NTLMv1/2 Hash Dumper

Windows NTLM hash dump utility written in C language, that supports Windows and Linux.

Hash dumper has got 2 modes:

• Realtime mode (only for windows);
• Extraction mode (dumps from saved SAM and SYSTEM hives files);

Table of content

• Responsibility
• Building the project
• Manual

Responsibility

The author is not responsible for the actions of third parties committed while using the provided software. This software is regarded as a tool for legal penetration testing or conducting research. In case of misuse, the author does not bear any responsibility for the actions of third parties.

Building the project

For building required OpenSSL >= 3.0 or OpenSSL 1.1.1 library. Use cmake to generate a solution for Visual Studio or Make file. If CMake cannot find OpenSSL, than set OPENSSL_ROOT_DIR and OPENSSL_LIB_DIR variables.

If OpenSSL >= 3.0 was chosen, than legacy provider have to be compiled for RC4 and DES

• Compiling OpenSSL for Windows
• Running CMake with OpenSSL
• How to enable legacy provider?

Basic setup

Cloning repository

$ git clone https://github.com/Retr0-code/hash-dumper
$ git submodule update --init

---

If You work alone

$ git branch dev_<username>
$ git checkout dev_<username>
$ git push -u origin dev_<username>

OR

If You work in a small team

$ git checkout dev_<team_tag>
$ git pull

Building using cmake

Use BUILD_ARCH parameter to specify architecture of output binary

Architectures:

• amd64 (default);
• i386;

Use BUILD_TARGET parameter to specify compiling configuration

Configurations:

• RELEASE (default);
• DEBUG;

Manual

You can use this utility to dump NTLMv1/2 hashes from already compromised host by using --realtime flag

> ./hash_dumper.exe --realtime
[+] Hives successfully opened
[+] Successfully dumped bootkey: 2766FA60DBAB4DEE67237AC942E35271
[+] Successfully hashed the bootkey: 966408e98667069a4884956c5e397575

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:9cf3445f9555a4c246fe2c3c2446b103:::
sandbox:1002:aad3b435b51404eeaad3b435b51404ee:67b6acadb87c12e9d84e6e73b6883601:::

[+] Successfully finished

Otherwise You can extract hashes from already saved hives using parameters --sam <path_to_sam_hive> and --system <path_to_system_hive>

> ./hash_dumper.exe --sam hives/sam --system hives/system
[+] Hives successfully opened
[+] Successfully dumped bootkey: 2766FA60DBAB4DEE67237AC942E35271
[+] Successfully hashed the bootkey: 966408e98667069a4884956c5e397575

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:9cf3445f9555a4c246fe2c3c2446b103:::
sandbox:1002:aad3b435b51404eeaad3b435b51404ee:67b6acadb87c12e9d84e6e73b6883601:::

[+] Successfully finished

If You supply all parameters only --realtime will work.