It’s not uncommon to be asked whether a user had a login password or to need it to login to a virtualised copy of a suspects computer. In the case of the later, you can usually just clear the password and proceed, but sometimes knowing the password may be important.
I played with a few tools that I had on hand to get a local user’s NTLM hash during Dave and Matt’s DFIR CTF at DEF CON and documented my findings (and finally got around to finishing this up)
As of Win10 Anniversary Update, Microsoft moved the location of the user password hashes in the registry. What this means for us in DF is that if our tools haven’t been updated since mid-2016 then they will give us an empty NTLM string (well, whatever stands for empty), which is incorrect.
I pulled out the SAM/SYSTEM hives from one of the Win10 images and loaded them up into Ophcrack 3.8.0, which I used to use to get me the NTLM hash to lookup online (because looking it up in a table is much quicker than cracking) and occasionally use it to crack it too.
Unfortunately, Ophcrack hasn’t been updated to check the right location for Win10.
I then took a look at Magnet AXIOM which I had on hand, and this too provided the empty hash (I’ve been informed that they’re aware of the issue and will be fixing it in an upcoming release).
Enter Mimikatz! Well, eventually…Chrome and AV flag it as malicious for some reason…
Mimikatz has the option to load up a local SYSTEM and SAM hive and then will output the NTLM hashes!
>> Mimikatz # lsadump::sam /system:J:\windows\system32\config\system /sam:J:\windows\system32\config\sam
And we can see the NTLM hash is there for the mpowers user.
Something on the to-do list is to see whether mimikatz can extract the cached credentials if the user has logged in using their Microsoft Online account. I think I’ve done it before, but I can’t remember how.
Just something to be aware of; our tools can lie to us if they haven’t been updated to support the operating systems and apps that we’re investigating.