-forcing. You can successfully try to brute-force the DPAPI master key instead to figure out the user's logon password without accessing SAM hashes.

Can you clarify yourself please?
#8
Some useful info that I have come across on this.

Authentication credentials are stored differently in the SAM/SYSTEM files when using a 'normal' offline Windows account compared to an 'online' Microsoft account. Samdump2, for example, will incorrectly give you the NTLM for an empty string if a Microsoft account is being used, but Mimikatz will correctly give you the right NTLM.

When a user logs into their machine using their Microsoft account, their details will be cached onto the machine, which allows them to log on even if they are offline. If a user changes their Microsoft account password online on a different machine/device, even if the original machine is connected to the internet, they can proceed to log in using the old password. It is only when they log in with the new password that the cached details get updated.