How to get password hash from SAM file using regedit


I've been trying to get the password hashes from the SAM file for a while now. I don't want to download a program that will get it for me; firstly, because I want to do it myself, and secondly, because all the ones I've downloaded have been malware.

Pretty soon I realised that I can't access SAM in the registry while logged in to my account (which is admin), so I decided to swap "utilman.exe" with a copy of "cmd.exe", and thus I can access SAM as 'system' when logged out of my account.

I have managed to export the entirety of SAM to my desktop, both as a ".reg" file and as a ".txt" file. The problem is... I don't know where to start looking for the password hash. Interestingly enough, when opening the ".txt" version, I realised that it is different from what I get when changing the ".reg" version to a ".txt" file. An example is shown here:

Default text version:

    00000000 07 00 01 00 00 00 00 00 - 98 00 00 00 02 00 01 00 ................

Reg file changed to txt:

    [HKEY_LOCAL_MACHINE\SAM\SAM]
    "C"=hex:07,00,01,00,00,00,00,00,98,00,00,00,02,00,01,00,01,00,14,80,78,00,00,\

Any help would be much appreciated. As for the intentions, I am simply trying to experiment with Windows. :)


Solution

    This helped me loads. Here, you can see the LM (Lan Manager) password hash and the NT hash. I located these in my registry and found that exactly.

    EDIT

    How to find the location of the values in the second block from the first (for automated programs): the first box will always look like that (Workstations being at 0078, for example), but the second will have different values and be in different places, so it works like this:

    Select the first 4 bytes, e.g.: 90 01 00 00

    Reverse them, e.g.: 00 00 01 90 (NOTE: I did not change around the values, just the byte order, so 90 is still 90 and not 09)

    Decimal convert 00000190 to hex to get BE

    Hex convert BE to get 190

    Hex convert (again) 190 to get 400 (which is now our decimal value)

    Add CC (the decimal value of CC is 204) in decimal form, which is 204, to 400 to make 604 (NOTE: CC has to be added to every equation you do, otherwise it won't work)

    Hex to decimal 604 to get 25C. Then if you look at the second block, it reads 0258, 0259, 025A, 025B, 025C. Then 025C (25C) is your value.