Post-exploitation NTLM password hash extractor.
Extracts local NTLM user password hashes from the registry, handling both the AES-128-CBC encryption with IV obfuscation introduced in Windows 10 1607 and the traditional MD5/RC4 scheme used in Windows 7/8/8.1.
Note: Must be run as SYSTEM. See ImpersonateSystem to accomplish that from within an elevated context.
So far the script has been tested to work on:
- Windows 10 1809 with PowerShell 5.1
- Windows 8.1 with PowerShell 4.0
- Windows 7 with PowerShell 2.0
Install from PowerShell Gallery
Install-Module -Name NTLMX
or
git clone https://github.com/tobiohlala/NTLMX
Import-Module NTLMX
Get-NTLMLocalPasswordHashes
Get-Help Get-NTLMLocalPasswordHashes -Examples