About Windows passwords, hashes and registry

Here is a great set of articles about Windows password schemes by 

Syskey and the Sam:

Decrypting LSA Secrets:

Cached Domain Credentials:

Besides the articles, Brendan created a set of plugins for Volatility that extract those passwords from a memory dump:

  • hashdump: dump the LanMan and NT hashes from the registry (deobfuscated). 
  • lsadump: dump the LSA secrets (decrypted) from the registry. 
  • cachedump: dump any cached domain password hashes from the registry. This will obviously only work if the memory image comes from a machine that was part of a domain. 
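Once hashdump has run, the output still has to be read by someone. As an added example (not code from this post or from the Volatility project), here is a small triage script that parses the pwdump-style lines hashdump prints (`user:rid:lmhash:nthash:::`) and flags what an incident responder would look at first: accounts with a blank password, accounts that still have an LM hash stored (which means LM hashing was not disabled or the password is 14 characters or shorter), and accounts that share the same NT hash. The sample lines are constructed for the example; the two sentinel hash values are the well-known hashes of the empty string.

```python
"""
Triage pwdump-style output such as Volatility's hashdump plugin emits.

Line format (assumed, as hashdump prints it):
    user:rid:lmhash:nthash:::
with each hash being 32 hex characters.
"""
import re

# Well-known hashes of the empty string.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM("") -> no LM hash stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT("") -> blank password

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Constructed sample output; not from a real machine.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
alice:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
not a hashdump line
"""


def parse_hashdump(text):
    """Parse hashdump output into a list of dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "user": m["user"],
            "rid": int(m["rid"]),
            "lm": m["lm"].lower(),
            "nt": m["nt"].lower(),
        })
    return entries


def triage(entries):
    """Return (user, finding) tuples worth a responder's attention."""
    findings = []
    users_by_nt = {}
    for e in entries:
        if e["nt"] == EMPTY_NT:
            findings.append((e["user"], "blank password"))
        if e["lm"] != EMPTY_LM:
            findings.append((e["user"],
                             "LM hash stored (LM not disabled or password <= 14 chars)"))
        users_by_nt.setdefault(e["nt"], []).append(e["user"])
    # Identical NT hashes mean identical passwords (NT hashing is unsalted).
    for nt, users in users_by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings.append((",".join(users), "accounts share the same password"))
    return findings


if __name__ == "__main__":
    for user, finding in triage(parse_hashdump(SAMPLE)):
        print(f"{user}: {finding}")
```

Feed it the saved hashdump output of a real image instead of `SAMPLE` to get the same three classes of findings; the "shared password" check works because NT hashes are unsalted, so equal hashes imply equal passwords.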

2 comments:

moyix said...

Hi, just wanted to clear up one thing: I didn't create Volatility, AAron Walters did. I currently help develop the code with him, however.

Thanks for the link!

Christian Martorella said...

Thanks moyix, I corrected the post.
By the way great article :)