Skip to content
›_Secrets Dump

Posts tagged: #windows

Back to all posts
Decrypting local account hashes from the SAM hive
From the hashed boot key to a user's NT hash: the F and V structures, the RC4 vs AES storage formats, and the per-RID DES layer that wraps every Windows password hash.
windowscredentialssamntlm
How the Windows boot key (syskey) works
The boot key is the root of all offline credential dumping. Here is where it lives, why it is scrambled across four registry keys, and how to reassemble it from the SYSTEM hive.
windowscredentialsregistrysyskey
Inside NTDS.dit: the ESE database and the PEK
A domain controller stores every account hash in an ESE database. Here is how the datatable is laid out, how the Password Encryption Key is derived, and how each hash is unwrapped.
windowsactive-directoryntdsese
LSA secrets and cached domain credentials
The SECURITY hive stores service passwords, the machine account, DPAPI keys, and offline logon caches. Here is how the LSA key unlocks them — and why DCC2 is salted but still dumpable.
windowscredentialslsadcc2