truerustyy / wcreddump

Fully automated Windows credentials dumper for SAM (classic password hashes) and Windows Hello (PIN hashes). Must be run from a Linux machine with the target Windows drive mounted.


About tool

On one hand, SAM dumping tools are widely used but surprisingly poorly automated. On the other hand, Windows Hello PIN dumping tools barely exist. This simple and lightweight Python script automates credential dumping for both cases.

Requirements

Requires the following conditions:

  • Run from a GNU/Linux terminal (python wcreddump.py)
  • pypykatz installed on the system (apt install pypykatz)
  • Python >= 3.10 with the following libraries installed: dpapick3, PyCryptodome (pip install dpapick3 PyCryptodome)
  • WINHELLO2hashcat.py in the same directory as wcreddump.py (https://github.com/Banaanhangwagen/WINHELLO2hashcat)
  • A mounted drive with a Windows OS on it

Usage example

Example usage of wcreddump on Kali Linux.

Dumped data is printed to the terminal and, if autosave is set to True, saved automatically in the outputs folder under a name built from the drive name and the current Unix time. The outputs folder is created automatically if it does not exist. Dumped hashes can be cracked with John the Ripper or hashcat: use -m 1000 for the NTLM hashes from the SAM hive, and -m 28100 for the PIN hashes from Windows Hello (https://hashcat.net/wiki/doku.php?id=example_hashes).

Other info

Tool tested on Windows 10 22H2 build 19045.4170. As stated in https://github.com/Banaanhangwagen/WINHELLO2hashcat?tab=readme-ov-file#remarks, systems whose Windows Hello keys are protected by a TPM will not work, because the key material never leaves the TPM. Since pypykatz also dumps some OS information such as LSA secrets and the boot key, that data can be saved into a separate INFOS file by setting the dumpInfos boolean to True. It defaults to False.

Provided "as is" without any warranty of any kind. Do not use for illegal purposes. Feel free to report bugs or mistakes, or to make suggestions. Good luck with your cracking!
