Windows 10 systems ship with improvements over earlier Windows versions such as Secure Boot, Trusted Boot and Measured Boot. On earlier Windows versions, password hashes (LM hash and NT hash) could be obtained by accessing the SAM file. The Windows kernel locks this file as a security measure, but tools such as samdump and pwdump could still dump the password hashes even while the SAM was locked.
Windows 10 systems support UEFI (Unified Extensible Firmware Interface), which has improved the security of the platform and introduced additional security features. Since the Windows 10 Anniversary Update, the traditional tools no longer work for dumping the SAM file.
Dumping Windows 10 hashes is still possible with a different approach. Windows 10 uses the LSASS service (lsass.exe) for authentication, and a memory dump of that process contains the SAM data along with additional information. LSASS can be located in Task Manager; once found, right-click it and choose the option to create a dump file. The dump is written to the %temp% folder, and this file is what is needed to obtain the hashes.
mimikatz is a tool developed by a group of developers and available in a GitHub repository; with mimikatz, one can easily dump Windows 10 hashes.
mimikatz download – https://github.com/gentilkiwi/mimikatz/releases
Mimikatz has a module named “sekurlsa”; using this module, an attacker can dump the password hashes.
Syntax: first run mimikatz, then type:
sekurlsa::minidump <path to the dmp file, e.g. “C:\mimikatz\lsass.DMP”>
Once this completes, you can check the available options by typing “help”. Then run:
sekurlsa::logonPasswords
This will obtain the password hashes from the dumped file.
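Detection-side counterpart, added here and not part of the original post: the procedure above leaves two artifacts on the host (a handle to lsass.exe opened with read access, and an lsass.DMP file written under %temp%), and this Python sketch flags both in constructed Sysmon-style events. The Sysmon event IDs (10 ProcessAccess, 11 FileCreate) are real; the allowlist of source processes is an assumption to be tuned per environment.

```python
from typing import Dict, List

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory
# Processes that routinely open lsass.exe; an assumed baseline, tune per environment.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

def is_lsass_access(ev: Dict[str, str]) -> bool:
    """Sysmon Event ID 10 (ProcessAccess): lsass.exe opened with VM_READ by an unexpected source."""
    if ev.get("EventID") != "10":
        return False
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if ev.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return False
    granted = int(ev.get("GrantedAccess", "0"), 16)  # Sysmon logs this field as hex
    return bool(granted & PROCESS_VM_READ)

def is_lsass_dump_file(ev: Dict[str, str]) -> bool:
    """Sysmon Event ID 11 (FileCreate): a .DMP named after lsass, as Task Manager writes to %temp%."""
    if ev.get("EventID") != "11":
        return False
    name = ev.get("TargetFilename", "").lower().rsplit("\\", 1)[-1]
    return name.endswith(".dmp") and "lsass" in name

def triage(events: List[Dict[str, str]]) -> List[str]:
    """Return one alert string per suspicious event, in log order."""
    alerts = []
    for ev in events:
        if is_lsass_access(ev):
            alerts.append(f"lsass opened by {ev['SourceImage']} (GrantedAccess 0x{ev['GrantedAccess']})")
        elif is_lsass_dump_file(ev):
            alerts.append(f"lsass dump written: {ev['TargetFilename']}")
    return alerts

# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    {"EventID": "10", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "1FFFFF"},
    {"EventID": "10", "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "1410"},
    {"EventID": "11", "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\lsass.DMP"},
    {"EventID": "11", "TargetFilename": r"C:\Windows\Temp\update.log"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The allowlisted csrss.exe event is ignored, the Task Manager handle with VM_READ and the lsass.DMP write are both flagged, and the unrelated log file is not.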