<< Click to Display Table of Contents >> Navigation: System and Data Recovery Programs > Proactive Password Auditor > How to work with the program > Obtaining password hashes |
PPA supports several different methods of obtaining password hashes, as described below.
There are several third-tools that can generate dump files with password hashes, e.g. pwdump, pwdump2, pwdump3 and samdump. The files generated by these tools have the following format:
user_name:user_id:LM_hash: ntlm_hash:comment:user_home_directory:
PPA can take these file types as input.
On all systems that don't use Active Directory, password hashes are stored in the system Registry, and the program can extract them from the Registry, even if they are encrypted using SYSKEY.
The program can extract password hashes directly from Registry files: SAM and SYSTEM. You will have to select those two files (or just the SAM file, if the file comes from an old NT system that does not use SYSKEY protection: check the Don't use SYSKEY option in that case). If SYSKEY has been generated from a startup password or stored on an external media, you will have to supply that password or external media, respectively. Please note that with this feature, you cannot dump from SAM and SYSTEM files that are currently in use (located in the WINDOWS\SYSTEM32\config folder), because they're locked by the operating system. You can, however, make copies of these files by booting into an alternative operating system such as another Windows installation or; another way is to attach the hard disk where these files are located as a secondary drive to another Windows workstation.
If you have administrator rights on the machine you run PPA on, you can dump password hashes from its memory. This method works regardless of the SYSKEY mode, and gives hashes for all users, including Active Directory users.
This method is similar to the previous one, but allows you to dump hashes from any remote computer in your LAN: server or workstation, with or without Active Directory. Press the Browse button and select the computer(s) you want to obtain hashes from. Once password hashes are obtained, PPA shows the following information:
•User name
•Computer
•User ID
•Hash type (LM or LM+NTLM)
•LM hash
•NT hash
•Password
•Audit time
•Status (disabled or locked)
•Description
Right-click on any column header to enable/disable visualization for any of those fields in the program interface.
Please note that in order to obtain password hashes from any remote computer, PPA should have administrator privileges there. First, it tries to log on with current credentials (the ones the program was started with) first, then with the stored credentials (if there is an appropriate record there), and if it still fails, it prompts for user name and password. If the given computer is a domain controller, you should supply the domain administrator credentials (see Requirements section for more details).
When you dump or open password hashes using any of the methods described above, PPA runs (by default) a fast preliminary attack that takes several seconds to complete, but may recover short and simple passwords automatically. Look at Preliminary attack options for details.
Prior to the attack, when no passwords have been recovered yet, the passwords are shown either as <empty> (if no password for the given account is set) or as <unknown>. After the preliminary attack, some <unknown> passwords might be recovered and displayed.
Select the user accounts you want to audit, select the attack method and start the attack itself. You will not be able to check the following accounts:
•Accounts that have empty passwords
•Accounts that are above the limit of the trial version, or according to the license you have purchased (these accounts are grayed out)
An appropriate message will be printed into the log window (and log file), respectively:
•Password of user "Guest" is empty, recovery for this user is disabled
•Recovery for this user is disabled (number of user 101)