Return to Red Team Tools, Red Team or Password cracking

• Definition: pwdump is a tool used to extract password hashes from the Security Accounts Manager (SAM) database on Windows systems. It is commonly used for security auditing and forensic analysis.
• Function: Retrieves and displays password hashes, including LM (LAN Manager) and NTLM (NT LAN Manager) hashes, from the SAM database, which can then be analyzed or used in password recovery tools.
• Components:

   * '''pwdump Utility''': The executable tool that performs the extraction of password hashes.
   * '''SAM Database''': The database file from which pwdump extracts the hashes.
   * '''SYSTEM Hive''': A file that pwdump uses to decrypt the SAM database.

• Features:

   * '''Hash Extraction''': Extracts both LM and NTLM password hashes.
   * '''Offline and Live Extraction''': Can perform extraction on a live system or from offline registry files.
   * '''Compatibility''': Supports various versions of Windows, including older and newer releases.

• Usage: Used by security professionals and forensic analysts to audit password security and recover passwords for investigative purposes.

• Extracting password hashes from a live system:

   ```cmd
   pwdump > hashes.txt
   ```
   This command runs pwdump and redirects the output to a file named `hashes.txt`.

• Extracting password hashes from offline SAM and SYSTEM files:

   ```cmd
   pwdump SAM SYSTEM > hashes.txt
   ```
   This command uses the SAM and SYSTEM files provided and redirects the output to `hashes.txt`.

• Sample output of pwdump:

   ```plaintext
   Administrator:500:8846f7eaee8fb117ad06bdd830b7586c:31d6cfe0d16ae931b73c59d7e0c089c0:::
   Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
   john:1001:b4b9b02e6f09a9bd760f388b67351e2b:efe8492c8a6a78a2d950f295d4d1e4c8:::
   ```
   * **Administrator:500**: The username and User ID (UID).
   * **8846f7eaee8fb117ad06bdd830b7586c**: The LM hash (if available).
   * **31d6cfe0d16ae931b73c59d7e0c089c0**: The NTLM hash.

• pwdump: A tool for extracting LM and NTLM password hashes from the SAM database on Windows systems, used for security auditing and forensic analysis. It supports both live and offline extraction, making it versatile for various security and investigative tasks.