How and where are Windows passwords stored on the disk, and what algorithms are used to hash them?

StackOverflow https://stackoverflow.com/questions/22881051

28-06-2023

Question

I would like to implement a version of the hash algorithm in a C# application, and need to know how Windows hashes and checks the passwords. I also need to know where they are stored. As far as I know, in the SAM file under C:\Windows\System32\config. Is that correct?


Solution

Nothing tricky here. The NTLM hash is just the MD4 of the Unicode password. MD4 is irresponsibly weak, so you will need a comprehensive crypto lib, like Bouncy Castle. MS has no native methods for it.

Also, the best reference on the topic.

    using System.Text;
    using Org.BouncyCastle.Crypto.Generators;
    using Org.BouncyCastle.Crypto.Parameters;
    using Org.BouncyCastle.Security;
    using Org.BouncyCastle.Crypto.Digests;

I think those cover it. I hope...

Here is one that returns it as a byte[], which you can convert as needed.

    /// <summary>
    /// Convert Password to NT Hash: encode as UTF-16LE ("Unicode") and MD4.
    /// </summary>
    /// <param name="passwordIn">password In</param>
    /// <returns>NT Hash as byte[]</returns>
    public static byte[] NTHashAsBytes(string passwordIn)
    {
        MD4Digest md = new MD4Digest();
        // Windows hashes the UTF-16LE bytes of the password directly.
        // Do not round-trip through Encoding.ASCII first: that replaces every
        // non-ASCII character with '?' and yields the wrong hash for such passwords.
        byte[] unicodePassword = Encoding.Unicode.GetBytes(passwordIn);

        md.BlockUpdate(unicodePassword, 0, unicodePassword.Length);
        byte[] hash = new byte[md.GetDigestSize()]; // 16 bytes for MD4
        md.DoFinal(hash, 0);

        return hash;
    }
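The recipe above (NT hash = MD4 over the UTF-16LE password), as an added worked example that is not part of the original answer: MD4 is implemented from RFC 1320 here because neither .NET nor many OpenSSL 3 builds of hashlib ship it, the NT hash is built on top of it, a constant-time check shows how a candidate is compared against a stored hash (the NT hash is unsalted, so verification is a direct compare), and `nt_hash_via_ascii` reproduces the ASCII round-trip mistake so the effect on a non-ASCII password is visible. It is written in Python rather than C# so it runs without Bouncy Castle; the function names are my own, and the test vectors are the RFC 1320 ones plus the well-known NT hash of "password".

```python
"""NT hash from scratch: MD4 (RFC 1320) over the UTF-16LE encoding of the password."""
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    x &= _MASK
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(message: bytes) -> bytes:
    """MD4 as specified in RFC 1320, written out because hashlib often lacks it."""
    # Padding: a 0x80 byte, zeros up to 56 mod 64, then the bit length as 64-bit LE.
    bit_len = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF
    msg = message + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", bit_len)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476

    def f(x, y, z): return (x & y) | (~x & z)          # round 1
    def g(x, y, z): return (x & y) | (x & z) | (y & z)  # round 2
    def h(x, y, z): return x ^ y ^ z                    # round 3

    # (message-word order, per-step shift amounts, additive constant) per round
    rounds = (
        (tuple(range(16)), (3, 7, 11, 19), 0x00000000),
        ((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        ((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    funcs = (f, g, h)

    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])  # 16 little-endian words
        a, b, c, d = a0, b0, c0, d0
        for fn, (order, shifts, k) in zip(funcs, rounds):
            for i, idx in enumerate(order):
                # One MD4 step, then rotate the roles of the four registers.
                a, b, c, d = d, _rol(a + fn(b, c, d) + x[idx] + k, shifts[i % 4]), b, c
        a0 = (a0 + a) & _MASK
        b0 = (b0 + b) & _MASK
        c0 = (c0 + c) & _MASK
        d0 = (d0 + d) & _MASK

    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 of the password's UTF-16LE bytes. No salt, no iteration count."""
    return md4(password.encode("utf-16-le"))


def nt_hash_via_ascii(password: str) -> bytes:
    """What an ASCII -> Unicode conversion computes: every non-ASCII character
    becomes '?' before hashing, so the result is wrong for such passwords."""
    ascii_mangled = password.encode("ascii", "replace").decode("ascii")
    return md4(ascii_mangled.encode("utf-16-le"))


def verify_nt_hash(password: str, stored: bytes) -> bool:
    """Check a candidate password against a stored NT hash in constant time."""
    return hmac.compare_digest(nt_hash(password), stored)


if __name__ == "__main__":
    # Constructed sample passwords; the third one exposes the ASCII round-trip bug.
    for pw in ("", "password", "P\u00e4ssword"):
        print(f"{pw!r:14} nt={nt_hash(pw).hex()} via_ascii={nt_hash_via_ascii(pw).hex()}")
```

Because the hash is unsalted and unkeyed, two accounts with the same password share the same NT hash, and the hash itself is all an attacker needs for pass-the-hash; the constant-time compare only prevents timing leaks during verification, it does not make the scheme strong.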

OTHER TIPS

Which "Windows" format do you mean?

NTLMv1 or NTLMv2?

LM?

DCC/MSCash/MS-Cache?

DCC2/MSCash2/MS-Cache2?

See also the question Windows 7 Password Hash Security.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow