I have one server and multiple client computers each running Windows 8, for each user there is a roaming user profile to access there profile from every client computer. It is also possible to login in an account even when there is no connection between server and client, but only if that account was used on that computer in the past,therefore I think the account is saved on the computer during login. Now I would like to test the passwords of the users using hashcat, the problem I have is, that in the SAM file there is only the admin-password hash and not the hashes of the other users passwords.
I have done lots of research but there is absolutely nothing about password-file location for roaming user profiles on the net and I am sure that they must be on the client-computer.
It is not possible to read data on the server because it is running 24h/24h. I have the possibility to read all the data of the client computer because I use another OS for that purpose.
Just ask if you need extra information or something is unclear.
Any help would be greatly appreciated.
As mentioned in this article on ServerFault you can run the command vaultcmd /list from command prompt to list the credentials stored in the Windows Credential Manager, it also gives a location where the information is stored
The article also mentions a few places to look:
Hope this helps :)