On one hand, SAM dumping tools are widely used but surprisingly not very automated. On the other hand, WINHELLO (Windows Hello) PIN dumping tools barely exist. This simple and lightweight Python script automates the credential dumping process for both of these cases.
Requires the following conditions:
- To be run from a GNU/Linux terminal (`python wcreddump.py`)
- pypykatz installed on the system (`apt install pypykatz`)
- Python >= 3.10 with the following libs installed: dpapick3, PyCryptodome (`pip install dpapick3 PyCryptodome`)
- `WINHELLO2hashcat.py` in the same directory as `wcreddump.py` (https://github.com/Banaanhangwagen/WINHELLO2hashcat)
- A mounted drive with a Windows OS on it
Dumped data will be printed in the terminal and, if `autosave` is set to `True`, saved automatically in the `outputs` folder under a file name made of the drive name and the current Unix time. The `outputs` folder will be created automatically if it does not exist.
Dumped hashes can be cracked using JtR or hashcat, with `-m 1000` for NTLM hashes from the SAM hive and `-m 28100` for PINs from WINHELLO (https://hashcat.net/wiki/doku.php?id=example_hashes).
Tool tested on Windows 10 22H2 build 19045.4170.
As noted in https://github.com/Banaanhangwagen/WINHELLO2hashcat?tab=readme-ov-file#remarks, systems with a TPM won't work, as their Windows Hello secrets are TPM-protected.
As pypykatz automatically dumps some OS information such as LSA secrets and the boot key, it is now possible to save them into a separate `INFOS` file by turning on the `dumpInfos` boolean. Defaults to `False`.
Provided "as is" without any warranty of any kind. Do not use for illegal purposes. Feel free to report bugs/mistakes or make suggestions. Good luck with your cracking!