LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What does pwdump do, and what is the format of its output?

pwdump extracts password hashes from the Windows SAM database — the format is username:SID:LM_hash:NTLM_hash:::.

The SAM database:

Windows stores local user password hashes in the Security Account Manager (SAM) — a registry hive at C:\Windows\System32\config\SAM. It's locked while Windows runs and accessible only to SYSTEM.

What pwdump does:

  1. Uses Windows API + registry tricks to bypass the SAM lock
  2. Reads each user's stored credentials
  3. Outputs in a parseable format

Example output:

Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:6A83812D1B40D8EEFFAD65E787739CF7:::
Gast:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
labstudent:1000:AAD3B435B51404EEAAD3B435B51404EE:6A83812D1B40D8EEFFAD65E787739CF7:::

Format breakdown:

Field Meaning
Administrator Username
500 SID (Security Identifier) — 500 is always built-in admin
AAD3... LM hash (legacy, mostly disabled — AAD3B43... = empty)
6A83... NTLM hash — the one to crack
::: Trailing separator (empty fields)

The LM hash quirk:

AAD3B435B51404EEAAD3B435B51404EE is the LM hash of an empty string — modern Windows disables LM hashes by default, so you'll see this constant for everyone.

Why NTLM is crackable:

NTLM = unsalted MD4 of UTF-16 password. Two huge weaknesses:

  • No salt → identical passwords produce identical hashes
  • Fast hash → GPUs can compute ~100 billion NTLM/sec

Modern Windows uses additional protections (Credential Guard, Kerberos), but legacy NTLM hashes are still in many networks.

Tip: Ophcrack's PWDUMP parser expects each line to end with :::, so cracking workflows add three trailing colons to every line. Forgetting them → "file format error."

Naming note: You may see the trailing value described as an "AES-128 encrypted hash." In practice pwdump8 emits the standard LM:NTLM PWDUMP format shown above (the value to crack is the NTLM hash, an unsalted MD4). The Windows SAM does wrap stored hashes with an AES key on disk (since Windows 10), which is where that "AES-128" description comes from — but pwdump8 unwraps them and outputs the raw NTLM hash that Ophcrack then cracks via rainbow tables.

Go deeper:

From Quiz: INTROL / Password Cracking | Updated: Jul 14, 2026