Windows hashes are saved in the SAM file (encrypted with the SYSTEM file) on your computer regardless of whether you are using a Microsoft account. It needs to be done this way to allow you to log in to your computer even if you are not connected to the internet. If you change your password using account.microsoft.com, you will still be able to log in to your computer with your old password (even if you are using a Microsoft account). After logging in to the system, you will be prompted to type a new password, but as long as you don't type a new password, you will be able to use the old password to log in to your computer. After you type a new password, the SAM (and possibly SYSTEM) file will be updated.
You (wrongly) get the hash 31d6cfe0d16ae931b73c59d7e0c089c0 for your password because the format of the SAM and/or SYSTEM files has changed since the Windows 10 Anniversary Update (see: similar problem); thus tools like chntpw, bkhive, pwdump and samdump2 print the hash of the empty password (I verified it on my Windows 10). Since this update, Windows uses AES128 to encrypt the password's MD4 hash. Because of that, nearly all tutorials regarding Windows password recovery have become outdated.
Fortunately there is a tool called mimikatz (Windows-only, but it can be run on Linux using Wine), created by Benjamin Delpy, that can read password hashes saved in Windows' new format. Note that Windows Defender and Symantec antivirus treat it as a 'Hack Tool' and remove it, so you need to disable them before running mimikatz (run as an administrator).
mimikatz consists of many modules, but you should explore the lsadump module, particularly the lsadump::sam function.
Excerpt from docs:
If you're not SYSTEM or using an impersonated SYSTEM token, you'll get an access denied error:
mimikatz # lsadump::sam
Domain : VM-W7-ULT-X
SysKey : 74c159e4408119a0ba39a7872e9d9a56
ERROR kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx SAM Accounts (0x00000005)
In this case, you can use psexec (or other tools) to start as SYSTEM, or elevate with the token::elevate command to impersonate a SYSTEM token:
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # token::whoami
* Process Token : 623884 vm-w7-ult-x\Gentil Kiwi S-1-5-21-1982681256-1210654043-1600862990-1000 (14g,24p) Primary
* Thread Token : no token
mimikatz # token::elevate
Token Id : 0
User name :
SID name : AUTORITE NT\Système
228 24215 AUTORITE NT\Système S-1-5-18 (04g,30p) Primary
-> Impersonated !
* Process Token : 623884 vm-w7-ult-x\Gentil Kiwi S-1-5-21-1982681256-1210654043-1600862990-1000 (14g,24p) Primary
* Thread Token : 624196 AUTORITE NT\Système S-1-5-18 (04g,30p) Impersonation (Delegation)
mimikatz # lsadump::sam
Domain : VM-W7-ULT-X
SysKey : 74c159e4408119a0ba39a7872e9d9a56
SAMKey : e44dd440fd77ebfe800edf60c11d4abd
RID : 000001f4 (500)
User : Administrateur
LM :
NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0
RID : 000001f5 (501)
User : Invité
LM :
NTLM :
RID : 000003e8 (1000)
User : Gentil Kiwi
LM :
NTLM : cc36cf7a8514893efccd332446158b1a
You can download x86 and amd64 binaries of mimikatz here.
As a side note – if you want to make sure that a hash is really the hash of your password, you can easily check it using Python:
user@mycompa:~$ python3
Python 3.5.3 (default, Jan 19 2017, 14:11:04)
[GCC 6.3.0 20170118] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import hashlib, binascii
>>> passwd = "password"
>>> hash = hashlib.new('md4', passwd.encode('utf-16le')).digest()
>>> print(binascii.hexlify(hash))
b'8846f7eaee8fb117ad06bdd830b7586c'