{"id":326,"date":"2011-08-19T16:03:54","date_gmt":"2011-08-19T15:03:54","guid":{"rendered":"http:\/\/www.floyd.ch\/?p=326"},"modified":"2022-02-09T11:16:30","modified_gmt":"2022-02-09T10:16:30","slug":"extracting-windows-hashes","status":"publish","type":"post","link":"https:\/\/www.floyd.ch\/?p=326","title":{"rendered":"Extracting Windows Hashes"},"content":{"rendered":"<p>Extracting Windows hashes for password cracking is pretty basic, right? If you try to copy the SAM and SYSTEM files from C:\\WINDOWS\\system32\\config\\ on a running Windows 2003 server you get an error message, saying that they are already in use. So before you start <a title=\"Shadowcopy to steal the sam\" href=\"http:\/\/www.dcortesi.com\/blog\/2005\/03\/22\/using-shadow-copies-to-steal-the-sam\/\">using shadowcopies<\/a> or ntbackup or any other tools, consider just copying C:\\WINDOWS\\repair\\SAM and SYSTEM. These are basically the same files, although it seems that the repair folder is not always up to date.<\/p>\n<p>Update: There is some more research going on at <a href=\"https:\/\/web.archive.org\/web\/20131016053654\/http:\/\/pauldotcom.com\/2011\/11\/safely-dumping-hashes-from-liv.html\" target=\"_blank\" rel=\"noopener\">pauldotcom<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Extracting Windows hashes for password cracking is pretty basic, right? If you try to copy the SAM and SYSTEM files from C:\\WINDOWS\\system32\\config\\ on a running Windows 2003 server you get an error message, saying that they are already in use. 
So &hellip; <a href=\"https:\/\/www.floyd.ch\/?p=326\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[35,36,37,38,34],"class_list":["post-326","post","type-post","status-publish","format-standard","hentry","category-various","tag-cracking","tag-hashes","tag-sam","tag-shadowcopy","tag-windows"],"_links":{"self":[{"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/posts\/326","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=326"}],"version-history":[{"count":9,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/posts\/326\/revisions"}],"predecessor-version":[{"id":1258,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/posts\/326\/revisions\/1258"}],"wp:attachment":[{"href":"https:\/\/www.floyd.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=326"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=326"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=326"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}