NTLMX

Primary language: PowerShell. License: BSD-3-Clause. Published on the PowerShell Gallery.

Post-exploitation NTLM password hash extractor.

Description

Extracts local NTLM user password hashes from the registry. It handles both the AES-128-CBC-with-IV scheme introduced with Windows 10 1607 and the traditional MD5/RC4 approach used in Windows 7/8/8.1.

Note: the script must be run as SYSTEM.

See ImpersonateSystem for a way to obtain a SYSTEM context from within an elevated one.
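As an added defensive example (not part of NTLMX), the Python below walks Windows Security event 4663 registry-access records and flags any process other than lsass.exe reading the SAM account keys that registry-based hash extraction of the kind described above has to touch. The event records, field names and the lsass.exe-only allow-list are assumptions constructed for this example; real events require the "Audit Registry" subcategory and a SACL on HKLM\SAM.

```python
import ntpath
from collections import Counter

# Registry path below which the SAM keeps per-account data; event 4663 reports
# registry objects in this \REGISTRY\MACHINE form rather than as HKLM\...
SAM_ACCOUNT_PREFIX = r"\REGISTRY\MACHINE\SAM\SAM\Domains\Account\Users"

# Assumption: on a healthy host only lsass.exe is expected to read these keys.
# Extend the allow-list after baselining your own environment.
DEFAULT_ALLOWED = frozenset({"lsass.exe"})

# Constructed sample events in the shape of Security event 4663 fields.
# Invented for this example, not captured from a real system.
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "SYSTEM", "Accesses": "Query key value",
     "ProcessName": r"C:\Windows\System32\lsass.exe",
     "ObjectName": SAM_ACCOUNT_PREFIX + r"\000003E9\V"},
    {"EventID": 4663, "SubjectUserName": "SYSTEM", "Accesses": "Query key value",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ObjectName": SAM_ACCOUNT_PREFIX + r"\000001F4\V"},
    {"EventID": 4663, "SubjectUserName": "SYSTEM", "Accesses": "Query key value",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ObjectName": SAM_ACCOUNT_PREFIX + r"\000003E9\V"},
    {"EventID": 4663, "SubjectUserName": "SYSTEM", "Accesses": "Query key value",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"},
]


def is_sam_account_access(event):
    """True if the record is a 4663 registry access below the SAM account keys."""
    obj = event.get("ObjectName", "")
    return event.get("EventID") == 4663 and obj.upper().startswith(SAM_ACCOUNT_PREFIX.upper())


def find_sam_hash_access(events, allowed=DEFAULT_ALLOWED):
    """Return (image name, full process path, object) for each SAM account-key
    access made by a process whose image name is not on the allow-list."""
    hits = []
    for ev in events:
        if not is_sam_account_access(ev):
            continue
        image = ntpath.basename(ev.get("ProcessName", "")).lower()
        if image not in allowed:
            hits.append((image, ev["ProcessName"], ev["ObjectName"]))
    return hits


def summarize(hits):
    """Count offending accesses per process image name for a quick triage view."""
    return Counter(image for image, _, _ in hits)


if __name__ == "__main__":
    for image, path, obj in find_sam_hash_access(SAMPLE_EVENTS):
        print(f"ALERT: {path} read {obj}")
```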

Supported Target Systems

So far the script has been tested and confirmed to work on:

  • Windows 10 1809 with PowerShell 5.1
  • Windows 8.1 with PowerShell 4.0
  • Windows 7 with PowerShell 2.0

Installation

Install from PowerShell Gallery

Install-Module -Name NTLMX

or

git clone https://github.com/tobiohlala/NTLMX

Usage

Import-Module NTLMX

Get-NTLMLocalPasswordHashes

Examples

Get-Help Get-NTLMLocalPasswordHashes -Examples