Quarks PwDump is an open-source tool for extracting Windows user credentials. It can grab several types of credentials from Windows systems: local accounts, domain accounts, cached domain accounts and Bitlocker. The author wrote it because no existing tool could dump every type of hash together with Bitlocker information in one go. The tool does not inject into any process, so how does it work? The source code is worth reading.

It can currently dump:
– Local account NT/LM hashes + history
– Domain account NT/LM hashes + history
– Cached domain passwords
– Bitlocker recovery information (recovery passwords & key packages)

Supported operating systems: XP/2003/Vista/7/2008/8
1 / USAGE
=========

Here is how you use Quarks PwDump:

quarks-pwdump.exe <option(s)>
Options :
--dump-hash-local
--dump-hash-domain-cached
--dump-hash-domain (NTDS_FILE must be specified)
--dump-bitlocker (NTDS_FILE must be specified)
--with-history (optional)
--output-type JOHN/LC (optional, defaults to JOHN)
--output FILE (optional, defaults to stdout)

Dump options must be used all at once.
In all cases, the tool must be executed on the targeted operating system.

Some command examples:

– Dump domain hashes from NTDS.dit with its history
#quarks-pwdump.exe --dump-hash-domain --with-history

– Dump local account hashes to LC format
#quarks-pwdump.exe --dump-hash-local --output-type LC

– Dump Bitlocker recovery information from NTDS.dit to a file
#quarks-pwdump.exe --dump-bitlocker --output c:\bitlocker.txt c:\ntds.dit

All features require administrator privileges.


Screenshot from a local test (Win7 64-bit):

Download: http://code.google.com/p/quarkspwdump/ (access from China requires a proxy)

QuarksPwDump_v0.2b.zip (280.6 KB, 8,894 downloads)

When reposting, please credit WebShell'S Blog; original article: https://www.webshell.cc/4625.html