{
	"id": "fc0c3e6f-4b0b-4743-adce-98c856cfac07",
	"created_at": "2026-04-06T00:13:13.72219Z",
	"updated_at": "2026-04-10T03:21:54.739619Z",
	"deleted_at": null,
	"sha1_hash": "fa807d80ae7c887def66f378d9035a417ab87323",
	"title": "Quarks PwDump - Quarkslab's blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73976,
	"plain_text": "Quarks PwDump - Quarkslab's blog\r\nBy Sébastien Kaczmarek\r\nArchived: 2026-04-05 21:43:47 UTC\r\nQuarks PwDump is a new open source tool to dump various types of Windows credentials: local accounts, domain accounts, cached domain credentials and Bitlocker. The tool is currently designed to work live on the operating system, limiting the risk of undermining its integrity or stability. It requires administrator privileges and is still in beta test.\r\nQuarks PwDump is a native Win32 open source tool to extract credentials from Windows operating systems. It currently extracts:\r\n- Local account NT/LM hashes + history\r\n- Domain account NT/LM hashes + history stored in the NTDS.dit file\r\n- Cached domain credentials\r\n- Bitlocker recovery information (recovery passwords \u0026 key packages) stored in NTDS.dit\r\nJOHN and LC formats are handled. Supported OS are Windows XP / 2003 / Vista / 7 / 2008 / 8.\r\nWhy another pwdump-like dumper tool?\r\n- No tool can currently dump all kinds of hashes and Bitlocker information at the same time; a combination of tools is always needed.\r\n- The libesedb library (http://sourceforge.net/projects/libesedb/) encounters some rare crashes when parsing different NTDS.dit files. It is safer to use the Microsoft JET/ESE API directly to parse databases originally built with the same functions.\r\nhttps://blog.quarkslab.com/quarks-pwdump.html\r\nPage 1 of 4\r\n- The Bitlocker case has been added even though some specific Microsoft tools (Active Directory add-ons or VBS scripts) could be used to dump that information.\r\nWe plan to make it work fully offline, for example on a disk image.\r\nHow does it internally work?\r\nCase #1: Domain account hashes are extracted offline from NTDS.dit\r\nIt is not currently a fully offline dump because Quarks PwDump is dynamically linked with ESENT.dll (in charge of JET database parsing), which differs between Windows versions. For example, it is not possible to parse a Windows 2008 NTDS.dit file from XP: record checksums are computed in a different manner and the database files appear corrupted to the API functions. That is currently the main drawback of the tool; everything has to be done on the domain controller. However, no code injection or service installation is performed, and the NTDS.dit file can be copied safely using Microsoft VSS (Volume Shadow Copy Service).\r\nCase #2: Bitlocker information dump\r\nIt is possible to retrieve interesting information from Active Directory if specific GPOs have been applied by domain administrators (mainly \"Turn on BitLocker backup to Active Directory\" in group policy).\r\nRecovery password: a 48-digit passphrase that allows a user to mount their partition even if their password has been lost. This password can be used in the Bitlocker recovery console.\r\nKey package: a binary key file that allows a user to decipher data on a damaged disk or partition. It can be used with Microsoft tools, especially the Bitlocker Repair Tool.\r\nFor each entry found in NTDS.dit, Quarks PwDump prints the recovery password to STDOUT, and key files (key packages) are stored in a separate file for each recovery GUID: {GUID_1}.pk, {GUID_2}.pk, ...\r\nVolume GUID: a unique value for each BitLocker-encrypted volume. Recovery GUID: the recovery password identifier; it can be the same for different encrypted volumes.\r\nQuarks PwDump does not retrieve TPM information yet. When ownership of the TPM is taken as part of turning on BitLocker, a hash of the ownership password can be taken and stored in the AD directory service. This information can then be used to reset ownership of the TPM. This feature will be added in a future release.\r\nIn an enterprise environment, those GPOs are often applied in order to ensure that administrators can unlock a protected volume and employers can read specific files following an incident (an intrusion or other malicious act, for example).\r\nCase #3: Local account and cached domain credentials\r\nThere is nothing really new here; a lot of tools already dump them without any problem. However, we have chosen an uncommon way to dump them, which only a few tools use.\r\nHashes are extracted live from the SAM and SECURITY hives in a clean way, without code injection or a service. We use the native registry API, especially the RegSaveKey() and RegLoadKey() functions, which require the SeBackup and SeRestore privileges. Next we mount the saved SAM/REGISTRY hives at a different mount point and change the ACL of all keys in order to extend access to the Administrators group and not LocalSystem only. That is why we choose to work on a backup: to preserve system integrity.\r\nWriting this tool was not a really difficult challenge; Windows hash and Bitlocker information storage methodology is mostly well documented. However, it was an interesting project for understanding Microsoft's strange implementation and choices for each kind of storage:\r\n- High-level obfuscation techniques are used for local and domain account hashes: many constants, atypical registry value names, a useless ciphering layer, hidden constants stored in the registry Class attribute, ... However, they can be easily defeated.\r\n- The algorithms used sometimes differ between Windows versions, and the global credential storage approach is not consistent. The exhaustive list is: RC4, MD5, MD4, SHA-256, AES-256, AES-128 and DES.\r\n- Bitlocker information is stored in cleartext in AD Domain Services.\r\nThe project is still in beta test and we would really appreciate feedback, suggestions or comments about potential bugs.\r\nBinary and source code are available on GitHub (GNU GPL v3 license):\r\nQuarks PwDump v0.1b: https://github.com/quarkslab/quarkspwdump\r\nFor NTDS parsing technical details, you can also refer to the MISC MAG #59 article by Thibault Leveslin. Finally, we would like to thank the authors of NTDS hash dump (Csaba Barta), libesedb and creddump for their excellent work.\r\nSource: https://blog.quarkslab.com/quarks-pwdump.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.quarkslab.com/quarks-pwdump.html"
	],
	"report_names": [
		"quarks-pwdump.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434393,
	"ts_updated_at": 1775791314,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fa807d80ae7c887def66f378d9035a417ab87323.pdf",
		"text": "https://archive.orkl.eu/fa807d80ae7c887def66f378d9035a417ab87323.txt",
		"img": "https://archive.orkl.eu/fa807d80ae7c887def66f378d9035a417ab87323.jpg"
	}
}