NTHash extraction from SAM and SYSTEM. (mounted to registry)
Extract NTHashes from Windows systems using PowerShell scripts. This script uses information from the SAM and SYSTEM registry keys to collect NTHashes used in Windows systems.
Run the ps1 file with administrator privileges.
./Get-PasswdHashes.ps1.
(USERNAME):1004:aad3b435b51404eeaad3b435b51404ee:36aa83bdcab3c9fdaf321ca42a31c3fc:::
| NThash | PlainPassword |
|---|---|
| 36aa83bdcab3c9fdaf321ca42a31c3fc | pass |
In Windows operating systems, user account information and associated password hashes are stored in the SAM (Security Account Manager) database. System configuration information is also stored in the SYSTEM registry key. To extract the NTLM hashes from these data, perform the following steps
- Use a PowerShell script to retrieve information from the SAM-database(mounted to registry) and the SYSTEM-registry.
- Extract the user name and encrypted NTHash for each user account from the SAM-database.
- Retrieve data for each system configuration information from the SYSTEM registry key. This data includes the type of hash function used on each system and the version of the NTLM hash generated by that hash function.
- The retrieved information is analyzed and the NTLM hash is extracted in composite form.
See ### SAM Decryption Flow for details.
R. Chandel, "Credential Dumping: SAM - Hacking Articles," Apr. 2020, .
This script is based on various existing projects. Thank you!
This script is for research purposes only. All activities conducted using this script must comply with legal and ethical regulations. You must also obtain the explicit permission of the system owner before using this script.
The following resources were used as references in the development of this script.