Unable to obtain password hashes
GoogleCodeExporter opened this issue
Google Code Exporter commented
What steps will reproduce the problem?
1. Grab a memory image using DumpIt (Windows 7 SP1 x64, 2GB RAM, raw file)
2. imageinfo on the raw image to get OS information
3. hivelist on the raw image with profile Win7SP1x64 to get the SYSTEM and SAM virtual addresses
4. hashdump on the raw image with profile Win7SP1x64 to get the password hashes
What is the expected output? What do you see instead?
Expecting password hashes, but hashdump results in an empty file.
imageinfo
=========
Determining profile based on KDBG search...
Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (C:\.....\TARGET.raw)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80003e3a0a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80003e3bd00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2014-08-06 22:11:24 UTC+0000
Image local date and time : 2014-08-06 23:11:24 +0100
hivelist
========
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a001c45010 0x0000000036813010 \??\C:\Users\...Fu\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a001c4e010 0x000000005624c010 \??\C:\Users.. .\ntuser.dat
0xfffff8a002011010 0x000000003e129010 \??\C:\System Volume Information\Syscache.hve
0xfffff8a006986410 0x00000000144d8410 \SystemRoot\System32\Config\DEFAULT
0xfffff8a00000d410 0x000000001c6bb410 [no name]
0xfffff8a000023010 0x000000001c5a9010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000052010 0x000000001c558010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000663010 0x000000001a9aa010 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a0007f1010 0x0000000014b87010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a000b7e010 0x00000000113b7010 \SystemRoot\System32\Config\SECURITY
0xfffff8a000be8010 0x000000000a708010 \SystemRoot\System32\Config\SAM
0xfffff8a000cde010 0x0000000007c17010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a000dff1d0 0x00000000113671d0 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
hashdump
========
C:\Users\...... >volatility-2.3.standalone.exe hashdump -f TARGET.raw --profile=Win7SP1x64 -y 0xfffff8a000023010 -s 0xfffff8a000be8010 > hashdump.txt
Result is an empty hashdump.txt!
What version of the product are you using? On what operating system?
I used volatility-2.3.standalone.exe on Windows 7 Home Premium 64-bit SP1 with 4GB RAM.
Please provide any additional information below.
(a) Do the Virtual and Physical addresses above seem ok?
(b) I do not know what I am doing wrong to not get the password hashes - please help :-)
Original issue reported on code.google.com by Kateson...@gmail.com on 8 Aug 2014 at 3:58
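As an added example (not part of the original issue or of Volatility's own code), the Python below parses hivelist output copied from a terminal, rejoins hive names that wrapped onto a second line, runs the plausibility checks behind question (a), and assembles the hashdump command from the SYSTEM and SAM virtual addresses. The sample output, the 2GB image size and the check thresholds are constructed assumptions.

```python
import re
# Constructed sample of Volatility 2.x hivelist output, copied the way a terminal wraps
# it: one hive name breaks at a space, another is pushed entirely onto the next line.
SAMPLE_HIVELIST = """\
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a002011010 0x000000003e129010 \\??\\C:\\System Volume
Information\\Syscache.hve
0xfffff8a000023010 0x000000001c5a9010 \\REGISTRY\\MACHINE\\SYSTEM
0xfffff8a000be8010 0x000000000a708010 \\SystemRoot\\System32\\Config\\SAM
0xfffff8a000cde010 0x0000000007c17010
\\??\\C:\\Windows\\ServiceProfiles\\NetworkService\\NTUSER.DAT
"""
ROW = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s*(.*)$")
KERNEL_VA_MIN = 0xFFFF800000000000  # lowest address of the canonical upper half on x64

def parse_hivelist(text):
    """Return [(virtual, physical, name)], rejoining names wrapped over several lines."""
    hives = []
    for line in map(str.strip, text.splitlines()):
        m = ROW.match(line)
        if m:
            hives.append([int(m.group(1), 16), int(m.group(2), 16), m.group(3).strip()])
        elif hives and line and not line.startswith(("Virtual", "---")):
            hives[-1][2] = (hives[-1][2] + " " + line).strip()  # continuation of last name
    return [tuple(h) for h in hives]

def find_hive(hives, suffix):
    """Return (virtual, physical) of the first hive whose path ends with suffix."""
    for virt, phys, name in hives:
        if name.lower().endswith(suffix.lower()):
            return virt, phys
    raise LookupError(f"no hive ending in {suffix}")

def check_offsets(virt, phys, image_size):
    """Plausibility checks on a hive address pair before trusting it as a -y/-s value."""
    checks = [
        (virt >= KERNEL_VA_MIN, "virtual address is not in the x64 kernel half"),
        (phys < image_size, "physical offset lies beyond the end of the image"),
        ((virt & 0xFFF) == (phys & 0xFFF), "virtual and physical page offsets differ"),
    ]
    return [msg for ok, msg in checks if not ok]

def hashdump_command(hives, image="TARGET.raw", profile="Win7SP1x64", image_size=2 * 1024**3):
    """Pick the SYSTEM and SAM hives, check them, and build the hashdump command line."""
    picked = {label: find_hive(hives, "\\" + label) for label in ("SYSTEM", "SAM")}
    for label, (virt, phys) in picked.items():
        if issues := check_offsets(virt, phys, image_size):
            raise ValueError(f"{label}: " + "; ".join(issues))
    return f"volatility-2.3.standalone.exe hashdump -f {image} --profile={profile} -y {picked['SYSTEM'][0]:#x} -s {picked['SAM'][0]:#x}"
```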
Google Code Exporter commented
The Virtual and Physical addresses look OK.
I would recommend trying Volatility 2.4 from https://github.com/volatilityfoundation/volatility.
Also, this issue tracker is no longer used. Please log future issues here:
https://github.com/volatilityfoundation/volatility/issues
Original comment by michael.hale@gmail.com on 18 Sep 2014 at 4:55
- Changed state: Invalid