erwan2212 / NTHASH-FPC


/offline option #9

Closed Papotito123 closed 4 years ago

Papotito123 commented 4 years ago

Hello: Win 10 1809 x64, local user account.

Hello again.

For using the /offline option I tested some switches but just 2 or 3 work as expected.

Would you post some info about which switches work for /offline and how?

For example:

  1. how to get users' SIDs for /offline
  2. what to do with the pid_number.dmp created with /dumpproc, which should carry the user mkeys/sha1 and other info
  3. /dumpsecret /input:* for offline only gives the /input:dpapi_system option, which doesn't give the lsasecrets Q&A

In other comments: /enumcred | /enumcred2 : doesn't work

/logonpasswords /symbol : retrieved ntlm / sha1 hashes are not real ones.

Thanks in advance

erwan2212 commented 4 years ago

Offline means it will use an offline hive : system.sav and/or security.sav and/or software.sav.

"_what to do with the pidnumber.dmp created with /dumpproc" : nthash will decrypt this in a future version - for now, I recommend mimikatz offline.

Working offline commands:

    nthash /getsids /offline
    NTHASH /dumphashes [/offline]
    NTHASH /dumphash /rid:500 [/offline]
    NTHASH /getsyskey [/offline]
    NTHASH /getsamkey [/offline]
    NTHASH /dumpsecret /input:* [/offline]          ----------> will list all secrets
    NTHASH /dumpsecret /input:a_secret [/offline]   ----------> will decrypt a secret which you can find from the above command

Papotito123 commented 4 years ago

Hello: About /dumpproc, I thought there was something more than mimi or others.

Thanks for the /offline syntaxes. I tried /getsids /offline and can't get it. That's why I asked before. I'll try later.

Thanks

erwan2212 commented 4 years ago

About /getsids [/offline] : this is brand new in latest version. I made it just for you ;)

Dumpproc is there for now only to generate a dump file which can be used by other software offline.

erwan2212 commented 4 years ago

Although not in the right thread (this one is about the /offline parameter):

About "/logonpasswords /symbol : retrieved ntlm / sha1 hashes are not real ones.": I suspect that this is not about /symbol but about your 1809 Windows 10 version. Try again with the latest nthash version: it should/might be OK now. If yes, I need to check with the latest Windows 10 20xx versions then.

Eventually open a new issue/thread if problematic so that we can also improve this /logonpasswords command.

Papotito123 commented 4 years ago

Hello: I did some tests with /logonpasswords /symbol:

Papotito123_logonpasswords-symbol.txt

Also did a Win 2004H1 test: Win 10 2004 build 19041.508 x64, TESTACCOUNT (local user account). Regarding /logonpasswords /symbol, I did the test while logged in as TESTACCOUNT (local user account):

    C:\Users\TESTACCOUNT\Desktop\NTHASH>NTHASH-win64.exe /logonpasswords /symbol /verbose
    NTHASH 1.8 x64 by erwan2212@gmail.com
    findlsakeys
    findlsakeys_sym
    Error with SymFromName : 0
    findlsakeys failed

Papotito123 commented 4 years ago

Hello: I confirm that mimi, lazagne, PasswordHashesView (nirsoft) can grab user NTLM/SHA1 in Win 2004H1 x64.

erwan2212 commented 4 years ago

I have created a new issue for the /symbol not working on latest win 10 here

Papotito123 commented 4 years ago

Hello: OK. I will direct any info or issue regarding /symbol in Windows 2004H1 to the new issue.

Papotito123 commented 4 years ago

Hello: Tested Win 10 1809 x64, all user accounts, with /logonpasswords /symbol. I see that /logonpasswords /symbol needs to be run to get it working. Could be run with or without internet. Now I see all hashes good.

Papotito123_logonpasswortds-symbol(erwan f66843c).txt

Thanks.

erwan2212 commented 4 years ago

/offline functions reviewed.

/logonpasswords fixed for win 10 2004.

/symbol needs internet, at least the first time, to retrieve pdb symbol files from ms repository.