home.social

#dumphash — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #dumphash, aggregated by home.social.

  1. 🛠️ Tool

    Opening: This repository documents a practicable method for extracting Windows account hashes by combining built-in registry export, a local reduction step, BootKey extraction and secretsdump. The author provides source artifacts including RegReduction.ps1, BootKey.c and a compiled BootKey.exe, plus guidance on exporting the three core hives (SAM, SYSTEM, SECURITY) from a target machine.

    Key Features:
    • Exposes a flow that leverages the system binary reg.exe to export registry hives at scale.
    • Supplies a PowerShell-based reduction tool (RegReduction.ps1) to reconstruct binary hive files from exported .reg artifacts.
    • Includes BootKey.c and BootKey.exe to extract the system BootKey without requiring administrative privileges in the tested environments.
    • Demonstrates final credential extraction using secretsdump against the reconstructed hives.

    Technical Implementation:
    • The workflow relies on exporting HKLM\SAM, HKLM\SYSTEM and HKLM\SECURITY via the system registry export facility, then reconstructing the binary hive representation locally with RegReduction.ps1.
    • BootKey extraction is implemented in a C utility (BootKey.c) provided in the repo; the derived binary BootKey is consumed by offline tools capable of decrypting LSA secrets and NT hashes.
    • The final extraction step uses secretsdump-style logic to parse the SAM/SECURITY blobs with the BootKey to recover account NTLM credentials.

    Use Cases:
    • Red team operations seeking post-exploitation credential harvesting where standard EDR detection blocks direct memory dumping.
    • Forensic practitioners needing an offline method to reconstruct registry hive artifacts from exported textual dumps for analysis.
    • Research into living-off-the-land (LotL) techniques that abuse trusted system utilities to evade behavioral detections.

    Limitations:
    • The method depends on the ability to export registry hives from the target; test notes indicate reg.exe export may require SYSTEM privileges on some Windows versions (notably Win10/Win11 and Windows Server 2025), while older servers may allow export with administrator rights.
    • The BootKey extraction utility was observed by the author to run without elevated rights in tests; detection coverage by endpoint products varied and a VirusTotal snapshot was referenced by the author as part of testing.
    • The repo author later acknowledged similar prior public research touching on LSA/Task decorrelation techniques.

    Final note: The release is presented as a GitHub tool with source artifacts and practical testing notes; the repo documents concrete filenames and steps for reconstruction and extraction rather than providing high-level theory. #tool #EDR #DumpHash #SAM #secretsdump

    🔗 Source: github.com/AabyssZG/HashDump-B
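The post's Technical Implementation section names the signal a defender can watch for: the built-in reg.exe writing HKLM\SAM, HKLM\SYSTEM and HKLM\SECURITY to disk. The following detection logic is an added example written for this page; it is not code from the HashDump-B repository or its author. It assumes process-creation events (Sysmon Event ID 1 or Security 4688 style) have been flattened into a constructed one-line key=value format, flags each export of a sensitive hive, and raises a higher-severity finding when all three hives are written on one host within a short window, which is the pattern the described workflow requires. The `save` subcommand is included alongside `export` so the rule also covers the binary hive form; the sample events are constructed.

```python
"""Detect reg.exe writing the SAM/SYSTEM/SECURITY hives to disk.

Added example (not from the HashDump-B repo). Input is a constructed
key=value process-creation record:
  <iso-ts> host=<name> user=<account> image=<path> cmdline="<full command line>"
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The three hives the post names as the inputs to offline hash extraction.
SENSITIVE_HIVES = {"SAM", "SECURITY", "SYSTEM"}
# reg.exe subcommands that write a hive to disk. The post describes `export`;
# `save` (binary form) is included for coverage.
HIVE_WRITING_SUBCOMMANDS = {"export", "save"}

_EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>.+?)\s+'
    r'image=(?P<image>\S+)\s+cmdline="(?P<cmd>[^"]*)"$'
)
# Matches HKLM\SAM, HKEY_LOCAL_MACHINE\SECURITY\..., etc. (case-insensitive).
_TARGET_RE = re.compile(
    r'^(?:HKLM|HKEY_LOCAL_MACHINE)\\(?P<hive>SAM|SECURITY|SYSTEM)(?:\\|$)', re.I
)


def parse_event(line):
    """Parse one constructed event line; return a dict or None if malformed."""
    m = _EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def classify_reg_command(image, cmdline):
    """Return the hive name if reg.exe is writing a sensitive hive, else None."""
    if image.rsplit("\\", 1)[-1].lower() != "reg.exe":
        return None
    parts = cmdline.split()
    if len(parts) < 3 or parts[1].lower() not in HIVE_WRITING_SUBCOMMANDS:
        return None
    m = _TARGET_RE.match(parts[2].strip('"'))
    return m.group("hive").upper() if m else None


def scan_process_events(lines, window=timedelta(minutes=10)):
    """One 'medium' finding per sensitive hive write, plus one 'high'
    full_hive_set finding per host once SAM, SECURITY and SYSTEM have all
    been written on that host within `window`."""
    findings = []
    per_host = defaultdict(list)  # host -> [(timestamp, hive)]
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        hive = classify_reg_command(ev["image"], ev["cmd"])
        if hive is None:
            continue
        findings.append({"rule": "sensitive_hive_export", "severity": "medium",
                         "host": ev["host"], "user": ev["user"],
                         "hive": hive, "cmd": ev["cmd"]})
        per_host[ev["host"]].append((ev["ts"], hive))
        recent = {h for t, h in per_host[ev["host"]] if ev["ts"] - t <= window}
        already = any(f["rule"] == "full_hive_set" and f["host"] == ev["host"]
                      for f in findings)
        if recent == SENSITIVE_HIVES and not already:
            findings.append({"rule": "full_hive_set", "severity": "high",
                             "host": ev["host"], "user": ev["user"]})
    return findings


# Constructed sample events: one benign export, a full three-hive set on WS01,
# a harmless query on WS02, a malformed line, and a lone SAM save on WS03.
SAMPLE_EVENTS = [
    r'2024-05-01T10:00:00Z host=WS01 user=CORP\alice image=C:\Windows\System32\reg.exe cmdline="reg export HKLM\SOFTWARE\Policies C:\temp\pol.reg"',
    r'2024-05-01T10:01:00Z host=WS01 user=CORP\alice image=C:\Windows\System32\reg.exe cmdline="reg export HKLM\SAM C:\Users\Public\sam.reg"',
    r'2024-05-01T10:02:00Z host=WS01 user=CORP\alice image=C:\Windows\System32\reg.exe cmdline="reg export HKLM\SYSTEM C:\Users\Public\system.reg"',
    r'2024-05-01T10:02:30Z host=WS02 user=CORP\bob image=C:\Windows\System32\reg.exe cmdline="reg query HKLM\SYSTEM\Select"',
    r'this line is not a process event',
    r'2024-05-01T10:03:00Z host=WS01 user=CORP\alice image=C:\Windows\System32\reg.exe cmdline="reg export HKEY_LOCAL_MACHINE\SECURITY C:\Users\Public\security.reg"',
    r'2024-05-01T11:30:00Z host=WS03 user=NT AUTHORITY\SYSTEM image=C:\Windows\SysWOW64\reg.exe cmdline="reg save HKLM\SAM C:\Windows\Temp\s.hiv"',
]

if __name__ == "__main__":
    for f in scan_process_events(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["rule"], f["host"], f.get("hive", ""))
```

The per-event findings are what a SIEM rule would emit on each `reg export`/`reg save` of a sensitive hive; the correlated `full_hive_set` finding is the higher-confidence alert, since the workflow described in the post needs all three hives before secretsdump can recover hashes. In production the parser would be replaced by the native Sysmon/4688 fields (Image and CommandLine), and the window tuned to the environment.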