erwan2212 / NTHASH-FPC


/symbol not working on latest win10 #11

Closed erwan2212 closed 3 years ago

erwan2212 commented 4 years ago

To start with: dbghelp.dll, symsrv.dll and symsrv.yes need to be in the nthash folder. Files are provided in dbghelpX64.zip.

Also, /symbol exists for the following reason: rather than using a hardcoded memory offset, /symbol will query MS symbol servers to find a memory offset. This way, nthash should be able to operate on newer Windows versions.
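As an added illustration of what that symbol lookup involves (example code written for this page, not nthash's own implementation): dbghelp/symsrv read the CodeView "RSDS" record from a module's PE debug directory, turn its GUID and age into a key, and fetch `<pdb>/<KEY>/<pdb>` from the symbol server, caching the file under the same layout. The GUID, age and the `lsasrv.pdb` path below are constructed placeholders, and the download helper is only shown, not called, so the block runs offline.

```python
import struct
import urllib.request
import uuid
from dataclasses import dataclass
from pathlib import Path

SYMBOL_SERVER = "https://msdl.microsoft.com/download/symbols"


@dataclass(frozen=True)
class CodeViewInfo:
    guid: uuid.UUID
    age: int
    pdb_name: str


def parse_rsds(record: bytes) -> CodeViewInfo:
    """Parse a CodeView 'RSDS' record (the IMAGE_DEBUG_TYPE_CODEVIEW payload).

    Layout: b'RSDS' | GUID (16 bytes, little-endian fields) | uint32 age | NUL-terminated PDB path.
    """
    if len(record) < 25 or record[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record")
    guid = uuid.UUID(bytes_le=record[4:20])
    (age,) = struct.unpack_from("<I", record, 20)
    end = record.find(b"\x00", 24)
    if end == -1:
        raise ValueError("PDB path is not NUL-terminated")
    path = record[24:end].decode("utf-8", errors="replace")
    # The server is keyed on the bare file name, not the build machine's full path.
    pdb_name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return CodeViewInfo(guid, age, pdb_name)


def build_rsds(guid: uuid.UUID, age: int, pdb_path: str) -> bytes:
    """Inverse of parse_rsds; used here only to construct sample input."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode("utf-8") + b"\x00"


def symbol_key(info: CodeViewInfo) -> str:
    """Symbol-server key: GUID as 32 uppercase hex digits (no dashes) followed by the age in hex, unpadded."""
    return f"{info.guid.hex.upper()}{info.age:X}"


def symbol_url(info: CodeViewInfo, server: str = SYMBOL_SERVER) -> str:
    """URL symsrv requests: <server>/<pdb>/<KEY>/<pdb>."""
    return f"{server}/{info.pdb_name}/{symbol_key(info)}/{info.pdb_name}"


def cache_path(info: CodeViewInfo, cache_dir: str) -> str:
    """Where symsrv stores the file in a local cache: <cache>\\<pdb>\\<KEY>\\<pdb>."""
    return "\\".join([cache_dir.rstrip("\\"), info.pdb_name, symbol_key(info), info.pdb_name])


def fetch_pdb(info: CodeViewInfo, cache_dir: str) -> Path:
    """Download the PDB into the symsrv-style cache (needs network; not exercised offline)."""
    dest = Path(cache_path(info, cache_dir))
    dest.parent.mkdir(parents=True, exist_ok=True)
    with urllib.request.urlopen(symbol_url(info)) as resp:
        dest.write_bytes(resp.read())
    return dest


# Constructed sample: a made-up GUID, age and build path standing in for a real lsasrv.dll debug record.
SAMPLE_GUID = uuid.UUID("01020304-0506-0708-090a-0b0c0d0e0f10")
SAMPLE_RECORD = build_rsds(SAMPLE_GUID, 1, r"D:\build\lsa\lsasrv.pdb")

if __name__ == "__main__":
    info = parse_rsds(SAMPLE_RECORD)
    print(symbol_url(info))
    print(cache_path(info, r"C:\symbols"))
```

Once the PDB is on disk, dbghelp resolves the wanted symbol to an RVA that is added to the module's load address in LSASS; that is why the files have to be present next to the binary and why a run without internet only works if the matching PDB is already cached.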

erwan2212 commented 4 years ago

Also note that you need to run with "IsElevated:True" whenever you are going to read/write LSASS memory.

You can check this out with nthash-win64 /context and you can elevate with nthash-win64 /runas.

Papotito123 commented 4 years ago

Hello: Win 10 2004 build 19041.508 x64, TESTACCOUNT (local user account), Defender Real-Time disabled. Last time I ran /logonpasswords /symbol without internet.

Now I ran it with internet and the latest nthash code (erwan2212 "some extra checks around findlsakeys" f66843c):

C:\Users\TESTACCOUNT\Downloads\NTHASH-FPC-master(18OCT2020)\NTHASH-FPC-master\NTHASH>NTHASH-win64.exe /context
NTHASH 1.8 x64 by erwan2212@gmail.com
Windows Version:10.0.19041-2004
Architecture:AMD64
Username:TESTACCOUNT
IsAdministratorAccount:True
IsElevated:True
DebugPrivilege:True
LSASS PID:992

C:\Users\TESTACCOUNT\Downloads\NTHASH-FPC-master(18OCT2020)\NTHASH-FPC-master\NTHASH>NTHASH-win64.exe /logonpasswords /symbol
NTHASH 1.8 x64 by erwan2212@gmail.com


LUID:0004AC03 username:ANONYMOUS LOGON domain:NT AUTHORITY


LUID:00031CB0 username:TESTACCOUNT domain:DESKTOP-RA99DA6 ->CredentialManager:1E697C12050 -CREDENTIALW:1E6974D9430 CREDENTIALS.AuthID:00000003 ->Primary domain:. username:TESTACCOUNT ntlm:C0C2FD49FE7F00000001000100000000 sha1:00000000000000000000A8D52213DBBCD280CA94


LUID:00031C2E username:TESTACCOUNT domain:DESKTOP-RA99DA6 ->CredentialManager:1E697C12050 -CREDENTIALW:1E6974D9430 CREDENTIALS.AuthID:00000003 ->Primary domain:. username:TESTACCOUNT ntlm:C0C2FD49FE7F00000001000100000000 sha1:00000000000000000000A8D52213DBBCD280CA94


LUID:000003E5 username:LOCAL SERVICE domain:NT AUTHORITY ->CredentialManager:1E697492170 -CREDENTIALW:1E6974D9AF0


LUID:00018176 username:DWM-1 domain:Window Manager ->CredentialManager:1E69749F8B0 -CREDENTIALW:1E69748D230


LUID:00018152 username:DWM-1 domain:Window Manager ->CredentialManager:1E69749F8B0 -CREDENTIALW:1E69748D230


LUID:000003E4 username:DESKTOP-RA99DA6$ domain:WORKGROUP ->CredentialManager:1E697492C20 -CREDENTIALW:1E69748DB30


LUID:00012F8E username:UMFD-1 domain:Font Driver Host ->CredentialManager:1E69749F6D0 -CREDENTIALW:1E69748D8F0


LUID:00012F3A username:UMFD-0 domain:Font Driver Host ->CredentialManager:1E69749F950 -CREDENTIALW:1E69748D6B0


LUID:00012A8B

C:\Users\TESTACCOUNT\Downloads\NTHASH-FPC-master(18OCT2020)\NTHASH-FPC-master\NTHASH>

What is this -CREDENTIALW entry? It is populated with a value.

erwan2212 commented 4 years ago

/logonpasswords should now work fine in Win10 2004 with or without symbol.

Hashes should also be displayed OK.

Papotito123 commented 4 years ago

Hello: Will try later and feedback.

Papotito123 commented 4 years ago

Hello: Win10 2004 /logonpasswords with or without symbol, with or without internet: now used nthash erwan2212 "windows 2004 support" f4487b1.

Paspotito123_logonpasswords-symbol(w2004H1).txt

Papotito123 commented 4 years ago

Hello: Win 10 1909 x64 MicrosoftAccount user. Tested latest nthash (chrome.zip updated):

C:\Users\PROBANDO\Desktop\NTHASH-FPC-master(16NOV2020)\NTHASH-FPC-master\NTHASH>NTHASH-win64.exe /logonpasswords /symbol
NTHASH 1.8 x64 by erwan2212@gmail.com


LUID:0005B411 username:PROBANDO domain:DESKTOP-2GHHNFK ->CredentialManager:004D3950 -CREDENTIALW:004CF1F0 CREDENTIALS.AuthID:00000003 ->Primary domain:MicrosoftAccount username:myemail@outlook.com ntlm:30CAB6E5FB7F00000001000000000000 sha1:00000000000000000000AB13E125EF6F7E0E6001


LUID:0005A7B6 username:PROBANDO domain:DESKTOP-2GHHNFK ->CredentialManager:004D3950 -CREDENTIALW:004CF1F0 CREDENTIALS.AuthID:00000003 ->Primary domain:MicrosoftAccount username:myemail@outlook.com ntlm:30CAB6E5FB7F00000001000000000000 sha1:00000000000000000000AB13E125EF6F7E0E6001


LUID:0003BD96 username:ANONYMOUS LOGON domain:NT AUTHORITY


LUID:000003E5 username:LOCAL SERVICE domain:NT AUTHORITY ->CredentialManager:0049B760 -CREDENTIALW:004CEFB0


LUID:00015345 username:DWM-1 domain:Window Manager ->CredentialManager:00495770 -CREDENTIALW:00472D70


LUID:00015315 username:DWM-1 domain:Window Manager ->CredentialManager:00495770 -CREDENTIALW:00472D70


LUID:000003E4 username:DESKTOP-2GHHNFK$ domain:TESTLAB ->CredentialManager:00455AF0 -CREDENTIALW:00472470 TargetName:Schannel Security Package


LUID:0000F870 username:UMFD-1 domain:Font Driver Host ->CredentialManager:004956D0 -CREDENTIALW:00473670


LUID:0000F836 username:UMFD-0 domain:Font Driver Host ->CredentialManager:00495E50 -CREDENTIALW:004726B0


LUID:0000F39E

The NTLM and SHA1 are not real ones.

According to mimi:
Authentication Id : 0 ; 373777 (00000000:0005b411)
Session : Interactive from 1
User Name : PROBANDO
Domain : DESKTOP-2GHHNFK
Logon Server : (null)
Logon Time : 11/16/2020 8:59:36 PM
SID : S-1-5-21-xxxxxxxxxxxxxxxxxxxxxxx
msv :
[00000003] Primary

So I tested in Win 10 2004H1 x64 MicrosoftAccount user:

C:\Users\dinda\Desktop\NTHASH-FPC-master(16NOV2020)\NTHASH-FPC-master\NTHASH>nthash-win64 /logonpasswords /symbol
NTHASH 1.8 x64 by erwan2212@gmail.com


LUID:0004B8AC username:dinda domain:DESKTOP-RA99DA6 ->CredentialManager:228772E9EB0 -CREDENTIALW:228772D6630 CREDENTIALS.AuthID:00000003 ->Primary domain:MicrosoftAccount username:myemail@outlook.com ntlm:AB1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4C sha1:0000000000000000000000000000000000000000


In this case, the NTLM is good. As you see SHA1 is full of zeroes.
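To make sense of output like the runs above, and of the zeroed sha1 in the 2004 run, here is an added parser (example code written for this page, not part of nthash) that turns each LUID line into a record and flags hash values that are all or mostly zero bytes, the pattern in the 1909 run where the reporter says the NTLM and SHA1 are not real. The sample input copies lines from this thread; where the reporter masked values with x's, the well-known empty-password NTLM and SHA1 digests are substituted as constructed stand-ins.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One nthash /logonpasswords record per line: LUID, user, domain, then optional
# credential-manager pointers and, for the primary (MSV) credential, ntlm/sha1.
ENTRY_RE = re.compile(
    r"^LUID:(?P<luid>[0-9A-Fa-f]+)\s+username:(?P<user>.+?)\s+domain:(?P<domain>.+?)(?=\s+->|$)"
)
TRUNCATED_RE = re.compile(r"^LUID:(?P<luid>[0-9A-Fa-f]+)\s*$")
PRIMARY_RE = re.compile(r"->Primary domain:(?P<pdomain>\S+)\s+username:(?P<puser>\S+)")
NTLM_RE = re.compile(r"\bntlm:(?P<h>[0-9A-Fa-f]{32})\b")
SHA1_RE = re.compile(r"\bsha1:(?P<h>[0-9A-Fa-f]{40})\b")


@dataclass
class LogonEntry:
    luid: str
    username: Optional[str] = None
    domain: Optional[str] = None
    primary_domain: Optional[str] = None
    primary_user: Optional[str] = None
    ntlm: Optional[str] = None
    sha1: Optional[str] = None
    warnings: List[str] = field(default_factory=list)


def hash_warnings(name: str, hexdigest: str) -> List[str]:
    """A real NT hash or SHA1 is indistinguishable from random bytes; runs of 0x00
    mean the reader most likely picked up a pointer/length field or unset memory."""
    raw = bytes.fromhex(hexdigest)
    zeros = raw.count(0)
    if zeros == len(raw):
        return [f"{name} is all zeros"]
    if zeros >= len(raw) // 2:
        return [f"{name} is mostly zero bytes ({zeros}/{len(raw)}); likely a misread structure, not a hash"]
    return []


def parse_logonpasswords(text: str) -> List[LogonEntry]:
    entries: List[LogonEntry] = []
    for raw_line in text.splitlines():
        line = raw_line.strip()
        m = ENTRY_RE.search(line)
        if m:
            entry = LogonEntry(m["luid"], m["user"], m["domain"])
            pm = PRIMARY_RE.search(line)
            if pm:
                entry.primary_domain, entry.primary_user = pm["pdomain"], pm["puser"]
            nm = NTLM_RE.search(line)
            if nm:
                entry.ntlm = nm["h"].upper()
                entry.warnings += hash_warnings("ntlm", entry.ntlm)
            sm = SHA1_RE.search(line)
            if sm:
                entry.sha1 = sm["h"].upper()
                entry.warnings += hash_warnings("sha1", entry.sha1)
            entries.append(entry)
            continue
        t = TRUNCATED_RE.search(line)
        if t:
            # The tool stopped mid-record (last line of the runs in this thread).
            entries.append(LogonEntry(t["luid"], warnings=["truncated record: no username/domain"]))
    return entries


def suspicious(entries: List[LogonEntry]) -> List[str]:
    """LUIDs whose record should not be trusted as-is, sorted for stable reporting."""
    return sorted(e.luid for e in entries if e.warnings)


# Sample input: lines copied from this thread, plus two constructed lines where the
# reporter's masked hashes are replaced by the empty-password NTLM/SHA1 digests.
SAMPLE_OUTPUT = """
LUID:0004AC03 username:ANONYMOUS LOGON domain:NT AUTHORITY

LUID:00031CB0 username:TESTACCOUNT domain:DESKTOP-RA99DA6 ->CredentialManager:1E697C12050 -CREDENTIALW:1E6974D9430 CREDENTIALS.AuthID:00000003 ->Primary domain:. username:TESTACCOUNT ntlm:C0C2FD49FE7F00000001000100000000 sha1:00000000000000000000A8D52213DBBCD280CA94

LUID:000003E5 username:LOCAL SERVICE domain:NT AUTHORITY ->CredentialManager:1E697492170 -CREDENTIALW:1E6974D9AF0

LUID:0004B8AC username:dinda domain:DESKTOP-RA99DA6 ->CredentialManager:228772E9EB0 -CREDENTIALW:228772D6630 CREDENTIALS.AuthID:00000003 ->Primary domain:MicrosoftAccount username:myemail@outlook.com ntlm:31D6CFE0D16AE931B73C59D7E0C089C0 sha1:0000000000000000000000000000000000000000

LUID:0096DD0F username:dinda domain:DESKTOP-RA99DA6 ->CredentialManager:2191820EFF0 -CREDENTIALW:2191836C670 CREDENTIALS.AuthID:00000003 ->Primary domain:MicrosoftAccount username:myemail@outlook.com ntlm:31D6CFE0D16AE931B73C59D7E0C089C0 sha1:DA39A3EE5E6B4B0D3255BFEF95601890AFD80709

LUID:00012A8B
"""

if __name__ == "__main__":
    for e in parse_logonpasswords(SAMPLE_OUTPUT):
        print(e.luid, e.username, e.domain, e.ntlm, e.sha1, e.warnings)
    print("suspicious:", suspicious(parse_logonpasswords(SAMPLE_OUTPUT)))
```

The zero-byte heuristic is deliberately coarse: a genuine NT hash can contain a couple of 0x00 bytes, so only half or more of the digest being zero is treated as a misread, which is exactly the shape of the bogus values in the 1909 run (8 of 16 and 10 of 20 zero bytes) and of the all-zero sha1 in the 2004 run.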

Papotito123 commented 4 years ago

Hello: Win 10 2004H1 x64 MicrosoftAccount user.

I don't know if it is because I enabled wdigest, but now when running nthash /logonpasswords /symbol, that's what I got:


LUID:0096DD0F username:dinda domain:DESKTOP-RA99DA6 ->CredentialManager:2191820EFF0 -CREDENTIALW:2191836C670 CREDENTIALS.AuthID:00000003 ->Primary domain:MicrosoftAccount username:myemail@outlook.com ntlm:Axxxxxxxxxxxxxxxxxxxxxxxxxxxx7E4C sha1:EAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx437


LUID:0096DCDB username:dinda domain:DESKTOP-RA99DA6 ->CredentialManager:2191820EFF0 -CREDENTIALW:2191836C670 CREDENTIALS.AuthID:00000003 ->Primary domain:MicrosoftAccount username:myemail@outlook.com ntlm:Axxxxxxxxxxxxxxxxxxxxxxxxxxxx7E4C sha1:EAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx437


Shows user sha1 and user (MicrosoftAccount account). Also mimikatz (didn't retrieve it before) is showing the user sha1.

erwan2212 commented 3 years ago

Latest build has /symbol working provided the debug DLLs are there. Also sha1 and ntlm are correct with Win 10 2004.