LSADump

Description

LSADump decrypts LSA secrets from the registry and dumps the Security Account Manager (SAM) database, which contains the NTLM hashes, and sometimes the LM hashes, of user passwords. It works in two modes: online (running as the SYSTEM user or with a SYSTEM token) or offline (from the SYSTEM and SAM hive files or a backup of them).

Usage

Syntax

lsa-dump.py <system hive> <security hive> <Vista/7>

Example

cyborg@cyborg:~$ sudo lsadump /media/Windows/System32/config/SYSTEM /media/Windows/System32/config/SECURITY true
NL$KM
0000   40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    @...............
0010   51 E8 4B FF 43 C8 9A 07 D7 91 E4 CE 79 43 59 05    Q.K.C.......yCY.
0020   E0 8F 4D 38 12 94 42 89 9C 0A 79 E0 C2 93 BF C9    ..M8..B...y.....
0030   94 BC FE 43 59 8C 41 FC D4 DB DC C1 D0 F3 9A 8C    ...CY.A.........
0040   EF 88 94 F6 08 68 67 A2 99 00 BE 43 69 5C 58 A9    .....hg....Ci.X.
0050   EF 73 DB DB F5 DF 0A 98 30 02 CE 60 0E 20 A0 0A    .s......0..`. ..

DPAPI_SYSTEM
0000   2C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ,...............
0010   01 00 00 00 61 63 E1 9B 61 89 17 66 72 84 47 D3    ....ac..a..fr.G.
0020   3A 57 E3 CD 16 9B 99 56 E2 F2 56 F4 93 33 93 52    :W.....V..V..3.R
0030   44 32 A6 9D 6D 53 C6 D5 5B 1C 08 1D 00 00 00 00    D2..mS..[.......

DefaultPassword
0000   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0010   94 F4 D6 4D 4F F6 4C 48 80 64 0F 2E BE 7D C2 51    ...MO.LH.d...}.Q
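The dump above is a raw hexdump of each decrypted secret, which is awkward to review by hand. The following added example (not part of the page or of the LSADump tool) parses that output format and strips the per-secret framing visible in the dump: a 4-byte little-endian length, 12 unused bytes, the value, then padding to the 16-byte AES block size. This framing, the DPAPI_SYSTEM layout (version DWORD, 20-byte machine key, 20-byte user key) and the UTF-16LE encoding of DefaultPassword are assumptions taken from the observed output and public parsers, not something the page states. The sample input is a constructed copy of two sections from the dump above; the function names are the example's own. From a defender's point of view the useful check is the last one: a non-empty DefaultPassword means a cleartext autologon password is stored on the host.

```python
import re

# Constructed sample: two sections copied from the lsadump output shown on this page.
SAMPLE_DUMP = """\
DPAPI_SYSTEM
0000   2C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ,...............
0010   01 00 00 00 61 63 E1 9B 61 89 17 66 72 84 47 D3    ....ac..a..fr.G.
0020   3A 57 E3 CD 16 9B 99 56 E2 F2 56 F4 93 33 93 52    :W.....V..V..3.R
0030   44 32 A6 9D 6D 53 C6 D5 5B 1C 08 1D 00 00 00 00    D2..mS..[.......

DefaultPassword
0000   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0010   94 F4 D6 4D 4F F6 4C 48 80 64 0F 2E BE 7D C2 51    ...MO.LH.d...}.Q
"""

# One hexdump row: 4-digit offset, then up to 16 "XX " byte groups. The ASCII
# column is separated from the last byte by extra spaces, so the group pattern
# stops before it.
HEX_ROW = re.compile(r"^[0-9A-Fa-f]{4}\s+((?:[0-9A-Fa-f]{2} ){1,16})")


def parse_dump(text):
    """Return {secret_name: raw_blob_bytes} from lsadump-style output."""
    secrets, name, buf = {}, None, bytearray()
    for line in text.splitlines():
        m = HEX_ROW.match(line)
        if m:
            if name is None:
                raise ValueError("hex row before any secret name")
            buf += bytes.fromhex(m.group(1))   # fromhex skips the spaces
        elif line.strip():                     # any other non-empty line names the next secret
            if name is not None:
                secrets[name] = bytes(buf)
            name, buf = line.strip(), bytearray()
    if name is not None:
        secrets[name] = bytes(buf)
    return secrets


def unpack_secret(blob):
    """Strip the secret framing (assumed from the dump above and public parsers):
    4-byte little-endian length, 12 unused bytes, the value, then padding up to
    the 16-byte AES block boundary."""
    if len(blob) < 16:
        raise ValueError("blob shorter than the 16-byte header")
    length = int.from_bytes(blob[:4], "little")
    value = blob[16:16 + length]
    if len(value) != length:
        raise ValueError("declared length %d exceeds available data" % length)
    return value


def split_dpapi_system(value):
    """DPAPI_SYSTEM value layout (assumed): DWORD version, 20-byte machine key,
    20-byte user key. Returns (version, machine_key, user_key)."""
    if len(value) != 44:
        raise ValueError("unexpected DPAPI_SYSTEM length %d" % len(value))
    version = int.from_bytes(value[:4], "little")
    return version, value[4:24], value[24:44]


def default_password(secrets):
    """Return the autologon password as text, or None when DefaultPassword is
    absent or empty (length field 0), as it is in the dump above. A non-empty
    value means a cleartext autologon password is stored on the host."""
    blob = secrets.get("DefaultPassword")
    if blob is None:
        return None
    value = unpack_secret(blob)
    return value.decode("utf-16-le") if value else None


def summarize(text):
    """Parse a dump and report what a reviewer wants to know at a glance."""
    secrets = parse_dump(text)
    report = {
        "secrets": sorted(secrets),
        "autologon_password_set": default_password(secrets) is not None,
    }
    if "DPAPI_SYSTEM" in secrets:
        version, machine_key, user_key = split_dpapi_system(
            unpack_secret(secrets["DPAPI_SYSTEM"]))
        report["dpapi_version"] = version
        report["dpapi_machine_key"] = machine_key.hex()
        report["dpapi_user_key"] = user_key.hex()
    return report


if __name__ == "__main__":
    for key, val in summarize(SAMPLE_DUMP).items():
        print("%-24s %s" % (key, val))
```

Run it on a saved copy of the tool's output instead of `SAMPLE_DUMP` to get the same summary for a real dump; the length check in `unpack_secret` will raise rather than silently return a truncated value if a section was cut off.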