forked from EricZimmerman/KapeFiles
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request EricZimmerman#773 from stark4n6/master
Windows Hello 2 Hashcat
- Loading branch information
Showing
2 changed files
with
147 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| Description: 'Windows Hello 2 Hashcat' | ||
| Category: Windows | ||
| Author: Kevin Pagano | ||
| Version: 1.0 | ||
| Id: 07a020cc-ef74-4746-bcf9-04c6575ec4a4 | ||
| BinaryUrl: https://github.com/Banaanhangwagen/WINHELLO2hashcat | ||
| ExportFormat: txt | ||
| Processors: | ||
| - | ||
| Executable: WINHELLO2hashcat.exe | ||
| CommandLine: --windows %sourceDirectory% | ||
| ExportFormat: txt | ||
| ExportFile: winhello_hash.txt | ||
|
|
||
| # Documentation | ||
| # WINHELLO2hashcat - Extracts "hash" from Windows Hello PIN for cracking in Hashcat | ||
| # https://github.com/Banaanhangwagen/WINHELLO2hashcat | ||
| # Make sure to have the python package "dpapick3" per the requirements for the .py | ||
| # You will need to package the .py to .exe for running in KAPE via https://pypi.org/project/auto-py-to-exe/ | ||
| # It is recommended to collect with KAPE Target first and then parse the Windows directory as input |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,127 @@ | ||
| Description: Windows Hello | ||
| Author: Kevin Pagano | ||
| Version: 1.0 | ||
| Id: 4d41e991-989a-4163-954e-2f44bd55eb71 | ||
| RecreateDirectories: true | ||
| Targets: | ||
| - | ||
| Name: Cryptokeys | ||
| Category: Windows Hello | ||
| Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\ | ||
| Recursive: true | ||
| - | ||
| Name: Masterkey | ||
| Category: Windows Hello | ||
| Path: C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\ | ||
| Recursive: true | ||
| - | ||
| Name: NGC | ||
| Category: Windows Hello | ||
| Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc\ | ||
| Recursive: true | ||
| - | ||
| Name: SECURITY registry transaction files | ||
| Category: Registry | ||
| Path: C:\Windows\System32\config\ | ||
| FileMask: SECURITY.LOG* | ||
| - | ||
| Name: SECURITY registry transaction files | ||
| Category: Registry | ||
| Path: C:\Windows.old\Windows\System32\config\ | ||
| FileMask: SECURITY.LOG* | ||
| - | ||
| Name: SOFTWARE registry transaction files | ||
| Category: Registry | ||
| Path: C:\Windows\System32\config\ | ||
| FileMask: SOFTWARE.LOG* | ||
| - | ||
| Name: SOFTWARE registry transaction files | ||
| Category: Registry | ||
| Path: C:\Windows.old\Windows\System32\config\ | ||
| FileMask: SOFTWARE.LOG* | ||
| - | ||
| Name: SYSTEM registry transaction files | ||
| Category: Registry | ||
| Path: C:\Windows\System32\config\ | ||
| FileMask: SYSTEM.LOG* | ||
| - | ||
| Name: SYSTEM registry transaction files | ||
| Category: Registry | ||
| Path: C:\Windows.old\Windows\System32\config\ | ||
| FileMask: SYSTEM.LOG* | ||
| - | ||
| Name: SECURITY registry hive | ||
| Category: Registry | ||
| Path: C:\Windows\System32\config\ | ||
| FileMask: SECURITY | ||
| - | ||
| Name: SECURITY registry hive | ||
| Category: Registry | ||
| Path: C:\Windows.old\Windows\System32\config\ | ||
| FileMask: SECURITY | ||
| - | ||
| Name: SOFTWARE registry hive | ||
| Category: Registry | ||
| Path: C:\Windows\System32\config\ | ||
| FileMask: SOFTWARE | ||
| - | ||
| Name: SOFTWARE registry hive | ||
| Category: Registry | ||
| Path: C:\Windows.old\Windows\System32\config\ | ||
| FileMask: SOFTWARE | ||
| - | ||
| Name: SYSTEM registry hive | ||
| Category: Registry | ||
| Path: C:\Windows\System32\config\ | ||
| FileMask: SYSTEM | ||
| - | ||
| Name: SYSTEM registry hive | ||
| Category: Registry | ||
| Path: C:\Windows.old\Windows\System32\config\ | ||
| FileMask: SYSTEM | ||
| - | ||
| Name: SECURITY registry hive (RegBack) | ||
| Category: Registry | ||
| Path: C:\Windows\System32\config\RegBack\ | ||
| FileMask: SECURITY | ||
| - | ||
| Name: SECURITY registry hive (RegBack) | ||
| Category: Registry | ||
| Path: C:\Windows.old\Windows\System32\config\RegBack\ | ||
| FileMask: SECURITY | ||
| - | ||
| Name: SOFTWARE registry hive (RegBack) | ||
| Category: Registry | ||
| Path: C:\Windows\System32\config\RegBack\ | ||
| FileMask: SOFTWARE | ||
| - | ||
| Name: SOFTWARE registry hive (RegBack) | ||
| Category: Registry | ||
| Path: C:\Windows.old\Windows\System32\config\RegBack\ | ||
| FileMask: SOFTWARE | ||
| - | ||
| Name: SYSTEM registry hive (RegBack) | ||
| Category: Registry | ||
| Path: C:\Windows\System32\config\RegBack\ | ||
| FileMask: SYSTEM | ||
| - | ||
| Name: SYSTEM registry hive (RegBack) | ||
| Category: Registry | ||
| Path: C:\Windows.old\Windows\System32\config\RegBack\ | ||
| FileMask: SYSTEM | ||
| - | ||
| Name: SYSTEM registry hive (RegBack) | ||
| Category: Registry | ||
| Path: C:\Windows\System32\config\RegBack\ | ||
| FileMask: SYSTEM1 | ||
| - | ||
| Name: SYSTEM registry hive (RegBack) | ||
| Category: Registry | ||
| Path: C:\Windows.old\Windows\System32\config\RegBack\ | ||
| FileMask: SYSTEM1 | ||
|
|
||
| # Documentation | ||
| # Files and folders to be used for cracking the Windows Hello PIN | ||
| # NOTE: You may need to uncheck the "Deduplicate" function in KAPE as it may filter out needed Cryptokey files | ||
| # https://github.com/Banaanhangwagen/WINHELLO2hashcat | ||
| # https://hashcat.net/forum/thread-10461.html |