nishang

Get-PassHashes not working on Windows 10

Open cfalta opened this issue 7 years ago • 2 comments

Get-PassHashes does not work on Windows 10 1607. It always returns empty LM/NTLM hashes on execution. I attached a screenshot that shows the problem on a test machine. On the left side is the output from Get-PassHashes, on the right side is the (correct) output from mimikatz.

cfalta, Feb 14 '17 14:02

Hi, sorry for the late reply. Let me test the issue.

samratashok, Feb 18 '17 17:02

Hi,

thanks for looking into it. From what I can tell so far, the problem seems to be the powerdump code that gets the encrypted hashes from the SAM. At line 321, two checks start that verify the LM/NTLM header in the registry (-eq 20), and these checks never succeed in Windows 10. I guess they changed something in the layout and therefore the hashes aren't located at the same offsets anymore. Do you know if there's some kind of documentation on this?

Thanks again, best regards

Christoph

cfalta, Feb 19 '17 09:02