Friday, September 4, 2015

Extracting Windows Users Password Hints with PowerShell

This is a quick blog post about extracting Password Hints for Windows users using PowerShell. Recently, while playing with Windows Registry, I found that it is trivial to extract password hints from Registry. It is available with metasploit as well. Since, I do Post Exploitation almost completely with PowerShell, I wrote Get-PassHints.ps1 to extract password hints for Windows Users using PowerShell. The password hints are stored in the HKLM:\SAM registry hive and we must run Get-PassHints from an elevated shell to be able to read the SAM hive. Though SYSTEM access is required to access the SAM hive, this neat trick by an anonymous user helped me to change permissions of the HKLM:\SAM\SAM\Domains hive where the password hints are stored. This way, we can use Administrative access instead of SYSTEM to read the SAM hive.

Here is how to use Get-PassHints:

And this is how it looks like in action:

Get-PassHints is available in the Gather category of Nishang:

Nothing new or extraordinary here. In fact, a domain computer can't have password hints unless there is a local user created before joining the computer to a domain.

Hope you enjoyed this!

If you liked the post and want to learn more and/or want to support my research and work, join me for a two days training "PowerShell for Penetration Testers" at:
DeepSec, Vienna (November 17-18th, 2015) -

No comments:

Post a Comment