Quarks PwDump v0.2b -<(QuarksLab)>-
Quarks PwDump is a native Win32 tool to extract credentials from Windows operating systems.
It currently extracts:
Supported OS: XP/2003/Vista/7/2008/8
Why another hash dumper?
We would like to thank the authors of NTDS hash dump (Csaba Barta) and creddump for their excellent work.
Also, the tool is still in beta.
Here is how to use Quarks PwDump:
quarks-pwdump.exe
Dump options must all be given at once. In all cases, the tool must be executed on the targeted operating system.
Always put the NTDS.dit file path at the end of the command line for the options that need it.
Some command examples:
Dump local account hashes to LC format
Dump domain hashes from NTDS.dit with its history
All features require administrator privileges.
Bitlocker and domain account information is extracted offline from NTDS.dit (see the next section for NTDS file recovery). Everything must be done on the domain controller, with no code injection or service installation. It is not currently a fully offline dump, because Quarks PwDump is dynamically linked with ESENT.dll, which differs between Windows versions. For example, it is not possible to parse a Windows 2008 ntds.dit file from XP.
For Bitlocker, Quarks PwDump can retrieve the following information:
Recovery password: a 48-digit passphrase that lets a user mount a partition when the password has been lost. It can be entered in the Bitlocker recovery console.
Key package: a binary key file that lets a user decipher data on a damaged disk or partition. It can be used with Microsoft tools, especially the Bitlocker Repair Tool.
For each entry found in NTDS.dit, Quarks PwDump prints the recovery password to STDOUT and stores the key packages in a separate file per recovery GUID: {GUID_1}.pk, {GUID_2}.pk, ...
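As an added example (not part of the Quarks PwDump project), here is a small check a defender can run over recovery passwords dumped as above before escrowing them, so that transcription errors are caught early. It relies on the documented BitLocker recovery-password structure, which this README does not itself describe (eight 6-digit blocks, each a multiple of 11 and below 720896); the sample strings are constructed and are not real passwords.

```python
import struct
from typing import Optional

BLOCK_COUNT = 8
BLOCK_DIGITS = 6
BLOCK_LIMIT = 65536 * 11  # 720896: a block divided by 11 must fit in 16 bits

# Constructed sample values for the demo; these are not real recovery passwords.
SAMPLE_VALID = "000000-000011-000022-720885-123453-111111-222222-333333"
SAMPLE_BAD_DIGIT = "000000-000011-000022-720885-123456-111111-222222-333333"
SAMPLE_OUT_OF_RANGE = "000000-000011-000022-720896-123453-111111-222222-333333"


def split_blocks(text: str) -> Optional[list[int]]:
    """Turn dumped text (dashed or 48 bare digits) into eight integer blocks, or None."""
    digits = text.strip().replace("-", "").replace(" ", "")
    if len(digits) != BLOCK_COUNT * BLOCK_DIGITS or not digits.isdigit():
        return None
    return [int(digits[i:i + BLOCK_DIGITS]) for i in range(0, len(digits), BLOCK_DIGITS)]


def check_recovery_password(text: str) -> list[str]:
    """Return a list of problems; an empty list means the password is well-formed."""
    blocks = split_blocks(text)
    if blocks is None:
        return ["expected 48 decimal digits, dashed into 8 blocks of 6"]
    problems = []
    for index, block in enumerate(blocks, start=1):
        # Each block is a multiple of 11 (the last digit acts as a check digit)...
        if block % 11 != 0:
            problems.append(f"block {index} ({block:06d}) fails the mod-11 check digit")
        # ...and block // 11 must be a 16-bit value, so the block stays below 720896.
        elif block >= BLOCK_LIMIT:
            problems.append(f"block {index} ({block:06d}) is above the 16-bit range")
    return problems


def recovery_key_bytes(text: str) -> bytes:
    """Decode a well-formed password into its 16 bytes of key material.

    Each block // 11 is one little-endian 16-bit word; BitLocker derives the real
    volume key from these bytes with further hashing, which is not shown here.
    """
    if check_recovery_password(text):
        raise ValueError("malformed recovery password")
    words = [block // 11 for block in split_blocks(text)]
    return struct.pack("<8H", *words)
```

Run check_recovery_password() over each line the tool prints; a non-empty result means the value was mis-dumped or mis-copied and should not be trusted for recovery.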
Local account and cached credential information is extracted live from the SAM and SECURITY hives, cleanly and without code injection or a service. We use the native registry API, in particular the RegSaveKey() and RegLoadKey() functions, which require the BACKUP and RESTORE privileges. Next we mount the saved hives at a different mount point and change the ACL on every key to extend access to the Administrators group rather than LocalSystem only. This is why we chose to work on a backup: it preserves system integrity.
Microsoft recently implemented VSS (Volume Shadow Copy Service), which allows an administrator to take filesystem snapshots while the operating system is running and writing to the files being backed up.
Here is a way to back up the NTDS.dit file while a domain controller is running:
If the AD server does not have the "AD DS role", use the dsdbutil.exe command in the same way.
On this version, VSS has been implemented but NTDS-type snapshots have not. You can use the ntbackup tool instead; here is the procedure:
The ntds.dit file can now be used with Quarks PwDump.
contact@quarkslab.com