pwdump
Extract Windows password hashes for auditing
TLDR
Dump Windows password hashes
$ pwdump [system] [sam]
Dump from local SAMcopy
$ pwdump localhost
Output to filecopy
$ pwdump [target] > [hashes.txt]
With specific usercopy
$ pwdump [target] -u [administrator] -p [password]
copy
SYNOPSIS
pwdump [options] target
DESCRIPTION
pwdump extracts Windows password hashes from the SAM database. These hashes can then be cracked offline. Used for security auditing and penetration testing.Several versions exist (pwdump7, fgdump, etc.) with varying capabilities.
EXAMPLES
$ # Dump local hashes
pwdump localhost
# Remote system (admin required)
pwdump \\\192円.168.1.100
# Save for cracking
pwdump localhost > hashes.txt
# Then crack with John
john --format=NT hashes.txt
pwdump localhost
# Remote system (admin required)
pwdump \\\192円.168.1.100
# Save for cracking
pwdump localhost > hashes.txt
# Then crack with John
john --format=NT hashes.txt
copy
OUTPUT FORMAT
$ Username:RID:LM_Hash:NT_Hash:::
copy
HASH TYPES
$ LM Hash - Legacy, weak (pre-Vista)
NT Hash - NTLM hash (current)
NT Hash - NTLM hash (current)
copy
CAVEATS
Requires administrator privileges. Windows-specific. Use only on systems you own or have authorization to test. May be detected by antivirus.
HISTORY
pwdump was developed for Windows password auditing. Multiple versions (pwdump2-7, fgdump) have been created by various security researchers.