erwan2212 / NTHASH-FPC


NTHASH-FPC

A tribute to https://github.com/gentilkiwi/mimikatz...
And, generally speaking, a tool to handle hashes and ciphers with a particular focus on Windows secrets and lateral movement.
https://attack.mitre.org/matrices/enterprise/windows/ is definitely worth reading when it comes to lateral movement.

I wrote a series of articles here to illustrate what can be done with nthash.

Syntax/Commands are detailed (as much as possible) here.


todo/news:
- decrypt SAM hashes online (rather than patching lsass) and offline: done in v1.1
- deal with the new AES cipher used in the latest Win10 1607: done in 1.2
- enum Lsasrv.dll!LogonSessionList: done in 1.3
- enum Wdigest.dll!l_LogSessList: done in 1.3
- decrypt DPAPI-encrypted vault and/or credentials: done in 1.4
- patch LogonSessionList and perform pth (pass-the-hash): done in 1.4
- decrypt Chrome and Firefox passwords: done in 1.4
- decrypt Firefox and Chrome passwords/cookies: done in 1.5
- dpapimk command to dump all masterkeys: done in 1.6
- getlsassecret using LsaRetrievePrivateData: done in 1.6
- todo: work out LsaICryptUnprotectData through DLL injection
- work out masterkey decryption based on the SHA1 of the user password: done in 1.7
- work out credential blob decryption based on the decrypted masterkey: done in 1.7
- work out offline decryption of lsasecrets as well: done in 1.7
- todo: work out credhist decryption
- use the MS symbol server to retrieve offsets on the fly: done in 1.8
- introduce pipe: /input will always be fed by the pipe in: done in 1.8
- Chrome 80 new encryption (AES-256-GCM): done in 1.8