Open Papotito123 opened 3 years ago
Hi Papotito123,
Just giving some news. I took a break away from nthash for a few weeks. Still I can your feedback and am planning to work on it soon.
As always, many thanks for your feedback: you have greatly contributed to nthash!
Regards, Erwan
Hello: Cool.
Thanks.
@erwan2212 Any Update on MS liveid account?
Hello: My Win 2004 did some updates and now is Win 10 2004 (OS Build 19041.630) x64 Using MicrosoftAccount user account.
I ran:
NTHASH-win64.exe /dumphashes /system ==> hashes are good now
NTHASH-win64.exe /dumpsecret /input:* /system ===> only gives, DefaultPassword and DPAPI_SYSTEM options
NTHASH-win64.exe /dumpsecret /input:DPAPI_SYSTEM /system ===> values are good
NTHASH-win64.exe /getlsakeys /symbol ===> values are good
NTHASH-win64.exe /wdigest /symbol ===> values are good
NTHASH-win64.exe /dpapimk /symbol ===> values are good
NTHASH-win64.exe /logonpasswords /symbol ==> SHA1/NTLM hashes are good now
NTHASH-win64.exe /dumpsecret /input:DefaultPassword
NTHASH 1.8 x64 by erwan2212@gmail.com
Impersonate:SYSTEM
CurrVal
secret:000000000000000000000000000000007DxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxCE5
secret: xxxxxxxxxxxxxxxx >> gives some maybe encrypted chars but in same length of password size
OldVal
secret:5F005400420041004C005F007B00360038004500440044004300460035002D0030004100450042002D0034004300320038002D0041003700370030002D004100460035003300300032004500430041003300430039007D00
secret: T B A L { 6 8 E D D C F 5 - 0 A E B - 4 C 2 8 - A 7 7 0 - A F 5 3 0 2 E C A 3 C 9 }
Notice in the CurrVal secret there are some zeroes at the start and then some hex. It's like it is being split. And, to me, it seems that in some way it is catching "part of the MicrosoftAccount encrypted user password". This T B A L { 6 8 E D D C F 5 - 0 A E B - 4 C 2 8 - A 7 7 0 - A F 5 3 0 2 E C A 3 C 9 } is the password being caught in mimi, lazagne.
I can confirm that 5F005400420041004C005F007B00360038004500440044004300460035002D0030004100450042002D0034004300320038002D0041003700370030002D004100460035003300300032004500430041003300430039007D00, in ASCII, is T B A L { 6 8 E D D C F 5 - 0 A E B - 4 C 2 8 - A 7 7 0 - A F 5 3 0 2 E C A 3 C 9 }
So in the CurrVal secret, hexadecimal 000000 ...... is converted to the second secret: xxxxxxxxxxxxxxxx. So in theory, at least for me, this can be the "encrypted MicrosoftAccount password", which is a hash/text different from the MicrosoftAccount user password string. Indeed, the 7DxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxCE5 part, by itself, is converted to the encrypted secret. So these zeroes act as some padding or something like that, without making changes to the secret value. Of course, this is the behaviour in this case. So, if the hexa is complete and not truncated/padded with 32 zeroes at the start, maybe we can see the "MAuser encrypted password" encrypted.
I hope you can understand what I'm trying to say.
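
An added example (not part of the thread and not nthash code): a small Python helper that takes a secret printed as hex, measures any leading zero-byte run, and decodes the remainder as UTF-16LE, the encoding in which the OldVal bytes quoted above spell readable text. The name `describe_secret` and the CurrVal-shaped sample are constructed for illustration; the OldVal hex is copied from the post.

```python
import re

# OldVal hex exactly as quoted in the thread above.
OLDVAL_HEX = (
    "5F005400420041004C005F007B00360038004500440044004300460035002D00"
    "30004100450042002D0034004300320038002D0041003700370030002D00"
    "410046003500330030003200450043004100330043003900" "7D00"
)
# Constructed sample shaped like the CurrVal output in the thread:
# 16 zero bytes followed by 20 opaque bytes (the real value is redacted).
CURRVAL_SAMPLE_HEX = "00" * 16 + "7d3a91c4e80f52b7601d9e44a7c2f8135bd06ce5"

# Matches strings shaped like the decoded OldVal: _NAME_{GUID}
MARKER_RE = re.compile(r"_[A-Z]+_\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}")


def describe_secret(hex_value):
    """Summarise a secret printed as hex (hypothetical helper, not nthash's)."""
    raw = bytes.fromhex(hex_value)
    zero_prefix = len(raw) - len(raw.lstrip(b"\x00"))
    zero_prefix -= zero_prefix % 2          # keep 16-bit code units aligned
    body = raw[zero_prefix:]
    text = None
    if body and len(body) % 2 == 0:
        try:
            decoded = body.decode("utf-16-le")
        except UnicodeDecodeError:
            decoded = ""
        # Only accept printable ASCII; opaque bytes often "decode" to noise.
        if decoded and all(" " <= ch <= "~" for ch in decoded):
            text = decoded
    return {
        "total_bytes": len(raw),
        "zero_prefix_bytes": zero_prefix,
        "body_bytes": len(body),
        "text": text,
        "guid_marker": bool(text and MARKER_RE.fullmatch(text)),
    }


if __name__ == "__main__":
    for name, value in (("OldVal", OLDVAL_HEX),
                        ("CurrVal (constructed)", CURRVAL_SAMPLE_HEX)):
        print(name, describe_secret(value))
```

Decoded this way, the OldVal string keeps the underscores that the spaced-out console rendering above does not show.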