
Obtaining password hashes


PPA supports a few different methods of obtaining password hashes for further attack/audit, as described below.


DUMP file

There are a few third-party tools that can generate dump files with password hashes, e.g. pwdump, pwdump2, pwdump3 and samdump. The files generated by these tools have the following format (one record per line):

user_name:user_id:LM_hash:ntlm_hash:comment:user_home_directory:

The PPA program can open files of this type and read password hashes from them.

Registry of local computer

On all systems that don't use Active Directory, password hashes are stored in the system Registry, and the program can extract them from the Registry, even if they are encrypted using SYSKEY.

Registry files (SAM, SYSTEM)

The program can extract password hashes directly from Registry files: SAM and SYSTEM. You will have to select those two files (or just the SAM file, if the file comes from an old NT system that does not use SYSKEY protection: check the Don't use SYSKEY option in that case). If SYSKEY has been generated from a startup password or stored on a floppy disk, you will have to supply that password or floppy, respectively. Please note that with this feature, you cannot dump from SAM and SYSTEM files that are currently in use (located in the WINDOWS\SYSTEM32\config folder), because they are locked by the operating system. You can, however, make copies of these files by booting an alternative operating system such as another Windows installation, or even DOS (though an NTFS driver might be required, such as NTFS Reader for DOS or NTFSDOS); another way is to attach the hard disk (where these files are located) as a secondary drive to another Windows workstation.

Memory of local computer

If you have administrator rights on the machine you run PPA on, you can dump password hashes from its memory. This method works regardless of the SYSKEY mode, and gives hashes for all users, including Active Directory users.

Memory of remote computer


This method is similar to the previous one, but allows you to dump hashes from any remote computer in your LAN – server or workstation, with or without Active Directory. Press the Browse button and select the computer(s) you want to get hashes from. Once password hashes are obtained, PPA shows the following information:

User name
Computer
User ID
Hash type (LM or LM+NTLM)
LM hash
NT hash
Password
Audit time
Status (disabled or locked)
Description


Right-click on any column header to enable/disable visualization for any of those fields in the program interface.

Please note that in order to obtain password hashes from any remote computer, PPA must have administrator privileges there. It first tries to log on with the current credentials (the ones the program was started with), then with the stored credentials (if there is an appropriate record), and if that still fails, it prompts for a user name and password. If the given computer is a domain controller, you should supply the domain administrator credentials (see the Requirements section for more details).

When you dump or open password hashes using any of the methods described above, PPA runs (by default) a fast "preliminary" attack that takes just a few seconds (or a few minutes on slow machines), but recovers many short and simple passwords automatically. Look at Preliminary attack options for details.

Prior to the attack, when no passwords have been recovered yet, passwords are shown either as <empty> (if no password for the given account is set) or as <unknown>. After the preliminary attack mentioned above, some <unknown> passwords might be recovered and shown.

Now you have to select (check) the user accounts you want to audit, select the attack method and start the attack itself. You will not be able to check the following accounts, though:


ones that have empty passwords
ones that are above the limit of the trial version, or according to the license you have purchased (these accounts are also grayed out)


An appropriate message will be printed into the log window (and log file), respectively:


Password of user "Guest" is empty, recovery for this user is disabled
Recovery for this user is disabled (number of user 101)
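As an added illustration of the DUMP file format described at the top of this page and of the <empty>/<unknown> status shown before the attack, the following Python script parses pwdump-style records, validates each hash field, and reports which accounts have an empty password and therefore cannot be selected for recovery. This is example code written for this page, not part of PPA or of the pwdump tools. It relies on one fact about Windows: an account with no password is stored with the LM hash aad3b435b51404eeaad3b435b51404ee and the NT hash 31d6cfe0d16ae931b73c59d7e0c089c0. The hash-type labels (LM+NTLM, NTLM, LM, empty), the helper names, and the sample dump (whose non-empty hash values are made up) are this example's own assumptions.

```python
"""Parser and auditor for pwdump-style hash dump lines.

Added example for this help page, not PPA's own code. The hash-type
labels and helper names are this example's own choices.
"""
import re
from dataclasses import dataclass

# Hash values Windows stores for an account whose password is empty.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$")


@dataclass
class DumpEntry:
    user_name: str
    user_id: int
    lm_hash: str        # lower-cased hex
    nt_hash: str        # lower-cased hex
    comment: str
    home_directory: str


def parse_dump_line(line: str) -> DumpEntry:
    """Parse one 'user:uid:LM:NT:comment:home:' record; raise ValueError if malformed."""
    # maxsplit=5 keeps colons inside the home-directory field (e.g. C:\Users\x) intact.
    parts = line.rstrip("\r\n").split(":", 5)
    if len(parts) != 6:
        raise ValueError(f"expected 6 colon-separated fields: {line!r}")
    name, uid, lm, nt, comment, home = parts
    if not uid.isdigit():
        raise ValueError(f"user_id is not numeric: {uid!r}")
    lm, nt = lm.lower(), nt.lower()
    for label, digest in (("LM", lm), ("NT", nt)):
        if not HEX32.match(digest):
            raise ValueError(f"{label} hash is not 32 hex digits: {digest!r}")
    # The record format ends with a trailing colon; strip it from the last field.
    return DumpEntry(name, int(uid), lm, nt, comment, home.rstrip(":"))


def parse_dump(text: str):
    """Parse a whole dump; returns (entries, errors) so one bad line does not stop the audit."""
    entries, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entries.append(parse_dump_line(line))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return entries, errors


def classify(entry: DumpEntry) -> dict:
    """Hash type and initial password display for one account (labels are this example's)."""
    lm_set = entry.lm_hash != EMPTY_LM_HASH
    nt_set = entry.nt_hash != EMPTY_NT_HASH
    if lm_set and nt_set:
        hash_type = "LM+NTLM"
    elif lm_set:
        hash_type = "LM"
    elif nt_set:
        hash_type = "NTLM"
    else:
        hash_type = "empty"
    return {
        "user": entry.user_name,
        "user_id": entry.user_id,
        "hash_type": hash_type,
        "password": "<empty>" if hash_type == "empty" else "<unknown>",
        # An account with an empty password is not a candidate for recovery.
        "auditable": hash_type != "empty",
    }


def audit_report(text: str):
    """Classify every parseable record; returns (rows, errors)."""
    entries, errors = parse_dump(text)
    return [classify(e) for e in entries], errors


# Constructed sample dump: only the empty-password constants are real hash values.
SAMPLE_DUMP = """\
Administrator:500:0f1e2d3c4b5a69788796a5b4c3d2e1f0:f0e1d2c3b4a5968778695a4b3c2d1e0f:Built-in account:C:\\Users\\Administrator:
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:Backup service:C:\\Users\\svc_backup:
broken line without fields
mallory:1002:notahash:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

if __name__ == "__main__":
    rows, errors = audit_report(SAMPLE_DUMP)
    for r in rows:
        print(f"{r['user']:<14} uid={r['user_id']:<5} {r['hash_type']:<8} "
              f"{r['password']:<10} auditable={r['auditable']}")
    for lineno, msg in errors:
        print(f"line {lineno}: skipped ({msg})")
```

Running the script prints Guest as <empty> and not auditable, mirroring the "Password of user "Guest" is empty" log message above, while the two malformed lines are reported by line number instead of aborting the whole import.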


(c) 2009 ElcomSoft Co.Ltd.