Password Hashes

Inspired by the CQURE 5-day challenge I’ve decided to document some of the things that I’ve learned from the daily assessments. 🙂


When you log in to your Windows machine, the password you typed is compared with the information stored in the SAM database. It is important to know that Windows does not store any password information in cleartext: within that database only the hash value is stored. A hash is the result of a one-way calculation.

That means hashing is a form of cryptographic protection that differs from encryption. Encryption is a two-step process, used first to encrypt and later to decrypt a message, whereas hashing condenses a message into an irreversible fixed-length value, the hash. Two of the most common hashing algorithms seen in networking are MD5 and SHA-1. As a side note, Windows uses MD4 for its NTLM (NT) hashes.

Let’s use the tool CQHashcalc.exe to generate a sample hash for a user:

CQHashcalc.exe "Password" "user"

username: user / password: P@ssw0rd

MD4(NTHash): E19CCF75EE54E06B06A5907AF13CEF42
SHA1: 9131834CF4378828626B1BECCAA5DEA2C46F9B63
MSDCC2: 8D655A0CD9094CF8CFA3BF191E732199

Now we change the password to P@sSw0rd and notice that we get a different MD4 hash value.

MD4(NTHash): 6CEB26D5BF9354C62EACF0784247C926
SHA1: 8696B6F261A647C1073E8808B9251F795CB2CF4F
MSDCC2: 6C966092BFC1005E2E474C6A7E2066EE

Hashes cannot be reversed mathematically, but they can be cracked by using rainbow tables (sets of precalculated hashes), online cracking databases, or tools like Hashcat.

In this article the focus is on how to obtain the hashes from a Windows system. A closer look at how to crack them may be the subject of another article.

Let’s continue with a tool called CQHashdumpv2.exe. With its help we are able to dump the hashes live, provided it runs under the SYSTEM account. We already discussed in the previous topic how to get a cmd running as LocalSystem.

psexec -s -i -d cmd.exe

CQHashdumpv2.exe --samdump

Note that the MD4 NTLM hash is censored in the picture above. If we have a copy of the SAM and SYSTEM files, we can also do an offline dump. The SYSTEM file is needed to decrypt the SAM file.

CQHashdumpv2.exe --samdump --sam=SAM --system=SYSTEM

I’m curious and use Crackstation to see if I get a match for the extracted hashes. 🙂

But what about Active Directory? On a Windows domain controller, passwords are not stored in a SAM database. Here we have to take a closer look at a file named NTDS.DIT. Like the SAM database it is also protected by the system, but we can use the same technique that was explained in the previous topic: create a Volume Shadow Copy or use an existing one, then create a symlink to the Volume Shadow Copy and copy the files away 😉

Note: NTDS.DIT is located at C:\Windows\NTDS\NTDS.dit and the SYSTEM file is found at C:\Windows\System32\config\SYSTEM.

Sadly no NTDS.dit file was provided for this lab, but it took me only a short while to find one from someone else. Thank you Didier Stevens for providing this file 🙂

(I think that’s from a Windows 2003 domain controller.)

Download it together with the extraction/dumping tools for the further exercise.

First I run the tool esedbexport.exe against the NTDS.dit file to extract the tables:

esedbexport.exe ntds.dit

Important for us are the datatable and the link_table, which we need for the further extraction steps.

python ..\ntds.dit.export\datatable.3 ..\ntds.dit.export\linktable.4 --passwordhashes ..\system >..\hashes.txt

For some reason it failed at the second step, „Extracting schema information“ – 100% -> 0 records processed 🙁

After searching for an alternative I came across another toolkit called Impacket.

It’s very easy to install by running pip install impacket in the extracted directory.

In the examples folder we find a Python script called  which we can run against the ntds.dit and SYSTEM files to extract the hashes:

python -ntds ..\ntds.dit -system ..\system local just-dc-ntlm

Bingo! We’re done 🙂
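Once the hashes are out, the defender's next step is to check what they reveal about the accounts. The following added example (not from the original post and not part of Impacket) parses dump lines in the pwdump-style format `user:rid:lmhash:nthash:::` that Impacket's secretsdump prints (the format is assumed here), and flags accounts with an empty password, accounts that still carry an LM hash, and accounts that share one NT hash, i.e. reuse a password. The sample lines are constructed; the two well-known constants are the LM and NT hashes of the empty password, and the NT hash values are the ones shown earlier in this post.

```python
# Added example: audit a pwdump-style hash dump. Not the post's or Impacket's code.
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# Constructed sample dump: the LM value on the last line is a made-up hex string.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
legacyuser:1106:0123456789abcdef0123456789abcdef:6ceb26d5bf9354c62eacf0784247c926:::
[*] a status line from the tool that must be skipped
"""


def parse_dump(text):
    """Return (user, rid, lm, nt) tuples; skip anything that is not a hash line."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:           # 32 hex digits each, per the Q&A below
            continue
        rows.append((user, rid, lm, nt))
    return rows


def audit(rows):
    """Flag empty passwords, surviving LM hashes, and password reuse across accounts."""
    findings = {"empty_password": [], "lm_hash_present": [], "shared_nt_hash": {}}
    by_nt = defaultdict(list)
    for user, rid, lm, nt in rows:
        if nt == EMPTY_NT:
            findings["empty_password"].append(user)
        if lm != EMPTY_LM:                            # LM should be disabled everywhere
            findings["lm_hash_present"].append(user)
        by_nt[nt].append(user)
    # The NT hash is unsalted, so identical hashes mean identical passwords.
    findings["shared_nt_hash"] = {nt: users for nt, users in by_nt.items()
                                  if len(users) > 1 and nt != EMPTY_NT}
    return findings


if __name__ == "__main__":
    for key, value in audit(parse_dump(SAMPLE_DUMP)).items():
        print(f"{key}: {value}")
```

Feed it the real dump instead of SAMPLE_DUMP to get the same three lists for your environment; the shared-hash list is the one that usually needs follow-up, because a shared password on a service account and an admin account turns one cracked hash into two compromised accounts.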

Some recurring questions:

Which algorithm is used for calculating hashes of passwords in Windows?
MD4 (the NTLM/NT hash), as noted above

How are password hashes protected in the SAM database?
The hashes are encrypted with a key stored in the SYSTEM registry hive

What are „rainbow tables“?
A set of precalculated hashes for the most popular passwords

Where is the SAM database stored on the disk?

How is the password hash usually displayed?
As 32 hex digits (0-9, A-F)
