You should be familiar with the well known tool PWDUMP2 from Todd Sabin; it is an application which dumps the password hashes (OWFs) from NT's SAM (Security Account Manager) database, whether or not SYSKEY is enabled on the system. Cain's NT Hashes Dumper does exactly the same thing and allows you to import password hashes directly into the relative "LM & NTLM Hashes" password cracker tab.

What Cain's NT Hashes Dumper offers more than PWDUMP2 is the ability to dump password history hashes. Windows can be instructed to remember a number of previous user's passwords using the Password Security Policy "Enforce Password History". In this way the user cannot choose a password used before as the new one. The operating system stores history passwords under the same form as those currently used but those kind of hashes are not returned, as in PWDUMP2, by the "SamrQueryInformationUser" function of SAMSRV.DLL; they have to be extracted using the native function "SamIGetPrivateData" and decrypted later by "SystemFunction025" and "SystemFunction027" of ADVAPI32.DLL.

How it works

This feature of the program follows the same methodology used by Todd Sabin in his PWDUMP2 program to dump NT hashes present on the system. It uses the "DLL injection" technique to run a thread in the same security context of the Local Security Authority Subsystem process. The thread's executable code must first be copied to the address space of LSASS process and this requires an account with the SeDebugPrivilege user right. By default only Administrators have this right.

Once injected and executed the thread will run with the same access privileges of the Local Security Authority Subsystem; it will load the functions "DumpHashes"and "DumpHistory" from Abel.dll that will enumerate user's hashes present in the SAM database. This is done by mean of some native functions of SAMSRV.DLL library like "SamrEnumerateUsersInDomain", "SamrOpenUser", "SamrQueryInformationUser" and "SamIGetPrivateData". The thread stores the data returned from these functions in two temporary files named hashes.txt and history.txt located in the same directory of the program. Finally, the content of these files is put on the screen and the temporary files are deleted.


Cain can also import SYSKEY encrypted NT hashes from "off-line" SAM database files. This feature requires the correct Boot Key (Startup Key), created with the SYSKEY utility, to decrypt the encrypted hashes. The Boot Key is usually stored in the SYSTEM registry file, you can use Cain's Syskey Decoder to recover it for you.


To dump NT hashes you can press the "Insert" button on the keyboard or click the icon with the blue + on the toolbar.




From the dialog you can choose the source of the import function, the local system, a text file (from PWDUMP or L0phtCrack) or an off-line SAM file.


If you need to recover hashes from a SAM file not encrypted by SYSKEY, simply leave the Boot Key field empty.


Once dumped, password hashes can be sent to LM & NTLM cracker using the list pop up menu.


The local system import function requires an account with the SeDebugPrivilege user right. By default only Administrators have this right. Abel.dll is also required by the remote thread injected into LSASS process. The extraction from a SYSKEY encrypted SAM file requires the correct Boot Key to decode the hashes.