wcreddump: Fully automated windows credentials dumper, from SAM and WINHELLO

wcreddump

On one hand, SAM dumping tools are widely used but surprisingly not very automated. On the other hand, WINHELLO (Windows Hello) PIN-dumping tools barely exist. This simple and lightweight Python script automates the process of credential dumping for both of these cases.

Requirements

Requires the following conditions:

  • To be run from a GNU/Linux terminal (python wcreddump.py)
  • pypykatz installed on the system (apt install pypykatz)
  • Python >= 3.10 with the following libraries installed: dpapick3, PyCryptodome (pip install dpapick3 PyCryptodome)
  • WINHELLO2hashcat.py in the same directory as wcreddump.py
  • A mounted drive with a Windows OS on it

Download

git clone https://github.com/truerustyy/wcreddump.git

Use


credential dumping

Dumped data is printed in the terminal and, if autosave is set to True, saved automatically in the outputs folder under a file name made of the drive name and the current Unix time. The outputs folder is created automatically if it does not exist. Dumped hashes can be cracked with JTR or hashcat: use -m 1000 for NTLM hashes from the SAM hive and -m 28100 for PINs from WINHELLO (https://hashcat.net/wiki/doku.php?id=example_hashes).

Other infos

Tool tested on Windows 10 22H2 build 19045.4170. As said in the remarks, systems with a TPM won't work, as their credentials are protected by it. Since pypykatz automatically dumps some OS information such as LSA secrets and boot keys, it is now possible to save them into a new INFOS file by turning on the dumpInfos boolean. Defaults to False.

Source: https://github.com/truerustyy/