Programs for extracting information from the Windows registry

mimikatz

mimikatz has many features related to Windows security and stored passwords. Among other things, it can extract passwords, secrets and hashes both from the system it is running on and from saved registry hive files.

From the extracted hashes, the user's password can be cracked.

RegRippy (regrip.py)

RegRippy is a framework for reading and extracting forensically useful data from Windows registry hives.

Installation on Kali Linux

sudo apt install python3-pip
sudo pip3 install regrippy

Installation in BlackArch

sudo pacman -R regrippy python-enum-compat python-python-registry python-unicodecsv
sudo pip3 install regrippy

This program can also be installed on Windows. Start by installing Python and PIP. After installing Python and PIP on Windows, run the following command:

pip install regrippy

Check if the installation was successful:

regrip.py --help
regrip.py -l

An example of a command that gets the name of the computer (compname) that owns the registry hive located at the path /mnt/disk_d/Share/config/SYSTEM (--system /mnt/disk_d/Share/config/SYSTEM):

regrip.py compname --system /mnt/disk_d/Share/config/SYSTEM

Output example:

HACKWARE-MIAL

An example of a command that displays information about the last logged-in user (lastloggedon) using the SOFTWARE registry hive (--software /mnt/disk_d/Share/config/SOFTWARE):

regrip.py lastloggedon --software /mnt/disk_d/Share/config/SOFTWARE

Output example:

LastLoggedOnSAMUser      .\MiAl
LastLoggedOnUser     .\MiAl
LastLoggedOnUserSID      S-1-5-21-1461214404-118510055-3688602372-1001

RegRipper

RegRipper is an open source tool written in Perl to extract/parse information (keys, values, data) from the registry and present it for analysis.

RegRipper consists of two main tools, each providing similar capabilities. RegRipper's graphical interface allows the analyst to select a registry hive for analysis, an output file for the results, and a profile (list of plugins) to run against the hive. When the analyst runs the tool against the registry hive, the results go to the file specified by the analyst; for example, the results of analyzing the System hive can be sent to system.txt. The GUI tool also creates a log of its activity in the same directory as the output file, using the same filename but with a .log extension (that is, if the output is written to system.txt, the log is written to system.log).

RegRipper also includes a command line (CLI) tool called rip. Rip can be directed to analyze a hive and can run either a profile (list of plugins) or a separate plugin for that hive, sending the results to STDOUT. Rip can be included in batch files by using redirection operators to send the output to a file. Rip does not keep a log of its activities.

Installing and running on Linux

Download the required files:

git clone https://github.com/keydet89/RegRipper3.0
cd RegRipper3.0

The easiest way to run it is under Wine, so start by installing that.

sudo dpkg --add-architecture i386
sudo apt update
sudo apt install wine winbind

Then run:

wine rr.exe

Installation on Windows

Download and unzip the archive from the link: https://github.com/keydet89/RegRipper3.0/archive/master.zip

To open the GUI, double-click the rr.exe file.

If you want to use the command line utility, open PowerShell or CMD, go to the folder with the unpacked archive and run the file:

rip.exe

Running a GUI program on Linux:

wine rr.exe

Select the registry hive to analyze and the file name under which to save the report.

Then click the “Rip!” button.

Wait for the completion of the work.

Open the report file.

Registry Explorer

Registry Explorer is a GUI-based tool for viewing the contents of offline registry hives. It can load multiple hives at once, search all loaded hives using strings or regular expressions, export data, bookmark selections, save changes made to a project, and much more.

Installing Registry Explorer on Windows

The program is designed to work on Windows and requires the full Microsoft .NET Framework, version 4.6 or higher (you can download it from https://www.microsoft.com/en-us/download/details.aspx?id=49982).

Download the “Registry Explorer/RECmd” archive from https://ericzimmerman.github.io/. Unpack it to any folder; the program is portable and does not require installation.

Double-click the RegistryExplorer.exe file to launch the GUI.

creddump

creddump is a Python tool for extracting various credentials and secrets from Windows registry hives. It currently retrieves:

  • LM and NT hashes (protected by SYSKEY)
  • Domain cached passwords
  • LSA secrets

The program is preinstalled in Kali Linux.

Installation in BlackArch:

sudo pacman -S creddump

An example of a command that displays local password hashes, where the registry hives are located in the /mnt/disk_d/Share/config/SYSTEM and /mnt/disk_d/Share/config/SAM files:

python2 ./pwdump.py /mnt/disk_d/Share/config/SYSTEM /mnt/disk_d/Share/config/SAM

Output example:

Администратор:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Гость:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
MiAl:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Tester:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

regipy

Regipy is a Python library for parsing offline registry hives.

The program can:

  • Dump the entire registry hive to json
  • Apply (recover) transactions to the registry hive from its transaction log files
  • Compare registry hives
  • Extract information using plugins

Installation on Kali Linux

sudo apt install python3-pip
sudo pip3 install regipy

Installation in BlackArch

sudo pacman -S regipy

Example of a command that runs the plugins to extract information from the SYSTEM hive and saves the results to the plugins_output.json file:

registry-plugins-run ~/Documents/TestEvidence/Registry/SYSTEM -o /tmp/plugins_output.json

chntpw

chntpw is a small program for viewing information and changing user passwords in the Windows NT/2000 user database file. You don't need to know the old passwords, since they are overwritten. It also contains a simple registry editor (which can only write data of the same size as the existing value) and a hex editor that lets you tinker with the bits and bytes in the file as you like.

Installing chntpw

The program is preinstalled in Kali Linux.

Installation in BlackArch

sudo pacman -S chntpw

Examples of commands:

Resetting the password for the ShareOverlord user (-u ShareOverlord) when the registry hive is located at /mnt/windows/Windows/System32/config/SAM:

sudo /usr/sbin/chntpw /mnt/windows/Windows/System32/config/SAM -u ShareOverlord

Unlocking the Administrator user:

sudo /usr/sbin/chntpw /mnt/windows/Windows/System32/config/SAM -u Администратор

Instructions: How to reset a Windows password

Retrieving Windows Registry Hives from Virtual Machines

With the virt-win-reg utility included in the libguestfs package, you can extract Windows registry hives directly from virtual disks without even starting the virtual machines. For details on libguestfs, see “How to open disks of virtual machines and download and upload files to them”.

virt-win-reg can extract any Windows registry hive, including those that are accessible only to the SYSTEM account on a running system.

General command form:

virt-win-reg '/PATH/TO/VIRTUAL/DISK' 'REGISTRY\HIVE'

By default, the content will be displayed on the screen, so you must use output redirection to save the data to a file.

For example, the command to extract the HKEY_LOCAL_MACHINE\SYSTEM hive from a Windows operating system whose virtual disk is located at /mnt/disk_d/Виртуальные машины/Windows 10 (en).vdi and save the resulting data to the SYSTEM.reg file:

virt-win-reg '/mnt/disk_d/Виртуальные машины/Windows 10 (en).vdi' 'HKEY_LOCAL_MACHINE\SYSTEM' > SYSTEM.reg

Another example, extracting the HKEY_LOCAL_MACHINE\SAM registry hive from the disk image /mnt/disk_d/Виртуальные машины/Windows Server 2019.vdi and saving the data to the SAM.reg file:

virt-win-reg '/mnt/disk_d/Виртуальные машины/Windows Server 2019.vdi' 'HKEY_LOCAL_MACHINE\SAM' > SAM.reg

NirSoft registry utilities

The following NirSoft utilities for working with the registry are also worth noting:

  • RegScanner
  • OfflineRegistryFinder
  • OfflineRegistryView
  • RegistryChangesView
  • RegFromApp
  • RegDllView
  • ActiveXHelper
  • RegFileExport

Windows Registry Tools: https://www.nirsoft.net/windows_registry_tools.html

winregfs

The winregfs program mounts the Windows registry hives to the file system. This allows you to navigate through the key hierarchy like regular folders, and the values can be edited like regular text files.

In addition, the package has a tool called “fsck.winregfs” that performs basic integrity checks on the registry hive.
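Both regipy's transaction recovery (described above) and the integrity checks of fsck.winregfs start from the hive's 4 KiB base block. The following is an added example, not code from either project: it parses that block with the Python standard library alone, verifying the regf signature, recomputing the XOR checksum and comparing the two sequence numbers, which differ when a hive is dirty and its .LOG1/.LOG2 transaction logs still have to be replayed. The header bytes come from build_sample_hive, which constructs a synthetic hive header rather than reading a real system file.

```python
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 0x1000   # the REGF base block occupies the first 4 KiB of a hive
CHECKSUM_OFFSET = 0x1FC    # XOR checksum over the 0x1FC bytes that precede it


def regf_checksum(base_block: bytes) -> int:
    """XOR of the 127 little-endian dwords before the checksum field."""
    xor = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:CHECKSUM_OFFSET]):
        xor ^= dword
    # The format reserves two results and remaps them.
    if xor == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return xor or 1


def parse_regf_header(base_block: bytes) -> dict:
    """Parse the base block and report what a basic integrity check would flag."""
    if len(base_block) < BASE_BLOCK_SIZE:
        raise ValueError("need the full 4096-byte base block")
    sig, seq1, seq2, filetime, major, minor = struct.unpack_from("<4sIIQII", base_block, 0)
    stored = struct.unpack_from("<I", base_block, CHECKSUM_OFFSET)[0]
    # Hive file name: up to 64 bytes of UTF-16LE at offset 48.
    name = base_block[48:112].decode("utf-16-le").split("\x00", 1)[0]
    # FILETIME is 100 ns ticks since 1601-01-01 UTC.
    written = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)
    return {
        "signature_ok": sig == b"regf",
        "version": f"{major}.{minor}",
        "filename": name,
        "last_written": written.isoformat(),
        # Unequal sequence numbers mean a write was interrupted: the hive is
        # dirty and its .LOG1/.LOG2 transaction logs must be replayed first.
        "dirty": seq1 != seq2,
        "checksum_ok": stored == regf_checksum(base_block),
    }


def build_sample_hive(seq1: int, seq2: int, valid_checksum: bool = True) -> bytes:
    """Constructed base block for the demo; not copied from a real system."""
    hdr = bytearray(BASE_BLOCK_SIZE)
    struct.pack_into("<4sIIQII", hdr, 0, b"regf", seq1, seq2, 132_500_000_000_000_000, 1, 5)
    struct.pack_into("<III", hdr, 28, 0, 1, 0x20)  # type: primary, format 1, root cell at 0x20
    hdr[48:60] = "SYSTEM".encode("utf-16-le")
    checksum = regf_checksum(bytes(hdr))
    struct.pack_into("<I", hdr, CHECKSUM_OFFSET, checksum if valid_checksum else checksum ^ 1)
    return bytes(hdr)
```

To check a real hive, pass the first 4096 bytes of the file (for example `open(path, "rb").read(4096)`) to parse_regf_header; a dirty result explains why tools such as regipy insist on the transaction logs before parsing.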

Installation on Kali Linux

sudo apt install winregfs

Installation in BlackArch

sudo pacman -S winregfs

To use winregfs, create a mount directory and point it to the registry hive of interest:

mkdir /tmp/reg
mount.winregfs /mnt/disk_d/Share/config/SOFTWARE /tmp/reg

Now you can see everything in this hive in the “/tmp/reg” directory:

ls /tmp/reg

Let's say you want to see programs that automatically start when you turn on your computer.

ls -l /tmp/reg/Microsoft/Windows/CurrentVersion/Run

You want to see what these values contain.

for X in /tmp/reg/Microsoft/Windows/CurrentVersion/Run/*; do echo -en "$X\n "; cat "$X"; echo; done

libregf

libregf is similar to winregfs in that it mounts a Windows registry file onto the file system. This allows you to navigate through the key hierarchy like regular folders, and the values can be edited like regular text files.

Installation on Kali Linux

sudo apt install libregf-utils

Installation in BlackArch

sudo pacman -S git autoconf automake libtool pkg-config
git clone https://github.com/libyal/libregf
cd libregf/
./synclibs.sh
./autogen.sh
./configure
make
sudo make install

To mount the REGF file (Windows registry hive) /mnt/disk_d/Share/config/SOFTWARE to the /tmp/reg directory:

mkdir /tmp/reg
regfmount /mnt/disk_d/Share/config/SOFTWARE /tmp/reg

This command exposes the keys and values stored in the REGF file as directories and files under the mount point.

Now you can see everything in this hive in the “/tmp/reg” directory:

ls /tmp/reg

Let's say you want to see programs that automatically start when you turn on your computer.

ls -l '/tmp/reg/Microsoft/Windows/CurrentVersion/Run/(values)/'

You want to see what these values contain.

for X in '/tmp/reg/Microsoft/Windows/CurrentVersion/Run/(values)/'*; do echo -en "$X\n "; cat "$X"; echo; done
